I'm thinking about this, which is how I can write a web service more securely.
For example, my web URL is http://test.com/getdata.php
How do I secure this so that it can only be accessed by my application in a mobile app, like Android or iOS or anything?
The web service can be RESTful or SOAP or anything; what is the best way to secure the web service so that only my app uses it?
An Android application can be very easily decompiled to get the web service address, so I want to prevent this attack...
How do I implement a secure way for this purpose?

@ZekeSonxx no, this is not preferred to this post; I want to make it secure. Android applications are weak against decompiling... – Araz Jafaripur Feb 19 '14 at 18:10
1 Answer
Securing a webservice so that it can only be used by a particular application is hard, and if you have a persistent attacker then it is probably impossible, as they can run your application in some emulator, or on a device where they can scan memory and get information.
So, what is the value that you are protecting? The value that you are trying to protect will decide how much effort to put in.
But you could put an RSA public key in each version of your application, and some marker has to be encrypted so that only the server can decrypt it; that will help ensure only your application can call the webservice. But even if the key is hardcoded inside your application, someone can find it if they try hard enough.
Another approach would be to use a zero-knowledge proof to verify that the application is who it claims to be, so you would need information hardcoded into the program that it can look up to answer questions. This should work, but I haven't gone with this approach yet; it may be more secure than just using encryption.
But the simplest approach is to have users have a login/password; if someone has valid credentials they can use your webservice, even if they do it from their own JavaScript page, and if someone is doing something wrong, mark their credentials as banned.
If you want to prevent decompilation, then you may want to look at this explanation as to why that approach is unreliable: https://stackoverflow.com/a/3122640/67566, which is why I think trying to protect the webservice is the best approach.
If done properly, a zero-knowledge proof should rely on something that depends on how it was compiled, so if someone reverse-engineers the application and recompiles it, they should get something different enough to fail the authentication.
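As an added illustration of the simplest approach in the answer above (per-user credentials, with misbehaving credentials banned on the server), here is a constructed Python sketch of the server side. It is not code from the answer; the function names, the in-memory store and the token format are assumptions. The point it makes is that the only secret is held by the server, so nothing recoverable from a decompiled APK lets a third party forge a session.

```python
import hashlib
import hmac
import secrets
import time

# Server-side secret: it never ships inside the app, so decompiling the APK
# does not give an attacker what is needed to forge a token.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 3600  # seconds a login stays valid

_USERS = {}      # constructed in-memory store: username -> (salt, pbkdf2 digest)
_BANNED = set()  # credentials revoked after misuse


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username, password):
    salt = secrets.token_bytes(16)
    _USERS[username] = (salt, _hash(password, salt))


def login(username, password, now=None):
    """Return a signed session token if the credentials are valid, else None."""
    record = _USERS.get(username)
    if record is None or username in _BANNED:
        return None
    salt, digest = record
    if not hmac.compare_digest(_hash(password, salt), digest):
        return None
    expires = int(now if now is not None else time.time()) + TOKEN_TTL
    payload = f"{username}:{expires}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def verify_token(token, now=None):
    """Return the username if the token is authentic, unexpired and not banned."""
    try:
        username, expires, mac = token.rsplit(":", 2)
        expires = int(expires)
    except ValueError:
        return None  # malformed token
    expected = hmac.new(SERVER_KEY, f"{username}:{expires}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # forged or tampered token
    if expires < (now if now is not None else time.time()) or username in _BANNED:
        return None  # expired, or credentials were banned after misuse
    return username


def ban_user(username):
    """Revoke abusive credentials; tokens already issued stop verifying too."""
    _BANNED.add(username)
```

Every request to getdata.php would then carry the token and be answered only when verify_token returns a username; calling it from a browser page with valid credentials still works, which is exactly the trade-off the answer describes.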
