wenn32

Reputation: 1382

Best way to do in Android client and secure web service

So I have a problem with unauthorized usage of my C# web service, so here it goes.

Problem: I have an Android client application and it takes data from a C# web service. Now my problem is I don't want other people/applications to consume the services. So I want to restrict the usage to my application only.

Solution (that I have currently):

1. Create a username/password and store it (in encrypted form) in the Android client application.
2. My Android application will send the decrypted username/password to the web service.
3. Since the username/password is decrypted during its journey to the web service, it is not safe, since people can view the information. So my plan is to set up an HTTPS connection to secure the data.
4. When the username/password reaches the web service, it performs the necessary actions.

I am not sure if this is the right approach, but please share your views, and sorry if this question is not relevant to the site, but I desperately need help with this topic.

Upvotes: 0

Views: 870

Answers (1)

323go

Reputation: 14274

If HTTPS is an option, just use that, and have the app authenticate with basic authentication. Since even the basic auth over HTTPS is encrypted, you're fairly safe there -- and what's better yet, your web-server will act as the door-man, never hitting the app server.

If HTTP is all you can do, consider a simple challenge-response protocol: Ping the server and receive an access token. This token is then modified and encrypted by the client, and a new token is generated which the client sends along with each request. Since the client and the server know the algorithm for the response, the server can quickly verify whether the consumer is authorized to access the service.

Upvotes: 2
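The challenge-response exchange described in the answer, shown with both sides as an added example that is not part of the original answer or either poster's code. It swaps the answer's "modified and encrypted" token for an HMAC-SHA256 tag over the challenge and the request, which is one common way to build such a response. Assumptions: the `Server` class, the `sign` helper, the key, the 30-second lifetime and one single-use challenge per request are all hypothetical choices made for this sketch.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo key; assumption: the same key is provisioned to app and server.
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"
CHALLENGE_TTL = 30  # seconds a challenge stays valid (assumed value)


def sign(key, challenge, method, path, body):
    """Client side: bind the server's challenge to this exact request."""
    body_hash = hashlib.sha256(body).hexdigest()
    msg = "\n".join([challenge, method, path, body_hash]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Server:
    def __init__(self, key, now=time.monotonic):
        self._key = key
        self._now = now
        self._pending = {}  # challenge -> expiry time

    def issue_challenge(self):
        """The 'ping': hand out a fresh, unpredictable token."""
        challenge = secrets.token_hex(16)
        self._pending[challenge] = self._now() + CHALLENGE_TTL
        return challenge

    def verify(self, challenge, method, path, body, tag):
        """Recompute the expected response and compare in constant time."""
        expiry = self._pending.pop(challenge, None)  # single use: a replay finds nothing
        if expiry is None or self._now() > expiry:
            return False
        expected = sign(self._key, challenge, method, path, body)
        return hmac.compare_digest(expected, tag)


def demo():
    """Return (genuine request, replayed request, request signed with a wrong key)."""
    server = Server(SHARED_KEY)
    c = server.issue_challenge()
    tag = sign(SHARED_KEY, c, "GET", "/api/items", b"")
    genuine = server.verify(c, "GET", "/api/items", b"", tag)
    replayed = server.verify(c, "GET", "/api/items", b"", tag)
    c2 = server.issue_challenge()
    bad_tag = sign(b"some-other-key", c2, "GET", "/api/items", b"")
    wrong_key = server.verify(c2, "GET", "/api/items", b"", bad_tag)
    return genuine, replayed, wrong_key
```

The key still ships inside the APK, so this raises the cost of casual reuse rather than proving the caller is the genuine app. Over plain HTTP the request and response bodies also remain readable; the tag only authenticates them.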
