Reputation: 889
I was trying to write an Android app that would send an email coming from the user's email address without opening up another email app. This should be done in the background. I posted a question here, but it turns out I would need to include the username and password in the code for this to work. However, I am not fully comfortable with this approach.
Now, what I'm thinking is to create a webservice hosted on my web server that would do the email sending. The Android app will post to this webservice and send all the information (user's email address, message, etc.). This means that the webservice is available online and if someone finds out about it, they can utilize this service and I would get a bunch of spam mail. What is the best approach to adding security here? I'm thinking of sending a "secret code" along with the service request that will be verified on the server. Will users be able to sniff the data being sent to my webservice and read the "secret code"?
Upvotes: 0
Views: 81
Reputation: 145002
You can't. If your app contains credentials to the webservice, someone could simply decompile the app and extract the credentials or use network traffic capture software to observe what your app sends to your server. Either way, you're exposed.
Your best bet is probably to limit the utility of your webservice to spammers by generating the email content server-side based on submitted fields.
Upvotes: 1
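A sketch of the server-side generation the answer suggests, added here as an example and not code from either poster. The field names, topic list, addresses and the `[MyApp]` subject tag are assumptions: the service accepts only a small set of fields, fixes the recipient and subject itself, and puts the user's address in `Reply-To` only.

```python
import re
from email.message import EmailMessage

# Assumed values for this sketch: addresses, topics and field names are hypothetical.
FIXED_RECIPIENT = "support@example.com"   # chosen by the server, never by the client
SERVICE_SENDER = "no-reply@example.com"
TOPICS = {"bug": "Bug report", "feedback": "Feedback", "account": "Account question"}
ALLOWED_FIELDS = {"user_email", "topic", "comment"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,190}\.[A-Za-z]{2,24}")
MAX_COMMENT = 500


def build_message(fields: dict) -> EmailMessage:
    """Build the outgoing mail from submitted fields; raise ValueError on bad input."""
    unknown = set(fields) - ALLOWED_FIELDS
    if unknown:
        # A client cannot supply 'to', 'cc', 'subject' or a full body.
        raise ValueError(f"unexpected fields: {sorted(unknown)}")

    user_email = str(fields.get("user_email", ""))
    if not EMAIL_RE.fullmatch(user_email):
        # fullmatch also rejects CR/LF, so no extra headers can be smuggled in.
        raise ValueError("invalid user_email")

    topic = str(fields.get("topic", ""))
    if topic not in TOPICS:
        raise ValueError("unknown topic")

    comment = str(fields.get("comment", ""))
    if len(comment) > MAX_COMMENT:
        raise ValueError("comment too long")
    # Drop control characters other than newline and tab.
    comment = "".join(ch for ch in comment if ch.isprintable() or ch in "\n\t")

    msg = EmailMessage()
    msg["From"] = SERVICE_SENDER
    msg["To"] = FIXED_RECIPIENT
    msg["Reply-To"] = user_email
    msg["Subject"] = f"[MyApp] {TOPICS[topic]}"
    msg.set_content(
        f"Topic: {TOPICS[topic]}\nSubmitted by: {user_email}\n\nComment:\n{comment}\n"
    )
    return msg
```

The returned message can be handed to `smtplib.SMTP.send_message`; per-address and per-IP rate limits would sit in front of this function.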