Reputation: 369
I'm creating an app at the moment, and the idea is that it should be found in both a paid and a free version.
Both versions are depending on a webservice in the background for making queries against a database. This is the real meat and core of the entire project.
The free version allows a user to make queries and such, while the full version can make queries but also download parts of the requested items. In other words, the full version won't require full internet access.
My problem is that I want to do my best to avoid a 3rd party creating his own front-end and using my webservice / database. Authentication and authorization is further complicated by the fact that I want to avoid storing any user information on the servers.
I have been searching forums thin for a solution, and since we're in 2014 there might be some suggestions which are better than the ones I have found, which mostly contain a username or a token of some kind.
The only solution I can really see at this moment is using certificates in both apps and on the server to validate and authorize. Maybe even stretch it by creating a new certificate each month for both the apps and servers.
Right now I have free hands to develop the server-side solution in whatever language and framework I choose.
Does anyone have a definitive solution on how to prevent people who don't have the app from getting access to webservice resources?
Upvotes: 0
Views: 56
Reputation: 93559
There is no way to do this 100% without storing information on your servers. Anything else requires you to trust data from a client you don't physically control, which is a security mistake.
Now if you want the 90% solution, you can use HTTPS to access your servers and send a key in each request. The key would be a random 128 or 256 bit number. Use a different one for paid and free. If they don't transmit up the correct number, send down an error code instead of the real data.
Now anyone who really cares could reverse engineer this and break your code because the authentication data is client side. But in reality only a handful would ever care, even if your app ever becomes big enough to care about.
Upvotes: 1
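The server side of the shared-key scheme from the answer, as an added example in Python (not code from the asker or the answerer). The `X-App-Key` header name, the tier-to-action map, and the placeholder keys are assumptions; it also refuses the key over plain HTTP and compares in constant time.

```python
import hmac

# Constructed placeholder keys for this example. In a real deployment generate
# each one with secrets.token_hex(32) and embed a different value in the free
# and the paid build, as the answer suggests.
APP_KEYS = {
    "free": bytes.fromhex("00" * 32),
    "paid": bytes.fromhex("ff" * 32),
}

# Which actions each tier may perform: both may query, only paid may download.
ALLOWED = {
    "free": {"query"},
    "paid": {"query", "download"},
}


def tier_for_key(presented_hex):
    """Map the key sent by the client to a tier, or None if it matches nothing.

    Every stored key is compared with hmac.compare_digest so that timing does
    not leak how many leading bytes matched, and the loop never returns early.
    """
    try:
        presented = bytes.fromhex(presented_hex or "")
    except ValueError:
        presented = b""
    matched = None
    for tier, key in APP_KEYS.items():
        if hmac.compare_digest(presented, key):
            matched = tier
    return matched


def handle_request(scheme, headers, action):
    """Return (status, body) for one request; the key travels in X-App-Key."""
    if scheme != "https":
        # The key is a bearer secret; never accept it over plain HTTP.
        return 400, {"error": "https required"}
    tier = tier_for_key(headers.get("X-App-Key"))
    if tier is None:
        # Wrong or missing key: an error code instead of the real data.
        return 401, {"error": "unknown client"}
    if action not in ALLOWED[tier]:
        return 403, {"error": "upgrade required"}
    return 200, {"tier": tier, "action": action, "result": "ok"}
```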