Reputation: 31
I am developing a RESTful web service as a backend layer for a mobile application (accessed from Android and iOS devices). The mobile app includes functionality both pre-login and post-login. How can I secure my RESTful web service so that a request is served only when it is received from our mobile application, and, in the case of post-login functionality, only for authenticated users?
I am using a Tomcat server, Spring and Jersey (I can change the versions if required).
Please make suggestions on how best to achieve this.
Upvotes: 2
Views: 396
Reputation: 23436
The way to guarantee that a request is coming from a specific client is to require the application to authenticate, which is done through a client credentials grant in OAuth 2.0.
The problem with this is that it requires a client secret (think of an API key or password) to be sent by the client. This secret therefore needs to be stored on the mobile client itself. This cannot be done in a secure way, i.e. the user of the device has access to that secret. This means that if the user cannot be trusted to keep the secret secure, it could leak, enabling anyone to authenticate to your API as your mobile client.
You should build your API in a way that unauthenticated requests (no access token) could be made by any client (not just your mobile app). For any request that exposes data you need to keep confidential, require user authentication.
Upvotes: 2
Reputation: 4826
First, you should use HTTPS. It's the minimum needed to ensure security.
To assert that the communication came from your application, you can use a token, but it can be stolen.
To assert that it came from an authenticated user, your back-end can return a token after login, or use a mechanism like OAuth 2.
Upvotes: 2
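The design both answers describe, as an added example that is not code from the question or either answer: a Jersey 2 (JAX-RS 2.0) request filter that demands a user access token only on resources marked `@Authenticated`, a pre-login `/login` resource that issues that token (the "return a token after login" of the second answer), and a post-login `/profile` resource that is only reachable with it. Pre-login resources carry no annotation and are served to any client, which is the first answer's point that nothing about the request can prove it came from your app. The package name, `TokenStore` and `PasswordVerifier` are assumptions; nothing here is part of Jersey or Spring beyond the JAX-RS and `ResourceConfig` APIs.

```java
// Added example, not from the question or answers. Package name, TokenStore and
// PasswordVerifier are assumptions; replace them with your own user/token storage.
package com.example.api.security;

import java.lang.annotation.*;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.annotation.Priority;
import javax.ws.rs.*;
import javax.ws.rs.container.*;
import javax.ws.rs.core.*;
import org.glassfish.jersey.server.ResourceConfig;

/** Marks resources that must only be served to authenticated users. */
@NameBinding
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
@interface Authenticated {}

/** Hypothetical check of a user's password against your user store. */
interface PasswordVerifier { boolean verify(String user, String password); }

/** In-memory store of tokens issued at login (hypothetical; back it with a DB or signed JWTs in production). */
class TokenStore {
    private final Map<String, String> userByToken = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    /** Issue a fresh, unguessable bearer token (256 random bits) for a user who just proved their password. */
    String issue(String user) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        userByToken.put(token, user);
        return token;
    }

    /** The user a token belongs to, or null if it is unknown or has been revoked. */
    String userFor(String token) { return userByToken.get(token); }
}

/** Runs before any resource marked @Authenticated; unmarked (pre-login) resources never hit this filter. */
@Authenticated
@Priority(Priorities.AUTHENTICATION)
class BearerTokenFilter implements ContainerRequestFilter {
    private final TokenStore tokens;
    BearerTokenFilter(TokenStore tokens) { this.tokens = tokens; }

    @Override
    public void filter(ContainerRequestContext ctx) {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        String user = null;
        if (header != null && header.startsWith("Bearer ")) {
            user = tokens.userFor(header.substring("Bearer ".length()).trim());
        }
        if (user == null) {  // missing, malformed, unknown or revoked token: the resource is never reached
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer realm=\"api\"").build());
            return;
        }
        final String name = user;
        final boolean secure = ctx.getSecurityContext().isSecure();  // true only if the request came over HTTPS
        ctx.setSecurityContext(new SecurityContext() {
            public Principal getUserPrincipal() { return () -> name; }
            public boolean isUserInRole(String role) { return false; }
            public boolean isSecure() { return secure; }
            public String getAuthenticationScheme() { return "Bearer"; }
        });
    }
}

/** Pre-login endpoint: any client can call it, so it returns nothing confidential. */
@Path("/login")
class LoginResource {
    private final TokenStore tokens;
    private final PasswordVerifier passwords;
    LoginResource(TokenStore tokens, PasswordVerifier passwords) { this.tokens = tokens; this.passwords = passwords; }

    @POST
    public Response login(@FormParam("user") String user, @FormParam("password") String password) {
        if (user == null || password == null || !passwords.verify(user, password)) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        return Response.ok(tokens.issue(user)).build();  // the app keeps this and sends it as "Authorization: Bearer ..."
    }
}

/** Post-login endpoint: only reachable with a token the filter accepted. */
@Path("/profile")
@Authenticated
class ProfileResource {
    @GET
    public String me(@Context SecurityContext sc) { return "hello " + sc.getUserPrincipal().getName(); }
}

/** Jersey application; the filter and login resource are registered as instances so they share one TokenStore. */
public class ApiApplication extends ResourceConfig {
    public ApiApplication(PasswordVerifier passwords) {
        TokenStore tokens = new TokenStore();
        register(new BearerTokenFilter(tokens));
        register(new LoginResource(tokens, passwords));
        register(ProfileResource.class);
    }
}
```

Because `ApiApplication` takes the real `PasswordVerifier` in its constructor, it is meant to be built by your servlet setup or Spring wiring rather than named in web.xml. The filter does not force HTTPS itself; on Tomcat that is done by a `<security-constraint>` with a `CONFIDENTIAL` transport guarantee (or by exposing only a TLS connector), and `isSecure()` on the request then reports whether that held. Note that nothing in `/login` can tell your app from any other HTTPS client presenting the same credentials, which is exactly why the first answer says to put all confidential data behind the user token rather than behind an app secret.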