Reputation: 850
My scenario is simple, and perhaps I am not the only one who deals with it. I have a web service that is used by a number of my mobile apps. I would like my web service to be accessed only from my mobile apps, but I don't want my apps' users to be bothered with registering an account. How can I achieve that kind of security?
I have read about API keys and OTP, but they don't really convince me.
Upvotes: 0
Views: 30
Reputation: 1273
It isn't possible to do what you want 100%. The reason is that if the security is in your Mobile App, or travels over the internet, it is theoretically possible for someone to read your code or scan your traffic and then impersonate your Mobile App.
However, you can get good results with simple server-side checks. E.g., from your Mobile App, add a variable into HTTP calls which is checked by your backend. And, most importantly, use SSL. You can make this more complex as well, such as providing a token from the server and then requiring this token back on every call.
It's not unbreakable... but it will deter the casual hacker. And it will probably only take you 10 minutes to implement.
Upvotes: 1
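
The server-issued token described in the answer above, as an added example (not code from the original post): the backend signs an install ID and an expiry time with a key that never leaves the server, then checks the token on every call. The names `install_id` and `X-App-Token`, the token layout, and the 15-minute lifetime are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)  # assumption: key lives only on the server, never in the app
TOKEN_TTL = 900              # assumption: tokens are valid for 15 minutes


def _sign(payload):
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def issue_token(install_id, now=None):
    """Return 'payload.signature' binding a hypothetical install ID to an expiry."""
    expires = int((time.time() if now is None else now) + TOKEN_TTL)
    payload = f"{install_id}|{expires}".encode()
    b64 = base64.urlsafe_b64encode
    return f"{b64(payload).decode()}.{b64(_sign(payload)).decode()}"


def verify_token(token, now=None):
    """Return the install ID if the token is authentic and unexpired, else None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        install_id, expires = payload.decode().rsplit("|", 1)
        expires = int(expires)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token: wrong shape, bad base64, bad expiry
    # Constant-time comparison so the check does not leak signature bytes.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    if (time.time() if now is None else now) >= expires:
        return None
    return install_id


def handle_request(headers, now=None):
    """Backend check run on every call: 200 for a valid token, 401 otherwise."""
    token = headers.get("X-App-Token", "")  # assumed header name
    return 200 if verify_token(token, now) is not None else 401
```

A token issued this way cannot be altered or extended by the client without the server key, but it can still be replayed until it expires, which is why the answer's advice to use SSL matters.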