anonmys

Reputation: 419

Web or SOAP based integration for Mobile apps

I am looking for some inputs for an enterprise mobile application architecture. It is for a large organization with hundreds of existing SOAP based web-services for consumption by web based applications. We use service accounts for application to web-service authentication and authorization (Application-N with a specific username and password to communicate with web-service-N). These apps are hosted at Android market and iTunes (iPad and Android apps). We also have a need of SAML based SSO for these mobile apps (OAuth is not entertained at the moment).

I am proposing a web-based integration approach for consumption of these web-services from these apps along with a proxy server to intercept these requests from mobile apps. So, the flow would be:

  1. Mobile app communicates with proxy server using HTTP and JSON. All the SAML SSO workflow is handled by the mobile app, the service provider (which is the proxy server) and the identity provider server.
  2. Proxy server communicates with web-services using service account and marshalls and unmarshalls the requests and responses to JSON.

The advantage with this approach is:

  1. Cross platform mobile application development due to the web-based approach, as pointed out by: What work has been done on cross-platform mobile development?
  2. Easier SAML based security integration due to HTTP protocol as opposed to SOAP.

I also see the following issues with SOAP for this project:

  1. Some hack to use the SAML authentication within SOAP request?
  2. Since web-service authentication is done using service accounts, you need to embed the password for the web-service in the mobile application's code, which I see as a security issue.
  3. Marshalling and un-marshalling SOAP requests and responses is expensive compared to JSON for a mobile device.
  4. Since we need to embed the secret (password) in the device to communicate with the web-service, which is a security issue. http://www.performantdesign.com/2009/09/03/facebook-iphone-session-proxy-in-php-fbsession-getsessionproxy/ So this app-server acts as a session proxy.

Does this make sense? Any flaws with this approach?

Many thanks in advance

Upvotes: 3

Views: 1504
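The session-proxy flow from steps 1 and 2, as an added example that is not part of the original question: the device holds only an opaque session token minted after the SAML exchange, while the proxy keeps the service-account credentials and does the JSON-to-SOAP marshalling. The session and service-account tables, the `urn:example:inventory` namespace, the `requestingUser` parameter and the fake backend are all constructed or assumed.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SVC_NS = "urn:example:inventory"  # hypothetical namespace of one backend web-service

# Constructed: service-account credentials live only on the proxy, never on the device.
SERVICE_ACCOUNTS = {"inventory": ("svc_inventory", "PLACEHOLDER-SECRET")}
# Constructed: sessions the proxy (the SAML service provider) minted after validating the IdP assertion.
SESSIONS = {"tok-abc123": {"user": "alice", "services": {"inventory"}}}

def authorize(session_token, service):
    """Map the device's session token to a user and check the service is permitted."""
    sess = SESSIONS.get(session_token)
    if sess is None or service not in sess["services"]:
        return None
    return sess["user"]

def build_envelope(service, operation, params):
    """Marshal a JSON-style dict into a SOAP 1.1 envelope with a WS-Security UsernameToken."""
    username, password = SERVICE_ACCOUNTS[service]  # proxy's account, nothing from the device
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Header"), f"{{{WSSE_NS}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE_NS}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE_NS}}}Password").text = password
    op = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Body"), f"{{{SVC_NS}}}{operation}")
    for key, value in params.items():
        # ElementTree escapes text, so client-supplied values cannot inject XML markup.
        ET.SubElement(op, f"{{{SVC_NS}}}{key}").text = str(value)
    return ET.tostring(env, encoding="unicode")

def unmarshal_response(soap_xml):
    """Flatten the first Body child of a SOAP response into a dict for the JSON reply."""
    result = ET.fromstring(soap_xml).find(f"{{{SOAP_NS}}}Body")[0]
    return {child.tag.split("}", 1)[-1]: child.text for child in result}

def handle_request(session_token, service, operation, params, call_backend):
    """Proxy flow: authorize the session, marshal, call the SOAP service, unmarshal."""
    user = authorize(session_token, service)
    if user is None:
        return {"error": "unauthorized"}
    # Assumed backend convention: forward the authenticated identity as a parameter.
    params = dict(params, requestingUser=user)
    return unmarshal_response(call_backend(build_envelope(service, operation, params)))

# Constructed stand-in for a real SOAP endpoint so the block runs offline.
FAKE_RESPONSE = ('<s:Envelope xmlns:s="%s"><s:Body><i:getStockResponse xmlns:i="%s"><i:sku>A-100'
                 '</i:sku><i:quantity>42</i:quantity></i:getStockResponse></s:Body></s:Envelope>' % (SOAP_NS, SVC_NS))
def fake_backend(envelope): return FAKE_RESPONSE
```

A real deployment would bind the session token to the validated SAML assertion's subject and expiry, and call the backend over TLS with the envelope as the request body.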

Answers (1)

rook

Reputation: 67019

In all reality the protocol that you choose isn't going to affect the number of vulnerabilities or design flaws a developer is going to implement. You can build a very secure API using any technology.

The real strength of SOAP is that the WSDL file can be used to build automated security tests against the service. So when the developer makes a mistake, you can detect it. Before you release a new version of the API make sure to test the code with something like WSFuzzer.

SOAP also has features such as encryption and authentication built into the protocol so you don't have to reinvent the wheel.

Upvotes: 1
