I have created an android application that calls (using kSOAP library) a SOAP based web service (developed in java, netbeans) over the intranet.

Now I want to make the application live, so this will require my web service to be exposed on the internet.

I have the following questions...

  1. How do I make sure that no one knows about the web service link except my android application?
  2. How do I make sure no one is able to call the web service except my android application?
  3. The data transferred between android application and web service is secure and encrypted
  4. What kind of authentication mechanism should be used

I'm new to web services security so forgive me if my questions are dumb :)

orak

1 Answer

  1. This is impossible. Anyone having your app might use a traffic analyzer like wireshark and see all the requests it makes.
  2. Sign each request your app makes (add some SOAP header) and check the signature on the server side
  3. Use HTTPS
  4. How to do authentication using SOAP?
Sergey Eremin
  • 3 is a matter of Tomcat setup. 2 depends on the nature of your app... In fact this is not possible either (remember the icq/oscar protocol?). Even if you sell signatures for the apps to work, someone is going to buy one to reverse-engineer the protocol. As a temporary solution you can send a random string to clients on each request and check if they modify it correctly. The way they modify it is up to you, example: md5(md5(string).md5(string).someconstant). But it is useless in the long run, someone who really needs it can guess/reverse-engineer it. – Sergey Eremin Jul 05 '12 at 13:52
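The following is an added example, not code from the asker or the answerer, of what the answer's point 2 ("sign each request, add a SOAP header, check it on the server") looks like when it is combined with point 4 (authentication). It assumes a custom `Auth` header element, a per-user secret key that the server issues after a login over HTTPS and stores by user id, and, on the client, that the header would be placed into kSOAP's envelope header (the exact kSOAP call is not shown and is an assumption). The key being per user rather than baked into the APK is the point the comment above makes: anything shipped inside the app can be extracted, so the request signature proves "this user's key signed this body", not "this is my app". The timestamp and nonce stop a captured request from being replayed; HTTPS still provides the confidentiality asked for in point 3.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example: per-request HMAC signatures carried in a custom SOAP header,
 * verified on the server with a freshness window and replay protection.
 */
public class SignedSoapDemo {

    static final String HMAC_ALG = "HmacSHA256";
    static final long MAX_SKEW_MS = 5 * 60 * 1000L;          // reject requests older than 5 minutes

    // Hypothetical credential issued to one user at sign-up (constructed demo values).
    // The server looks the key up by user id; every user has a different key.
    static final String USER_ID = "user-42";
    static final byte[] USER_KEY = "constructed-demo-key-not-for-real-use".getBytes(StandardCharsets.UTF_8);

    /** What gets signed: caller, timestamp, nonce and body, joined with newlines so fields cannot bleed into each other. */
    static String canonical(String userId, long ts, String nonce, String body) {
        return userId + "\n" + ts + "\n" + nonce + "\n" + body;
    }

    static byte[] hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance(HMAC_ALG);
        mac.init(new SecretKeySpec(key, HMAC_ALG));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    // ---------- client side (the Android app) ----------

    /** Builds the envelope; with kSOAP the Auth element would go into the envelope's outgoing header (assumed usage). */
    static String signEnvelope(String userId, byte[] key, String bodyXml) throws Exception {
        long ts = System.currentTimeMillis();
        byte[] rnd = new byte[16];
        new SecureRandom().nextBytes(rnd);                    // fresh random nonce per request
        String nonce = Base64.getEncoder().encodeToString(rnd);
        String sig = Base64.getEncoder().encodeToString(hmac(key, canonical(userId, ts, nonce, bodyXml)));
        return "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
             + "<soap:Header><Auth user=\"" + userId + "\" ts=\"" + ts
             + "\" nonce=\"" + nonce + "\" sig=\"" + sig + "\"/></soap:Header>"
             + "<soap:Body>" + bodyXml + "</soap:Body></soap:Envelope>";
    }

    // ---------- server side (the Java web service) ----------

    static final Set<String> seenNonces = new HashSet<>();    // production: a shared store with expiry

    static final Pattern AUTH = Pattern.compile(
        "<Auth user=\"([^\"]+)\" ts=\"(\\d+)\" nonce=\"([^\"]+)\" sig=\"([^\"]+)\"/>");
    static final Pattern BODY = Pattern.compile("<soap:Body>(.*)</soap:Body>", Pattern.DOTALL);

    /**
     * Returns true only for a request with an Auth header, a fresh timestamp, an unused nonce
     * and an HMAC that matches the key the server holds for the user named in the header.
     * The caller is expected to look keyForUser up by the header's user attribute.
     */
    static boolean verify(String envelope, byte[] keyForUser, long now) throws Exception {
        Matcher a = AUTH.matcher(envelope);
        Matcher b = BODY.matcher(envelope);
        if (!a.find() || !b.find()) return false;             // missing header or body
        long ts = Long.parseLong(a.group(2));
        if (Math.abs(now - ts) > MAX_SKEW_MS) return false;   // stale request or bad clock
        String nonce = a.group(3);
        byte[] given;
        try {
            given = Base64.getDecoder().decode(a.group(4));
        } catch (IllegalArgumentException e) {
            return false;                                     // malformed signature value
        }
        byte[] expected = hmac(keyForUser, canonical(a.group(1), ts, nonce, b.group(1)));
        if (!MessageDigest.isEqual(expected, given)) return false;   // constant-time comparison
        synchronized (seenNonces) {
            return seenNonces.add(nonce);                     // false when a valid request is replayed
        }
    }

    public static void main(String[] args) throws Exception {
        String body = "<GetBalance xmlns=\"urn:demo\"><account>123</account></GetBalance>";
        String env = signEnvelope(USER_ID, USER_KEY, body);
        long now = System.currentTimeMillis();
        System.out.println("fresh request accepted:    " + verify(env, USER_KEY, now));
        System.out.println("replayed request accepted: " + verify(env, USER_KEY, now));
        String tampered = env.replace("<account>123</account>", "<account>999</account>");
        System.out.println("tampered request accepted: " + verify(tampered, USER_KEY, now));
    }
}
```

The server extracts the header and body from the raw request text on purpose: the signature covers the bytes the client actually sent, so both sides agree without an XML canonicalisation step. That is fine for a demo but fragile once a framework reserialises the message, which is why production SOAP stacks do this with WS-Security (XML signature or a signed UsernameToken) rather than hand-rolled headers. The md5-of-a-constant challenge from the comment fails because the constant is the whole secret and lives in the app; here the secret is obtained per user, so extracting one install of the app yields one user's credential, which can be revoked, rather than a master key.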