
I'm using (with satisfaction) some web services from an Android application.

I use https (I bought an SSL certificate).

I want to prevent unwanted access from others who know the URLs of my web services.

I use a "secret key" that the app must provide to the web service method, but it's stored in a constant variable inside the code and I know this is not the best solution to ensure security.

Android web service call (using ksoap):

    import org.ksoap2.serialization.SoapObject;

    try {
        SoapObject request = new SoapObject(configuration.getNamespace(), methodName);

        // The same constant is compiled into every copy of the app, so anyone
        // who decompiles the APK recovers it.
        request.addProperty("securityKey", SECURITY_KEY);
    } catch (Exception e) {
        e.printStackTrace();
    }

C# web service:

    using System.Web.Services;

    [WebMethod]
    public string UserRegistration(string securityKey, string data)
    {
        // One app-wide secret, compared against the value shipped in the client.
        if (securityKey != Environment.SecurityKey)
        {
            return "WRONG_KEY";
        }
        // registration logic omitted in the question
        return "OK";
    }

What's the best way to achieve the definitive solution?

EDIT:

As someone suggested, I also asked the same question on security.stackexchange.com:

https://security.stackexchange.com/questions/30850/web-services-how-prevent-illegal-accesses

  • You can use a dynamic Key Generation Algorithm that is known by both Client/Server side and before any communication, Client-Server needs to negotiate on the Dynamic Key (rather than a static key). To make your algorithm for dynamic key generation safe, you may try to obfuscate your source code using Proguard before publishing the application. – Gaurav Arora Feb 13 '13 at 14:38
  • @GauravArora sure, but as you said: it's just some tricky kind of obfuscation. If someone decompiles his app, and searches for that "dynamic key generation" he is still able to get access. – Rafael T Feb 13 '13 at 14:40
  • Yes, I agree. It doesn't seem to be the "definitive solution" I'm searching for. And yes, the solution suggested by Gaurav is better than mine. – Seraphim's Feb 13 '13 at 14:43
  • Does your app have some form of authentication? Have you considered oAuth? – Brian P Feb 13 '13 at 14:46
  • Would this question be better answered at http://security.stackexchange.com ? – James Snell Feb 13 '13 at 14:46
  • Maybe, but I'm wondering if Android (ksoap)/C# have a standard mechanism to achieve the solution... – Seraphim's Feb 13 '13 at 14:50
  • @Brian P. I don't know oAuth, I'll give it a try very soon – Seraphim's Feb 13 '13 at 14:52

1 Answer

You simply can't do this. You should obfuscate your code. This is an old battle of software developers vs. crackers.

You can't block someone from using/analyzing code that resides on the client side, but you can make it difficult to the point that almost all people will give up because it is too hard to exploit your code.

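The direction the comments point toward, authenticating the user instead of the app, as an added C# example that is not from the question or the answer. It replaces the app-wide SECURITY_KEY check with a per-user session token issued after login; UserStore.VerifyPassword is a hypothetical helper and the in-memory Sessions dictionary stands in for a real session store with expiry.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Web.Services;

// Added example, not the asker's code. Nothing secret ships in the APK:
// each user gets a random token from the server after proving who they are.
public class UserService : WebService
{
    // token -> user name. Stand-in for a database/cache entry with an expiry.
    private static readonly ConcurrentDictionary<string, string> Sessions =
        new ConcurrentDictionary<string, string>();

    [WebMethod]
    public string Login(string userName, string password)
    {
        // Hypothetical helper: verifies a salted password hash in your user store.
        if (!UserStore.VerifyPassword(userName, password))
            return "AUTH_FAILED";

        // 32 bytes from the CSPRNG: unguessable, unique per login, revocable.
        byte[] raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw);
        Sessions[token] = userName;
        return token;
    }

    [WebMethod]
    public string UserRegistration(string sessionToken, string data)
    {
        // A lookup against server-side state replaces the comparison with a
        // constant: a decompiled client reveals no credential, and a leaked
        // token affects one user and can be invalidated.
        string userName;
        if (sessionToken == null || !Sessions.TryGetValue(sessionToken, out userName))
            return "NOT_AUTHENTICATED";
        return "OK for " + userName;
    }

    [WebMethod]
    public void Logout(string sessionToken)
    {
        string ignored;
        if (sessionToken != null)
            Sessions.TryRemove(sessionToken, out ignored);
    }
}
```

On the ksoap side the client sends the token returned by Login as the "sessionToken" property instead of the compiled-in constant; the token must still travel only over the existing HTTPS connection.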