Protocol to secure a connection between a mobile device and a web service?

Question

Hi,

I'm looking for a protocol to secure a connection between a mobile device and a web service. I want to ensure that only the mobile device can perform actions on the web service and vice versa. Data doesn't need to be encrypted.

I know Oauth, but it seems that it's more used to secure connections when you got 3 different entities (Server, Consumer and Auth). Here, the Consumer and the User would be the same person.

Is there a simple protocol to do that (without requiring the user to login and then authorize the access token like it is the case for Oauth)?

I need to use it on different plateforms, so the protocol needs to be available at least on iPhone and PHP.

Thanks for your help!

Answer 1

You could probably roll your own with a shared secret / one-way encryption hash over an HTTPS connection.

Then if you want to make sure it's only a particular device, make a hash of the device id + the timestamp + the shared secret on the device, pass it as a parameter to the server, and verify the hash on the PHP side.

Answer 2

You'll need to clarify what you mean by 'secure'. Secure against what exactly? What are you worried about?

That said, https (http over SSL) is a good starting point, this will allow you to authenticate the website to the device (or browser) and is ubiquitous.

If you want to authenticate the device, that's a bit more tricky. You can generate and store a shared secret (a random number) and when first connecting to the site, provide that in the GET/POST....there are many variations on this but the simple ones all stem from establishing a shared secret and anything else is probably overkill. This will allow you to recognise that the same device is connecting again the next time it connects. Think of it like a password for the device to log in with (however it doesn't need to be a word, and probably shouldn't be).

The difficulty with this is that if the program is deleted that secret will be lost, and depending on what you want to do exactly, that may be a problem as the next time the program is run on the same device you'll need to establish a new secret. In that case you'll have no way to know that the device connecting this time is the same as the one that connected before. If you need that, you'll need to use some kind of reset mechanism, which is difficult to do, and amounts to authenticating a user rather than a device.

Note, iphones have a unique identifier but that's not really a secret and providing it doesn't really provide any proof that a given device is connecting. It is no harm to provide it as well, but it's more like an assertion 'I am device foo', rather than a proof of identity. Think of it like the username part of a login - you still need some shared secret.

Answer 3

I found a solution : Use a "2 legged Oauth" protocol.

This way, I stick to the standard, I don't have to reinvent wheel and I have a secured solution.

As the consumer and the user are the same for me, I simply authorize automatically "request tokens" that the consumer is asking when I see that the consumer is logged as the user!

What I'm doing is :

• In SSL : I login as the user and request a consumer key/secret to the server
• The server give me back my consumer key/secret
• In SSL : I login as the user and request a "Request Token" with my consumer key/secret
• The server recognize I'm the user so it automatically authorize the Request Token
• Without SSL : I ask an "Access Token" with my "Request Token"
• The server give me my access Token back
• I use it to perform requests safely