views:

121

answers:

6

Hi, I have a question regarding security and web services.

I need a web service to provide an interface for the underlying MySQL database. I am trying to get a BlackBerry application to store data in the web server's MySQL database through a web service.

My question is, how can I ensure that the BB application is the only thing that is using the web service? The web service will essentially insert data into a table. I want to ensure that only the BB application is allowed to use this service and not someone who figures out the service and starts spamming my table.

Any pointers, best practices or links are greatly appreciated.

Also what sort of web service is best in this scenario?

A: 

I would go with a REST web service over HTTPS; it would take your problems away. I don't know anything about BlackBerry apps, so I can't give you any pointers on how to use HTTPS on that platform.

fmsf
REST offers no more (or less) security than HTTPS. Especially considering REST is simply performing processing according to the actual HTTP verb definitions... I'm not exactly sure what you're trying to say here.
Chris Lively
+1  A: 

I am going to assume that the BlackBerry application is made by yourself as well. How you can then do this is by creating a sequence or hash that only your application can create, that the web service can verify. For instance, in the beginning of the process, or better, for each step the web service sends down a key sequence, which maps to an internal dictionary within your application on the method to make the unique hash.

The flow would then be as follows:

  1. Perform data task in BB application
  2. Ready to transmit data to web service
  3. Create unique hash from data + your own information from the mapped dictionary
  4. Transmit the data with the key
  5. Web Service verifies the key. If validation fails, it discards the data completely, if succeeds, it will then do what it needs to do.
  6. Continue.

HTH

Disclaimer: Assuming this is an open ended WS.

Also see my answer here.

Kyle Rozendo
A: 

If you are creating a SOAP web service then you want to read about ws-security.

zac
+1  A: 

Take a look at basic authentication over SSL. Configuring the application to include the username/password in the header should be fairly straightforward and the SSL connection will ensure they're not being transmitted in cleartext.

Chris Pebble
+1  A: 

Use net.rim.device.api.crypto.HMAC to implement HMAC authentication and validation. Establishing end-to-end SSL connections on a BlackBerry can be problematic and dependent on wireless provider support unless your users are activated on a corporate BES (which I strongly recommend as part of the solution if you want robust security).

Richard
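Kyle's hash-per-request flow and Richard's HMAC suggestion, combined into one added example (not code from any of the answers): the client signs each payload with a shared secret, and the service verifies the signature, rejects stale timestamps, and refuses replayed nonces before touching the table. It assumes a per-device secret provisioned at install time (placeholder value here) and HMAC-SHA256 as the hash.

```python
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed placeholder: provision a real secret per device/app at install time.
SHARED_SECRET = b"replace-with-per-device-secret"
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is too far from server time


def canonical(fields: dict) -> bytes:
    """Serialize the payload deterministically so client and service hash identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_request(fields: dict, secret: bytes, now: Optional[float] = None,
                 nonce: Optional[str] = None) -> dict:
    """Client side: attach timestamp, nonce and HMAC-SHA256 signature to the payload."""
    ts = str(int(now if now is not None else time.time()))
    nonce = nonce or os.urandom(16).hex()
    message = ts.encode() + b"|" + nonce.encode() + b"|" + canonical(fields)
    sig = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return {"data": fields, "ts": ts, "nonce": nonce, "sig": sig}


class Verifier:
    """Service side: accept a request only if it is correctly signed, fresh and unseen."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_nonces = set()  # keep in a DB/cache in a real deployment

    def verify(self, request: dict, now: Optional[float] = None) -> bool:
        now = now if now is not None else time.time()
        try:
            ts = int(request["ts"])
            nonce, sig, fields = request["nonce"], request["sig"], request["data"]
        except (KeyError, ValueError, TypeError):
            return False  # malformed request: discard
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return False  # stale or future-dated: discard
        if nonce in self.seen_nonces:
            return False  # replayed request: discard
        message = str(ts).encode() + b"|" + nonce.encode() + b"|" + canonical(fields)
        expected = hmac.new(self.secret, message, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False  # wrong secret or tampered payload: discard
        self.seen_nonces.add(nonce)
        return True  # only now insert into the table
```

The secret still has to live inside the app, so this stops casual spamming and tampering rather than a determined reverse-engineer; pair it with SSL/HTTPS as the other answers recommend.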
A: 

Others have indicated using SSL to secure the site. However, that is only one part of the puzzle. Kyle was close with the second, but didn't quite cut it.

The answer is that every single transaction which is posted to your web service must contain some type of authorization key. That key can be pre-shared and baked into the application OR it can be acquired through some other means and set up as part of the application install / configuration process.

Nearly all companies which provide web services online follow this method. The idea is that regardless of the underlying protocol (SSL for example) you have to validate that the request is indeed coming from an authorized device / program. Some vendors have the users create a unique key for each user, some for each device, and others just 1 key for the entire organization. Regardless of how deep you take it there is in fact a key.

The key usually isn't that large. It might be anywhere from 15 to 40 alphanumeric characters.

Chris Lively