views:

119

answers:

2

Hello,

The title says it all, I have a Web Service written in .NET that provides data for an iPhone application. It will also allow the application to make a "reservation."

Currently it's all internal to the corporate network but obviously when the iPhone application is published I will need to ensure the Web Service is available externally.

How would I go about securing the Web Service?

There are two aspects I'm looking into:

  • Authentication for accessing the web service
  • Protection for the data being transferred

I'm not so bothered about the data being passed back and forth as it will be viewable in the application anyway (which will be free). The key issue for me is preventing users from accessing the Web Service and making reservations themselves.

At the moment I am considering encrypting any strings in the XML data passed back and forth so only the client can effectively use the web service, sidestepping the need for authentication and providing protection for the data. This is the only model I have seen but I think the overheads on the iPhone and even for the web service make for a poor user experience.

Any solutions at all would be most welcome?

Thanks

+3  A: 

Just use https to make your web service calls. You can then employ whatever authentication you want and maybe receive back a token which will be passed to subsequent web service calls. Your authentication details and your data will then be secured. There will be some overhead but it shouldn't be huge.

s1mm0t
Hi s1mm0t, I think we're going to try https to encrypt the data in transit. So you get an upvote, thanks. As for the authentication, well, I don't know what I want, which was why I was asking for ideas, so cheers for the answer but I'm accepting dwery's as it is pointing me down a certain path.
David A Gibson
+1  A: 

http is the simple answer, but you should not only provide the server with its own certificate, but give one to each mobile device. This allows for mutual authentication.

If you can't do this, you can employ AES to sign the messages from the iPhone to the server, using a shared secret known only to the server and the iPhone, but never transmitted in plain:

signature = AES(data + iPhone udid + shared secret) (or something to that effect)

You should choose a way to distribute the secret that allows you to verify the other party.

dwery
Thanks dwery, I hadn't thought about mutual authentication other than using the UDID as is to make a count of reservations per hour. I'll work on creating signatures and using AES as well as https. If I come up with a solution I'm not too embarrassed about I'll post it back here as an answer, cheers.
David A Gibson
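The request-signing scheme dwery sketches (a per-device shared secret that never leaves the device, bound to the device identifier and the message), worked through as an added example that is not code from either the question or the answers. It uses HMAC-SHA256 as the keyed function rather than AES, since AES is a cipher and HMAC is the standard primitive for message authentication; the header names, the `DEV-0001` device id, the timestamp window and the nonce cache are all assumptions added here, and the server side would be the .NET service in the question.

```python
import hashlib
import hmac
import secrets
import time


def canonical_string(method, path, body, device_id, timestamp, nonce):
    """Everything the server must bind to the signature, in a fixed order."""
    return "\n".join([method.upper(), path, device_id, str(timestamp), nonce, body])


def sign_request(secret, method, path, body, device_id, timestamp=None, nonce=None):
    """Client side: the headers the iPhone would attach to a request (assumed names)."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(8) if nonce is None else nonce
    msg = canonical_string(method, path, body, device_id, timestamp, nonce)
    sig = hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()
    return {"X-Device-Id": device_id, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": sig}


class RequestVerifier:
    """Server side: rejects unknown devices, stale requests, tampering and replays."""

    def __init__(self, secrets_by_device, max_skew_seconds=300):
        self.secrets_by_device = secrets_by_device  # device id -> shared secret bytes
        self.max_skew_seconds = max_skew_seconds
        self.seen_nonces = set()  # in-memory; a real service would bound and expire this

    def verify(self, method, path, body, headers, now=None):
        now = int(time.time()) if now is None else now
        device_id = headers.get("X-Device-Id", "")
        secret = self.secrets_by_device.get(device_id)
        if secret is None:
            return False, "unknown device"
        try:
            timestamp = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(now - timestamp) > self.max_skew_seconds:
            return False, "stale request"
        nonce = headers.get("X-Nonce", "")
        msg = canonical_string(method, path, body, device_id, timestamp, nonce)
        expected = hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()
        # Constant-time compare; the MAC is checked before the nonce so only valid traffic fills the cache.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        if (device_id, nonce) in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add((device_id, nonce))
        return True, "ok"
```

Because the body is part of the signed string, a captured request cannot be altered to book a different slot, and the nonce cache stops it being submitted twice; the secret itself never appears in the headers.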