views: 66, answers: 3

I want to create an iPhone application which consists of two parts: the app itself and a server-side component.

On a user's request, the app sends data to the server, which is to be handled by human operators.

To prevent abuse from an iPhone app user, the ID of the iPhone is sent along with the request, and the operators can blacklist pranksters to deny their iPhone access to the service.

So far so good. Now the problem is: someone could easily discover the address of the server-side component and write a script to send bogus requests, using multiple IP addresses, etc.

So my question is: how can I defend myself against this?

CAPTCHAs to protect against scripted attacks or requiring the user to register himself are not an option for this particular application.

If I had control of the download, I would associate a unique ID with each downloaded app, but obviously this is not an option with the App Store.

What would be your approach to make the server-side part more secure?

Edit:

What about a challenge-response scheme where the server sends a token to the client, based on which the client constructs a new token with an algorithm known to both?

At least this makes it harder for an attacker because he has to reverse-engineer the ARM binary. Do you have any experience (I have none) with a similar approach?

A: 

As part of your iPhone app you could include sign-up/registration functionality, and during that process, collect the ID of the iPhone. So on your server, you would have a list of VALID IDs, and you can ignore requests from any iPhones not on the list (and also bogus/faked requests).

Jon

Comments:

mme: If I were to include a registration step, how can I be sure that the registration request is really coming from an iPhone and that the ID isn't fake?

Rook: @mme good question, and I don't think you can.
A: 

I don't think this is possible.

Rook
A: 

The iPhone application could digitally sign a registration message (containing the device ID) and send it to the web application. Of course, this only works until someone extracts the key from the iPhone application, but it might hold out for ... say half an hour.

Really, you can't. Sorry.

Anonymouse
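The challenge-response scheme proposed in the question's Edit and the signed registration message from the last answer share the same shape: the server issues a random challenge, the client answers with a keyed function of the challenge and its device ID, and the server verifies. The added example below (not code from the question or any of the answers) implements the server side of that scheme in Python with an HMAC over a shared secret, plus the single-use nonce and expiry checks a practitioner would add so that captured tokens cannot be replayed, and the operator blacklist the question describes. The secret, the device IDs and the clock are constructed placeholders. The final function makes the answers' caveat concrete: because the secret must ship inside the app, whoever recovers it from the binary can compute valid tokens for any device ID, so the scheme raises the effort of abuse without proving the request came from an iPhone.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical shared secret that would be embedded in the app binary.
# Constructed placeholder; a real deployment would have its own value,
# but the limitation shown below applies to any value shipped in the app.
SHARED_SECRET = b"example-shared-secret-placeholder"


def compute_token(secret: bytes, device_id: str, nonce: str) -> str:
    """Client side of the scheme: keyed hash over device ID and challenge."""
    message = device_id.encode("utf-8") + b"|" + nonce.encode("utf-8")
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class ChallengeServer:
    """Server side: issues challenges, verifies responses, keeps a blacklist."""

    def __init__(self, secret: bytes = SHARED_SECRET, ttl_seconds: float = 60.0, now=time.time):
        self._secret = secret
        self._ttl = ttl_seconds
        self._now = now                 # injectable clock so expiry can be tested
        self._pending = {}              # nonce -> time it was issued
        self._blacklist = set()         # device IDs blocked by the operators

    def issue_challenge(self) -> str:
        """Hand out a fresh random nonce and remember when it was issued."""
        nonce = secrets.token_hex(16)
        self._pending[nonce] = self._now()
        return nonce

    def blacklist(self, device_id: str) -> None:
        """Operator action: deny further requests carrying this device ID."""
        self._blacklist.add(device_id)

    def verify(self, device_id: str, nonce: str, token: str) -> bool:
        """Accept a request only if nonce is unused, fresh, device not blocked,
        and the token matches the keyed hash."""
        issued_at = self._pending.pop(nonce, None)   # pop: each nonce is single-use
        if issued_at is None:
            return False                              # unknown or already consumed
        if self._now() - issued_at > self._ttl:
            return False                              # stale challenge
        if device_id in self._blacklist:
            return False
        expected = compute_token(self._secret, device_id, nonce)
        # constant-time comparison avoids leaking how many bytes matched
        return hmac.compare_digest(expected, token)


def extracted_key_passes(server: ChallengeServer, leaked_secret: bytes, device_id: str) -> bool:
    """The caveat from the answers: anyone holding the embedded secret can
    produce a token the server accepts for an arbitrary device ID, so the
    scheme cannot prove the request originated from a genuine app."""
    nonce = server.issue_challenge()
    return server.verify(device_id, nonce, compute_token(leaked_secret, device_id, nonce))


if __name__ == "__main__":
    srv = ChallengeServer()
    n = srv.issue_challenge()
    print("valid client:", srv.verify("DEVICE-A", n, compute_token(SHARED_SECRET, "DEVICE-A", n)))
    print("replayed token:", srv.verify("DEVICE-A", n, compute_token(SHARED_SECRET, "DEVICE-A", n)))
    print("with extracted key:", extracted_key_passes(srv, SHARED_SECRET, "DEVICE-Z"))
```

The nonce bookkeeping lives in a plain dict here; a real server would expire entries so the pending set cannot grow without bound, and would store the blacklist persistently so operator decisions survive restarts.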