Secure / Authenticated interaction from a WP7 app

I am working on a WP7 application. This WP7 application will interact with some web services that I have created. I do not want other applications interacting with these web services. The reason why is because I do not want them stealing my data. With that in mind, here is what I'm currently doing:

• Connecting to web services via HTTPS
• Making my users initially login to the application
• Passing the users username / password with开发者_JAVA百科 each web service interaction

At this time, I don't see what is stopping a malicious developer from creating a username / password combo and using that account in their application to interact with my web services. How do I really lock this thing down?

Thanks!

As a start towards a more secure system you should stop storing the password and sending it over the wire with each request (even if you're using SSL).

If you must pass it with each request, store a salted hash of the password and use that instead.

I'm using a multi layered approach to this problem. I recommend thinking creatively and using a variety of methods to validate that requests are coming from devices you expect requests to come from.

Alternatively, if there is any merit in your scenario, open up your api to 3rd party developers and make this work toward your objectives.

If you do decide to store a key in your app, don't store RAW text but instead declare a byte array of the UTF8 values, this won't be as easy to read.

You can then handshake with your service using a salted hash of the key the first time the app is run, the service hands out another key for the device to actually use day-to-day.

The phone should have an almost accurate time, so you can recalculate the key each day or hour. You can also revoke the key at the server end for just that device.

This API will be useful in ensuring you can blacklist a device permanently.

DeviceExtendedProperties.GetValue(“DeviceUniqueId”).ToByte();

I've not looked into symmetric encryption by you might even be able to use the above unique ID as a private key.

I think the key to success is that first hand-shake, and ensuring that is not snooped. If it's a really important system, then don't use any of these ideas since rolling your own encryption is always flimsy to anyone with serious intent - use well-known methods and read up.

Luke

You could introduce an "Authorized Application ID" feature where the application sends its name or identifier within each HTTP request body. Then on the server side you can verify the application's identity (e.g. store the authorized app ID's in a table). The application ID would be encrypted within the HTTP(S) body.

This would also give you the option of pushing out new application ID's in updated versions of the WP7 application if you wanted to get rid of an older application ID. You'd also be able support new applications on difference devices or platforms in the future.

You may want to look at this http://channel9.msdn.com/Blogs/Jafa/Windows-Phone-7-Trade-Me-Developer-Starter-Kit