How should I secure my WCF Rest/JSON Services for use with an iOS/Android Application?

Question

We're in the process of building a new web application stack. The back-end functionality will be heavily service based but as some of these services will need to be exposed to the public internet, I'll need to secure them. I've partially succeeded by locking down the service urls using standard membership/role provider model. The part I'm having trouble with at the minute is if we were to ever build an iOS (or Android) application on top of our Service Stack, how would we go about handling security?

I'm completely open to suggestions. I've included some information below on the setup so far.

1. ASP.NET Website using SQL Membership/Role Provider / Forms Authentication running on a HTTPS connection. Only the Default/Login/FAQ Pages are publically accessible. All other pages live in a folder called "/Secure" which requires you to be authenticated.

2. WCF WebService. All backed functionality is provided through this service. Endpoints are only available on the local intranet. the ASP.NET Website Code Behind talks to the service using a standard Service Reference.

3. WCF REST/JSON Services. Some of the above functionality is re-wrapped in a WCF REST/JSON service. This was setup using the "WCF REST Template 40". The service are then routed using System.Web.Routing to "/Secure/jsonsvc/*". Because this is beneath the /Secure folder, it inherits the membership/roleprovider security for any request. e.g. xmlhttp calls to this service from a client side JQuery widget, would only work for users who had already logged into our site.

4. In the future, these same WCF Rest/JSON services may need to be consumed by an external application (e.g. an IPad App). What would the best way to approach this be, given the lack of a HTTP Site/Session/Login context.

Answer 1

As you know, the ASP.NET forms authentication uses a cookie to maintain your authenticated session. Leaving aside any arguments as to whether this is the best way to handle things under a REST methodology, I see no technical reason why you would not be able to use the same cookie in your iOS app.

You would obviously need either a simple login web page (displayed in your app via a UIWebView) or a login REST method to return the cookie to you in the first place, and then on subsequent requests you would simply return the cookie with the request (here is a little bit of information on handling cookies in iOS using the ASIHTTP library).

A couple of important things to keep in mind are that you do not have any control over the wireless network that the device is on so you should definitely be using SSL and also that you should take into account failures/retries/etc for a login REST method just as you would for a login page (if not more so).

Hope that helps!