I'm managing the development of an iPhone app that relies on web services to provide catalog access. My main security concern right now is someone accessing my web service and replicating/scraping my entire catalog (right now, it doesn't contain anything proprietary - but that would change).
In short, I need to limit the web service access to my iPhone app. While the app is in beta, I could easily get the iPhone device ID and limit it to only the 5 developers. But when the app goes live, I don't want (and I'm not sure I can legally) collect device IDs for authentication.
I tried limiting access by the user-client string - but that can be spoofed.
My next step is some kind of shared pass phrase - but again, that can be sniffed.
Any other ideas?
TIA,
Guy
Ultimately this is going to go down to authentication. I think you're going to have to use secure communications - namely some kind of certificate-based encryption of some value that is only available to the iPhone application.
If the Auth can be spoofed then you have no protection against this.
There is some info in this question: Best Security Framework to secure and authenticate an iPhone app which uses REST? or here:
http://www.flowmessenger.com/blog/2009/11/10/iphone-and-secure-restful-authentication.html
I have built a similar solution, and the way security is addressed is with HTTPS access on the server and username/password authentication to access the API/web service.
I believe you can feel more comfortable limiting by the device ID or something else with a higher level of confidence once you implement HTTPS.
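The two answers above come down to the same server-side rule: refuse the catalog API unless the request arrived over HTTPS (so a shared secret cannot be sniffed in transit) and the caller presents a username and password the server can verify. The following is an added example of that check, not code from the original post or from any of the answerers. The request shape (a dict with `scheme`, `path` and `headers`), the user name `catalog-app`, its password, and the salt are all constructed for the example; the password is stored only as a salted PBKDF2 hash and compared in constant time.

```python
"""Authorize a catalog API request: HTTPS only, plus username/password.
Example code; the request shape, user store and credentials are constructed."""
import base64
import hashlib
import hmac
import os

# Constructed user store. The server keeps a salted hash, never the password.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

_SALT = os.urandom(16)
USERS = {
    "catalog-app": (_SALT, _hash_password("correct horse battery staple", _SALT)),
}

def parse_basic_auth(header):
    """Return (user, password) from an 'Authorization: Basic ...' header, else None."""
    if not header:
        return None
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password

def verify_credentials(user, password):
    """Constant-time comparison against the stored salted hash."""
    record = USERS.get(user)
    if record is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, expected = record
    return hmac.compare_digest(_hash_password(password, salt), expected)

def authorize_request(request):
    """Return (status, reason). request = {"scheme", "path", "headers"} (constructed)."""
    if request.get("scheme") != "https":
        # Over plain HTTP a pass phrase or password is sniffable, so reject outright.
        return 426, "Upgrade Required: use HTTPS"
    creds = parse_basic_auth(request.get("headers", {}).get("Authorization"))
    if creds is None:
        return 401, "Unauthorized: missing credentials"
    user, password = creds
    if not verify_credentials(user, password):
        return 401, "Unauthorized: bad credentials"
    return 200, "OK: %s may read %s" % (user, request.get("path"))

def basic_header(user, password):
    """Build the header value a client would send (helper for the demo)."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()

if __name__ == "__main__":
    good = basic_header("catalog-app", "correct horse battery staple")
    for req in [
        {"scheme": "http", "path": "/catalog", "headers": {"Authorization": good}},
        {"scheme": "https", "path": "/catalog", "headers": {}},
        {"scheme": "https", "path": "/catalog",
         "headers": {"Authorization": basic_header("catalog-app", "wrong")}},
        {"scheme": "https", "path": "/catalog", "headers": {"Authorization": good}},
    ]:
        print(authorize_request(req))
```

In a real deployment the `scheme` check comes from the TLS listener or the reverse proxy's forwarded-protocol header rather than a dict field, but the decision order is the one that matters: the transport check runs before any credential is read, so a password is never accepted over a channel on which it could have been observed. Issuing each user their own credential, rather than one secret shared by every install, also means a leaked credential can be revoked without breaking the app for everyone else.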