I am developing an Android project where I need to connect to the backend C# service to get data.
I am thinking of using JSON to avoid the SOAP message overhead. What is the best way to implement security for the JSON requests, so that they are not accessible to the public and only accessible to the dedicated users?
I am thinking of getting a token (or SessionID) from the server after login using SSL, and all the service calls after login will use this token to authenticate.
But how should I use the token after login?
1) Through HTTP (can it be easily intercepted?)
2) Through HTTPS (will there be a performance issue if every call is made through HTTPS?)
Could you give some guidance on how to implement it securely without affecting performance?
UPDATE!
The Android application is in hybrid mode, consisting of WebViews and native activities.
How should I maintain the session if the token is based on a session? The user can just log in and be inactive for a long period. Should I just increase the session timeout?
I would suggest using SSL even after you acquire the token. Our company deals with projects involving banks and health-related secure data, and we are mandated to use SSL even after the token implementation. We found that the performance is still within reasonable limits even after using HTTPS.
Using HTTPS would not be a huge performance hit, especially considering the implication of someone sniffing your packets and getting the token (given we don't know the access point the user might be connecting to).
The overhead associated with SSL happens during the initial handshake, since it basically needs to exchange the key and encryption algorithm via RSA. However, once you pass that initial handshake, the cost is related only to encryption/decryption of the packets, and that will not have a huge impact on your app.
As a side note, you could also implement security using a client certificate in your app to make sure that only the app can make calls to the web service. This would further secure the call, since the hacker would need access to the certificate in order to gain access to the server. Even if they know the login, they cannot access the endpoint without the certificate.
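The flow discussed in the question and the answer, as an added example that is not part of either post: a login endpoint that issues a random bearer token, a data endpoint that checks it on every later JSON call, an idle timeout plus an absolute lifetime (the alternative to simply raising the session timeout asked about in the update), and a TLS configuration that refuses clients without a certificate from your own CA (the answer's client-certificate idea). It is written in Go rather than the C# the question's backend uses, so that it runs stand-alone; the timeouts, the `alice` credential, the `constructed payload` body and the `ca.crt`/`server.crt`/`server.key` file names mentioned in the comments are all assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"sync"
	"time"
)

// Constructed timeouts: idle (no request for this long) and absolute (total lifetime).
const (
	idleTimeout     = 30 * time.Minute
	absoluteTimeout = 12 * time.Hour
)

type session struct {
	user              string
	created, lastSeen time.Time
}

// Store keys sessions by SHA-256(token): a leaked copy holds no usable tokens.
type Store struct {
	mu       sync.Mutex
	sessions map[[32]byte]*session
}

func NewStore() *Store { return &Store{sessions: map[[32]byte]*session{}} }

// Issue mints a 256-bit random bearer token for user and records the session.
func (s *Store) Issue(user string) string {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		panic(err) // a failing CSPRNG is not something a login service can work around
	}
	tok := base64.RawURLEncoding.EncodeToString(raw)
	now := time.Now()
	s.mu.Lock()
	s.sessions[sha256.Sum256([]byte(tok))] = &session{user: user, created: now, lastSeen: now}
	s.mu.Unlock()
	return tok
}

// Lookup resolves tok to its user, dropping idle or over-age sessions; a hit slides the idle window.
func (s *Store) Lookup(tok string) (string, bool) {
	key, now := sha256.Sum256([]byte(tok)), time.Now()
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[key]
	if !ok || now.Sub(sess.lastSeen) > idleTimeout || now.Sub(sess.created) > absoluteTimeout {
		delete(s.sessions, key)
		return "", false
	}
	sess.lastSeen = now
	return sess.user, true
}

// users is a constructed credential table; a real backend stores password hashes.
var users = map[string]string{"alice": "correct horse battery staple"}

// login: POST {"username","password"} as JSON over TLS, answered with {"token"}.
func (s *Store) login(w http.ResponseWriter, r *http.Request) {
	var req struct{ Username, Password string }
	if r.Method != http.MethodPost || json.NewDecoder(r.Body).Decode(&req) != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	want, ok := users[req.Username]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(req.Password)) != 1 {
		http.Error(w, "invalid credentials", http.StatusUnauthorized)
		return
	}
	json.NewEncoder(w).Encode(map[string]string{"token": s.Issue(req.Username)})
}

// data: every later JSON call sends "Authorization: Bearer <token>".
func (s *Store) data(w http.ResponseWriter, r *http.Request) {
	user, ok := s.Lookup(strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer "))
	if !ok {
		http.Error(w, "missing, invalid or expired token", http.StatusUnauthorized)
		return
	}
	json.NewEncoder(w).Encode(map[string]string{"user": user, "data": "constructed payload"})
}

// TLSConfigRequiringClientCert admits only clients whose certificate chains to the CA in caPEM.
func TLSConfigRequiringClientCert(caPEM []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CA certificate found in PEM")
	}
	return &tls.Config{MinVersion: tls.VersionTLS12, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert}, nil
}
```

To serve it, register `store.login` and `store.data` on an `http.ServeMux`, put the config from `TLSConfigRequiringClientCert` (loaded from an assumed `ca.crt`) into `http.Server.TLSConfig`, and start it with `ListenAndServeTLS("server.crt", "server.key")`; the Android side then sends the token in the `Authorization` header on every call, over HTTPS only. Two design points worth noting: the store holds only a hash of each token, so a database dump does not yield working sessions, and the absolute lifetime means a long idle timeout (the update's question) still cannot turn a leaked token into a permanent credential.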