My team will be building iOS and Android versions of an application that would be used by a few hundred employees in the field. We will be developing a .NET webservice in-house for the purpose of providing data to these applications. Since this will be our first foray into mobile development, I’d like to ensure that we do it properly. 🙂
With that in mind, what is the best way to achieve the following:
- Secure the .NET webservice such that no app other than ours can consume it.
- Ensure that transmission of data from the webservice to the client apps is secure.
- Authenticate our users – Windows or Forms authentication?
Also, if there are any good tutorials you can recommend on best practices for developing webservices intended for mobile apps, let me know. Thanks much!
- Use HTTPS instead of HTTP with a proper certificate.
- Using the IIS rewrite module, just allow your app's agent name, or block others in web config.
- Let your mobile clients generate a unique random UUID during the first startup of the app and use this UUID to identify the client. Of course, you should send this ID with every request, and you should send it in the POST body, not in the query string. SSL! Before you do anything in the web service, you can always check whether the received ID is registered or not.
- In addition to the unique ID, NTLM authentication would work, but you should also consider implementing OAuth; I suggest 1.0 instead of 2.0. Documentation can be found here
For Web API, this is a good place to start
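
The device-ID check this answer describes, as an added example that is not part of the original answer or of any project's code: the service accepts the ID only over HTTPS and only from the POST body, and rejects IDs that are malformed or not registered. The field name `deviceId`, the in-memory registry and the chosen status codes are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

public static class DeviceIdCheck
{
    // Hypothetical in-memory registry; a real service would use a database table.
    static readonly HashSet<Guid> Registered = new HashSet<Guid>();

    public static void Register(Guid id) { Registered.Add(id); }

    // Parse an application/x-www-form-urlencoded string into key/value pairs.
    static Dictionary<string, string> ParseForm(string s)
    {
        var fields = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (var pair in (s ?? "").Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries))
        {
            var kv = pair.Split(new[] { '=' }, 2);
            var value = kv.Length > 1 ? kv[1].Replace('+', ' ') : "";
            fields[Uri.UnescapeDataString(kv[0])] = Uri.UnescapeDataString(value);
        }
        return fields;
    }

    // Returns the HTTP status code the service would answer with.
    public static int Check(string scheme, string method, string query, string body)
    {
        if (scheme != "https") return 403;                        // TLS only
        if (ParseForm(query).ContainsKey("deviceId")) return 400; // never accept the ID from the URL
        if (method != "POST") return 405;
        string raw;
        Guid id;
        if (!ParseForm(body).TryGetValue("deviceId", out raw) || !Guid.TryParse(raw, out id))
            return 400;                                           // missing or malformed
        return Registered.Contains(id) ? 200 : 401;               // unknown install
    }

    public static void Main()
    {
        // Constructed sample data: one install that registered at first start.
        var known = Guid.NewGuid();
        Register(known);
        Console.WriteLine("registered, POST body: " + Check("https", "POST", "", "deviceId=" + known));
        Console.WriteLine("unregistered ID:       " + Check("https", "POST", "", "deviceId=" + Guid.NewGuid()));
        Console.WriteLine("ID in query string:    " + Check("https", "POST", "deviceId=" + known, ""));
        Console.WriteLine("plain HTTP:            " + Check("http", "POST", "", "deviceId=" + known));
        Console.WriteLine("malformed ID:          " + Check("https", "POST", "", "deviceId=not-a-uuid"));
    }
}
```

The ID identifies an install; signing in the user is the separate step the answer covers with NTLM or OAuth.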