Suppose you have a mobile application (Windows Phone or Android) that connects yo your back-end using SOAP.

For making it easy, let’s say that we have a Web Service implemented in C#. The server exposes the following method:

[WebMethod]
public string SayHallo() { return "Hallo Client"; }

From the server perspective, you can’t tell if the caller is your mobile application or a developer trying to debug your web service or a hacker trying to reverse engineer/exploit your back-end.

How can one identify that the origin of the web service call is THE application? as anyone with the WSDL can invoke the WS.

I know I can implement some standard security measures to the web service like:

• Implement HTTPS on the server so messages travel encrypted and the danger of eavesdropping is reduced.
• Sign the requests on the client-side using a digest/hashing algorithm, validate the signature in the server and reject the messages that have not been signed correctly.
• Write custom headers in the HTTP request. Anyways headers can be simulated.

However, any well experienced hacker or a developer who knows the signing algorithm, could still generate a well signed, well, formatted message. Or a really good hacker could disassemble the application and get access to the hidden know-how of my “top secret” communications protocol.

Any ideas how to make the SayHallo() method to answer ONLY to request made from my mobile application?

We are running in the context of a mobile application, with hardware access, there could be something that can be done exploiting the hardware capabilities.

If someone wonders, I’m thinking on how to make a mobile app secure enough for sensitive applications like banking, for example.

Thanks for your ideas.