android - Secure web service requests

Question

I need to make requests to a web service via android application. The webservice can be designed as needed.

It seems to me that no matter which approach I will choose, someone who wants to hack it, will just need to reverse engineer My android appliaction code (which isn`t very hard) and could see exactly what I do, wheather I encrypt the data, use hardcoded Password or any other solution for that matter.

Is there a solution which will be 100% secure?

Answer 1

There is no 100% secure, all you can do is make things harder for your attacker. Things you can consider:

• Encryption - Passing your requests over encrypted channels will stop basic sniffing (this can be countered with MITM)

• Obfuscation - Make your intent harder to understand when they do decompile your app

The second part to this is mitigation - the ability to notice when your app has been compromised and deal with it. A typical way of handling this is to assign a unique token to each client on first run then pass this as an argument on each call to your service.

This way if somebody decompiles your app and figures out how to call your service you can at least start monitoring where the abusive requests are coming from and also monitor for suspicious behaviour (i.e. multiple requests from the same key in a short period across different IP addresses). From there you can start blocking keys.