How to ensure access to my web service from my code only?

天命终不由人 2020-12-17 22:32

I am writing a very simple web service for my iPhone app. Let's say this is an HTTP page that returns a random number at http://mysite/getRand. How do I ensure that this pag

9 Answers
  •  一个人的身影
    2020-12-17 23:02

    Here's one thought - send up the device ID along with requests from your app.

    Monitor the device IDs used - if you see a ton of requests from different IPs near or at the same time, that device is probably being used as a fixed key in the requests sent to you - block it.

    For those that actually send the real device ID from other apps (not yours), you can monitor usage trends to see if the calls match the pattern of how your app performs - like one call being used by a device before some initialization call you would normally expect, and so on - block those too.

    Basically by being able to shift rules around patterns of use, you can better adjust to someone trying to use your service by making sure it's not a fixed target like some random use key would be.

    You may also want to use a simple use key as well as a first line of defense, and then layer on the traffic analysis approach. Also, custom HTTP header values you look for are another simple way to trip up a naive attacker.
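
The traffic-analysis rules described in the answer above, sketched server-side as an added example that is not part of the original answer. The log tuple format, the `/init` path, the device IDs and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample request log: (unix_time, device_id, source_ip, path).
# The /init call stands in for "some initialization call you would normally expect".
SAMPLE_LOG = [
    (1000, "dev-A", "198.51.100.7", "/init"),
    (1005, "dev-A", "198.51.100.7", "/getRand"),
    (1010, "dev-B", "203.0.113.1", "/getRand"),   # never called /init first
    (1011, "dev-C", "203.0.113.2", "/init"),
    (1012, "dev-C", "203.0.113.3", "/getRand"),
    (1013, "dev-C", "203.0.113.4", "/getRand"),
    (1014, "dev-C", "203.0.113.5", "/getRand"),
    (1500, "dev-A", "198.51.100.9", "/getRand"),  # same device, new IP, much later
]

def shared_device_ids(events, window=60, max_ips=3):
    """Device IDs seen from more than max_ips distinct IPs within `window` seconds."""
    recent = defaultdict(deque)   # device_id -> (time, ip) pairs still inside the window
    flagged = set()
    for ts, dev, ip, _path in sorted(events):
        q = recent[dev]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop sightings that fell out of the window
        if len({seen_ip for _, seen_ip in q}) > max_ips:
            flagged.add(dev)      # one ID, many IPs at once: likely a copied fixed key
    return flagged

def skipped_init(events, init_path="/init"):
    """Device IDs whose first observed call is not the expected initialization call."""
    first_call = {}
    for _ts, dev, _ip, path in sorted(events):
        first_call.setdefault(dev, path)
    return {dev for dev, path in first_call.items() if path != init_path}

def block_list(events):
    """Union of both rules; either one is enough to block the device ID."""
    return shared_device_ids(events) | skipped_init(events)

if __name__ == "__main__":
    print(sorted(block_list(SAMPLE_LOG)))
```

Because the rules are plain functions over the request log, the window, the IP threshold and the expected call order can be changed without shipping a new app build.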
