How To Secure Web Service Without Login

终归单人心 2020-12-22 18:13

I have a mobile app (currently IOS and soon Android) which talks to a web service. There is no login and the data is not private. Basically, the app POSTs a marker (lon, lat

8 answers
  •  夕颜 (original poster)
     2020-12-22 18:37

    I've heard about this idea once, when talking about finding a global solution to the spam problem: force your client to perform some time-consuming computation.

    To be precise: find some computational algorithm that can compute some z for a pair of x and y in the blink of an eye, but that takes a considerable amount of time to compute z when given only x. I cannot provide an actual algorithm, but I am sure there are plenty of them that would match these criteria.

    Now the whole procedure should look as follows:

    1. Upon the first client request, generate some session_id and, for this session_id, a pair of x and y.
    2. Provide your client with session_id and x.
    3. The client can start calculating as soon as it receives the data (in some background thread not tied to user interactions).
    4. To request markers, the client must provide session_id and the calculated z.
    5. You can quickly verify whether the client's z is all right, for you already have x and y, which let you do it easily.
    6. (option 1) For each session_id, store how much/how often it is being requested. The moment you suspect it is being abused, force regeneration of x and y.
    7. (option 2) Force new x and y upon each consecutive request for a session_id.

    Choosing between 6 and 7 is actually a matter of tuning that depends on the complexity of the algorithm vs. the expected 'fair' use of the marker database. If your estimates are good, the evil client should never obtain too much data or overload your server.

    Hope it helps.
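The challenge-response flow described in the answer, as an added example that is not part of the original post. It assumes a constructed preimage-search puzzle as the "algorithm": the server draws a secret y from a small space and publishes x = nonce + SHA-256(nonce:y); the client brute-forces y, while the server verifies with one comparison and rotates the puzzle after every successful request (option 2). The service, the sample marker coordinates and the difficulty constant are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Puzzle hardness: the secret y is drawn from [0, 2**BITS). The client
# must try up to 2**BITS hashes; the server checks a single comparison.
BITS = 16  # constructed value, tune against what an honest phone can afford


def new_puzzle():
    """Build one (x, y) pair: y is the secret answer, x is what the client sees."""
    nonce = secrets.token_hex(8)  # fresh per puzzle so solutions cannot be cached
    y = secrets.randbelow(1 << BITS)
    digest = hashlib.sha256(f"{nonce}:{y}".encode()).hexdigest()
    return f"{nonce}:{digest}", y


class MarkerService:
    """Server side of steps 1, 2, 4, 5 and option 2 (step 7). Constructed example."""

    def __init__(self):
        self.sessions = {}  # session_id -> {"x": ..., "y": ..., "served": n}

    def start_session(self):
        # Steps 1 and 2: mint a session_id and its puzzle, hand out x only.
        session_id = secrets.token_hex(8)
        x, y = new_puzzle()
        self.sessions[session_id] = {"x": x, "y": y, "served": 0}
        return session_id, x

    def get_markers(self, session_id, z):
        # Steps 4 and 5: refuse unless z matches the stored y for this session.
        entry = self.sessions.get(session_id)
        if entry is None or not hmac.compare_digest(str(z), str(entry["y"])):
            return None  # unknown session or wrong answer: serve nothing
        entry["served"] += 1  # per-session counter usable for option 1 (step 6)
        # Step 7 (option 2): rotate the puzzle so the next request costs work too.
        entry["x"], entry["y"] = new_puzzle()
        markers = [(52.370, 4.895), (52.379, 4.900)]  # constructed sample data
        return {"markers": markers, "next_x": entry["x"]}


def solve_puzzle(x):
    """Client side (step 3): brute-force the secret behind x, off the UI thread."""
    nonce, digest = x.split(":")
    for candidate in range(1 << BITS):
        if hashlib.sha256(f"{nonce}:{candidate}".encode()).hexdigest() == digest:
            return candidate
    return None  # malformed or tampered puzzle
```

With BITS = 16 an honest client does at most 65,536 hashes per request while the server does one; raising BITS makes scraping the whole marker database proportionally more expensive without affecting verification cost.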
