How To Secure Web Service Without Login

Front-end  Unresolved  8  2555
终归单人心 2020-12-22 18:13

I have a mobile app (currently iOS and soon Android) which talks to a web service. There is no login and the data is not private. Basically, the app POSTs a marker (lon, lat

8 replies
  •  抹茶落季
    2020-12-22 19:01

    The simplest way to implement rate limiting on the server side is to just use a web server plugin/module. For example, if your service is running on apache, install and configure mod_evasive. This will allow you to rate limit based on IP address, service/URL, etc. Mod Evasive will be more effective than what you can implement on your own.

    If you use keys, you need to have some kind of captcha based way for the client to get the keys upon signup. You could have it drop accounts for abusive users. Right, of course one parameter would be the timestamp which would be verified as recent and in the past on the server side. The key would encrypt the entire payload along with the timestamp, and be added as an additional parameter. Storing frequency of requests on a per-key basis ends up requiring some kind of round-robin database, unless you only check recency of last request.

    No purely client-side rate limit will make any difference. Someone could discover your API on the web without ever even having seen your client. I doubt that a shared secret would be effective for long.

    You will find plenty of web services that don't require a password and are merely rate limited... for example, the Twitter API offers many rate-limited unauthenticated API services.
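The reply above sketches two server-side measures: a per-IP rate limit and a shared key used with a timestamp that the server checks is recent and in the past. The block below is an added example (not code from the thread or from any of the tools mentioned) that puts both together in plain Python: a sliding-window counter keyed by source IP, and an HMAC-SHA256 tag over the marker plus timestamp instead of encrypting the payload, since a tag is what a server needs to detect tampering. The policy values (`WINDOW_SECONDS`, `MAX_PER_WINDOW`, `MAX_AGE_SECONDS`), the demo secret, the marker coordinates and the client IP are all constructed for the example.

```python
import hashlib
import hmac
import json
from collections import defaultdict, deque

# Hypothetical policy values for this example (not from the thread).
WINDOW_SECONDS = 60          # sliding window length for the per-IP counter
MAX_PER_WINDOW = 30          # requests allowed per IP per window
MAX_AGE_SECONDS = 300        # how old a request timestamp may be


class SlidingWindowLimiter:
    """Per-client sliding-window counter, keyed by source IP (in-memory only)."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW):
        self.window = window
        self.limit = limit
        self.hits = defaultdict(deque)   # client_key -> timestamps of recent hits

    def allow(self, client_key, now):
        q = self.hits[client_key]
        cutoff = now - self.window
        while q and q[0] <= cutoff:      # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def canonical(marker, ts):
    """Stable byte encoding of the payload so client and server tag identical bytes."""
    return json.dumps({"marker": marker, "ts": ts}, sort_keys=True,
                      separators=(",", ":")).encode()


def sign_marker(secret, marker, ts):
    """Client side: HMAC-SHA256 tag over marker plus timestamp under the shared key."""
    return hmac.new(secret, canonical(marker, ts), hashlib.sha256).hexdigest()


def build_request(secret, marker, ts):
    """Client side: the JSON body the app would POST."""
    return {"marker": marker, "ts": ts, "sig": sign_marker(secret, marker, ts)}


def verify_request(secret, body, client_ip, limiter, now, max_age=MAX_AGE_SECONDS):
    """Server side. Returns (accepted, reason). Rate limit runs before any crypto."""
    if not limiter.allow(client_ip, now):
        return False, "rate limited"
    ts = body.get("ts")
    if not isinstance(ts, int):
        return False, "missing timestamp"
    if ts > now:                          # must be in the past
        return False, "timestamp in the future"
    if now - ts > max_age:                # must be recent
        return False, "stale timestamp"
    expected = sign_marker(secret, body.get("marker"), ts)
    if not hmac.compare_digest(expected, str(body.get("sig", ""))):
        return False, "bad signature"
    return True, "ok"


# Constructed demo data (not from the thread).
DEMO_SECRET = b"example-shared-secret-change-me"
DEMO_MARKER = {"lon": -122.4194, "lat": 37.7749}
DEMO_NOW = 1_700_000_000


def demo():
    """Four requests from one IP against a limit of 3: good, tampered, stale, over limit."""
    limiter = SlidingWindowLimiter(limit=3)
    ip = "203.0.113.7"
    results = []
    body = build_request(DEMO_SECRET, DEMO_MARKER, DEMO_NOW - 5)
    results.append(verify_request(DEMO_SECRET, body, ip, limiter, DEMO_NOW))
    tampered = dict(body, marker={"lon": 0.0, "lat": 0.0})
    results.append(verify_request(DEMO_SECRET, tampered, ip, limiter, DEMO_NOW))
    old = build_request(DEMO_SECRET, DEMO_MARKER, DEMO_NOW - 3600)
    results.append(verify_request(DEMO_SECRET, old, ip, limiter, DEMO_NOW))
    results.append(verify_request(DEMO_SECRET, body, ip, limiter, DEMO_NOW))  # 4th hit
    return results


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

The limiter state lives in one process's memory, which is the trade-off the reply points at: once the service runs on more than one node, the per-key counters need a shared store. The timestamp check bounds how long a captured request stays replayable, and the rate limit is evaluated first so that a flood of bad signatures cannot burn CPU on HMAC verification.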
