How to validate the origin of a web service invokation

Question

Suppose you have a mobile application (Windows Phone or Android) that connects yo your back-end using SOAP.

For making it easy, let\'s say that we have a Web Service

Answer 1

In general, the model looks like:

• Server authenticates itself to the many clients with a certified public key (this is the whole Public Key Infrastructure, Certificate Authorities, etc)
• Each client identifies itself to the server via some other authentication system (in 99.9% of cases, this is a password)

So if you're wondering how this sort of thing works in the case of banking apps, etc that's basically how it breaks down: (1) Client and server establish a secure channel such as a shared secret key, using the server's public key, (2) Client authenticates via this secure channel using some other mechanism.

Your question specifically, however, seems more aimed at the app authenticating itself (i.e., any request from your app is authentic) with the thought that if only your app can be authenticated, and your app is well-behaved, then everything should be safe. This has a few implications:

• This implies that every user of your app is trusted. In security terms, they are part of your "trusted computing base".
• Attempting to achieve this sort of goal WITHOUT considering the user/user's computing platform as trusted is essentially the goal of DRM; and while it's good enough to save money for music publishers, it's nowhere close to good enough for something really sensitive.

In general:

• The problem that you're specifically looking at is VERY hard to solve, if you're looking for very strong security properties.
• You likely don't need to solve that problem.
• If you give us some more context, we might be able to give you more specific advice.