Securing a web service so it can only be called by a specific Android application

渐次进展 2021-02-06 06:44

We have a web service that should only be called by a specific Android app. What solutions are there for this problem?

The requirement is to not use authentication at all.

3 Answers
  •  既然无缘
    2021-02-06 07:11

    If you're absolutely certain this web service will only need to be accessed by authorized applications/devices, go with client-side SSL certificates and restrict access at the server to only clients with authorized certs. This has the bonus feature of forcing SSL at all times so you don't leak auth secrets over an open channel. Here's a quick guide for Apache, but you could use nginx too:

    http://it.toolbox.com/blogs/securitymonkey/howto-securing-a-website-with-client-ssl-certificates-11500
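
The server-side restriction described in the answer above, sketched as an Apache 2.4 mod_ssl virtual host. This is an added example, not taken from the answer or the linked guide; the hostname, file paths and certificate CN are placeholders.

```apache
# Added example. Hostname, paths and the CN value are constructed placeholders.
<VirtualHost *:443>
    ServerName api.example.com

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Trust ONLY the private CA that issues the app's client certificate.
    # Pointing this at a public CA bundle would admit any certificate
    # issued by those CAs.
    SSLCACertificateFile  /etc/apache2/ssl/app-client-ca.crt

    # Weak setting: "optional" lets the handshake complete without a client
    # certificate and leaves enforcement to application code.
    # SSLVerifyClient optional

    # Hardened setting: the handshake fails unless the client presents a
    # certificate signed directly by the CA above.
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Reject client certificates the CA has revoked.
    SSLCARevocationFile  /etc/apache2/ssl/app-client-ca.crl
    SSLCARevocationCheck leaf

    <Location "/">
        # Second check at the request level: TLS only, verification must
        # have succeeded, and the subject CN must match the expected client.
        SSLRequireSSL
        Require expr "%{SSL_CLIENT_VERIFY} == 'SUCCESS' && %{SSL_CLIENT_S_DN_CN} == 'android-app-client'"
    </Location>
</VirtualHost>
```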
