问题
I'm using (with satisfaction) some web services from an Android application.
I use https (I bought a SSL certificate).
I want to prevent unwanted accesses from others that know the urls of my web services.
I use a "secret key" that the app must provide to the web service method, but it's stored in a constant variable inside the code and I know this is not the best solution to ensure security.
Android web service call (using ksoap):
try {
SoapObject request = new SoapObject(configuration.getNamespace(), methodName);
request.addProperty("securityKey", SECURITY_KEY);
C# web service
[WebMethod]
public string UserRegistraion(string securityKey, string data)
{
if (securityKey != Environment.SecurityKey)
{
return "WRONG_KEY";
}
What's the best way to achieve the definitive solution?
EDIT:
As someone suggested, I asked the same question also on security.stackexchange.com
https://security.stackexchange.com/questions/30850/web-services-how-prevent-illegal-accesses
回答1:
You simply can't do this. You should obfuscate your code. This is an old battle of software developers vs. crackers
You can't block someone on using/analyzing a code that resides on the client-side, but you can make it difficult in a point that almost all people will give up on doing it because it is too much hard to exploit your code.
来源:https://stackoverflow.com/questions/14855902/c-sharp-webservice-and-android-app-how-prevent-illegal-accesses