Secure Webservice (WCF) without storing credentials on consumer application
Posted by Pai Gaudêncio on Stack Overflow
Published on 2010-03-25T05:05:05Z
Indexed on 2010/03/25 5:13 UTC
Howdy folks,
I have a customer that sells a lottery analysis application. In this application, he consumes a webservice (my service, I mean, belongs to the company I work for now) to get statistical data about lottery results, bets made, amounts, etc., from all across the globe. The access to this webservice is paid, and each consult costs X credits.
Some people have disassembled this lottery application and found the API key/auth key used to access the paid webservice, and started to use it.
I would like to prevent this from happening again, but I can't find a way to authenticate on the webservice without storing the auth. keys on the application. Does anyone have any ideas on how to accomplish such a task?
PS1. Can't ask for the users to input any kind of credentials. Has to be transparent for them (they shouldn't know what is happening).
PS2. Can't use digital certificates for the same reason above, not to mention it's easy to retrieve them and we would fall into the original problem.
Thanks in advance.
© Stack Overflow or respective owner