Secure Webservice (WCF) without storing credentials on consumer application
Posted
by Pai Gaudêncio
on Stack Overflow
See other posts from Stack Overflow
or by Pai Gaudêncio
Published on 2010-03-25T05:05:05Z
Indexed on
2010/03/25
5:13 UTC
Read the original article
Hit count: 420
Howdy folks,
I have a customer that sells a lottery analysis application. In this application, he consumes a webservice (my service, I mean, belongs to the company I work for now) to get statistical data about lottery results, bets made, amounts, etc., from all across the globe. The access to this webservice is paid, and each consult costs X credits.
Some people have disassembled this lottery application and found the api key/auth key used to access the paid webservice, and started to use it.
I would like to prevent this from happening again, but I can't find a way to authenticate on the webservice without storing the auth. keys on the application. Does anyone have any ideas on how to accomplish such task?
ps1.Can't ask for the users to input any kind of credentials. Has to be transparent for them (they shouldn't know what is happening).
ps2. Can't use digital certificates for the same reason above, not to mention it's easy to retrieve them and we would fall into the original problem.
Thanks in advance.
© Stack Overflow or respective owner