
How to secure a geolocation web service?

I'm currently developing a mobile app using Sencha Touch 2 and Phonegap. It's a game where you can "check-in" at some places and get some points every time you do a successful one (as in Foursquare).

I'd like to make it impossible for a clever guy (for example, someone that has decompiled my apk) to execute the REST web service (for example, mywebservice/checkin?access_token=abcde&latitude=12345&longitude=6789) with his computer or any other device outside of the app.

Do you have any idea of how I could achieve this?

Thanks a lot,

In absolute terms, what you are looking for is impossible - if the app on the device contains the key and code necessary to send a valid message, and the device allows the user to decompile apps, then anyone can theoretically reverse engineer it and send whatever messages they want.

In practical terms though, it isn't worth worrying about - nobody will put that much effort into it, and you can probably detect accounts with suspicious activity fairly easily. Just use https and a simple token from the app code to stop anyone who can see the network activity but won't go as far as digging into the app code.

A couple of options (depending on your exact scenario):

  • Bake user info and the app key into the security API key. This would ensure only valid account holders can use the API. Take a look at OAuth.
  • Monitor per account or per connection service activity and look for any suspicious patterns. For example, if the app is operating in user think time then you would expect low numbers of calls per second.
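Both answers above point the same way: the server, not the app, has to be the place where trust is decided. The following is an added example (not code from the question or either answer) of what that looks like on the server side for the `/checkin?access_token=...&latitude=...&longitude=...` endpoint from the question. It binds the account to the token with an HMAC signature (a simplified stand-in for the OAuth-style token the second answer suggests, not an OAuth implementation), and then applies the "suspicious pattern" checks both answers mention: a burst of calls faster than a human tapping a button, and a jump between two check-ins that implies impossible travel speed. The secret value, the thresholds, the point values and the sample coordinates are all constructed for illustration.

```python
import hmac
import hashlib
import base64
import json
import math
from collections import defaultdict

# Server-side secret; it never ships inside the apk (constructed placeholder value).
SERVER_SECRET = b"replace-with-a-long-random-secret"

# Thresholds for the heuristics (assumed values chosen for illustration).
MAX_CALLS_PER_10S = 3          # a human tapping "check in" is far slower than this
MAX_PLAUSIBLE_SPEED_KMH = 300  # faster than this between two check-ins is not travel


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, secret: bytes, expires_at: float) -> str:
    """Bind the account to the token: payload.signature, HMAC-SHA256 over the payload."""
    payload = _b64(json.dumps({"uid": user_id, "exp": expires_at}).encode())
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_token(token: str, secret: bytes, now: float):
    """Return the user id for a valid, unexpired token, otherwise None."""
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # bad base64, bad JSON, missing separator
        return None
    if claims.get("exp", 0) < now:
        return None
    return claims.get("uid")


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in km between two WGS84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


class CheckinMonitor:
    """Per-account history used to spot scripted or physically impossible check-ins."""

    def __init__(self):
        self.history = defaultdict(list)  # uid -> [(t, lat, lon), ...]

    def record(self, uid: str, t: float, lat: float, lon: float):
        """Store the check-in and return the list of flags raised (empty when it looks normal)."""
        flags = []
        recent = [h for h in self.history[uid] if t - h[0] <= 10]
        if len(recent) + 1 > MAX_CALLS_PER_10S:
            flags.append("burst")
        if self.history[uid]:
            t0, lat0, lon0 = self.history[uid][-1]
            dt_h = max(t - t0, 1) / 3600.0  # at least one second, avoids division by zero
            speed = haversine_km(lat0, lon0, lat, lon) / dt_h
            if speed > MAX_PLAUSIBLE_SPEED_KMH:
                flags.append("impossible_travel")
        self.history[uid].append((t, lat, lon))
        return flags


def handle_checkin(params: dict, monitor: CheckinMonitor, secret: bytes, now: float) -> dict:
    """Server-side handler for /checkin?access_token=...&latitude=...&longitude=..."""
    uid = verify_token(params.get("access_token", ""), secret, now)
    if uid is None:
        return {"status": 401, "error": "invalid or expired token"}
    try:
        lat = float(params["latitude"])
        lon = float(params["longitude"])
    except (KeyError, ValueError):
        return {"status": 400, "error": "bad coordinates"}
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        return {"status": 400, "error": "bad coordinates"}
    flags = monitor.record(uid, now, lat, lon)
    if flags:
        # Award nothing and mark the account for review rather than banning outright.
        return {"status": 200, "points": 0, "flags": flags}
    return {"status": 200, "points": 10, "flags": []}
```

The design choice worth noting is that nothing here depends on the app being un-decompilable, which the first answer explains cannot be guaranteed: the token only proves which account is calling, and the scoring decision is made from the server's own record of that account's behaviour, so a script replaying the REST call still has to look like a person walking between places.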
