Secure Webservice (WCF) without storing credentials on consumer application

Question

I have a customer that sells a lottery analysis application. In this application, he consumes a webservice (my service, I mean, belongs to the company I work for now) to get statistical data about lottery results, bets made, amounts, etc., from all across the globe. The access to this webservice is paid, and each consult costs X credits.

Some people have disassembled this lottery application and found the api key/auth key used to access the paid webservice, and started to use it.

I would like to prevent this from happening again, but I can't find a way to authenticate on the webservice without storing the auth. keys on the application. Does anyone have any ideas on how to accomplish such task?

ps1.Can't ask for the users to input any kind of credentials. Has to be transparent for them (they shouldn't know what is happening).

ps2. Can't use digital certificates for the same reason above, not to mention it's easy to retrieve them and we would fall into the original problem.

Thanks in advance.

Answer 1

Briefly, you cannot do this efficiently. You face a similar problem as the video game company.

You might use some form of 'code obfuscation' but it's a form of security through obscurity and you cannot guaranty the effectiveness of this.

You might reduce the exposure by using different keys for each client and, on the server side, ensure a key cannot be used by different client simultaneously. This is basically what the the video game industry does that has a real benefit.

Answer 2

It can't be done.

You have to either embed the credentials into the application (hard coded or whatever) or prompt the user to enter them.

Locking the web services to a single application is also ineffective since it can be easily discovered and bypassed, just like embedding the credentials.

Since you cant control the clients or the environment(restrict access by IP, domain, etc.), IMHO you're pretty screwed :(