We have an application in MWS that is hosted on IIS through an iFrame that provides a customer with some account information.
A company has created an iPhone application that pretty much takes the user's credentials from the iPhone and passes them, via the application developer's site, through to the IIS iFrame path /my/App/Path/?username=&password=.
It then scrapes the response and passes it back to the iPhone in JSON format.
The architecture we have is:
IIS on https (DMZ) <- ARR -> MWS (8.0.2) on https <- WS -> IS (8.0.2) <-> DB
OpenLDAP for authentication
My questions to the experts are as follows:
- If we are to have a mobile application that is on iTunes/Android Market (publicly available), how can we secure the IS layer to avoid someone generating applications that aren't official to use the web service?
- Do we have support for 2/3-legged OAuth on the IS layer?
- Maybe generate some registration process for the installation of the application to capture device-specific details and add it to some sort of whitelist? Almost like a banking application where you verify by sending an SMS with a code.
Now we can easily install certificates on IS and set up another in the DMZ with remote invoke capabilities, but that is just to protect against someone decompiling the application and working out the WS endpoint URL.
Any help/pointers on how best to proceed would be much appreciated; even if we have some documentation on best practices would be handy.
Integration Consultant | Software AG | www.softwareag.com