I need to find a solution to make sure my app, which will be distributed as a native App on mobile devices, and ONLY my app can access my Web Service hosted some place else. In other words, my Web Service should only accept requests through legitimate usage of my application, and not by any other means.
The solution I thought about is the following; please tell me if you think there is a better one, or if this one is not adequate:
Counter-Synchronized One Time Passwords (CS-OTPs): The basic idea is that each side (the WS and the App) holds a hard-coded secret key and a synchronized counter. Each time the client app sends a request to the WS, it produces a hash with the secret key and the counter value. The back-end WS does the same and compares the hashes; if they are identical, the authentication succeeds, and both sides increment their counters to keep them synchronized. Since the counter is incremented after every successful attempt, the hash will be different each time (thus the name 'One time password').
Why do I think I need a one-time password? Because if the password, or the hash, stays identical, it could be intercepted very easily by the client App user, who could then forge requests himself without needing the App.
Tell me what you think about that solution.
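A worked model of the CS-OTP scheme described in the question, added here as an example rather than code from the poster. It assumes HMAC-SHA256 as the hash and a constructed demo secret, extends the scheme by also covering the request body in the MAC, and adds a bounded look-ahead so the server can resynchronise when a request is lost in transit:

```python
import hashlib
import hmac
import struct

# Constructed demo secret; in a real deployment each side holds its own copy
# and the scheme only works as long as that copy stays confidential.
SECRET = b"example-shared-secret-not-for-production"


def cs_otp(secret: bytes, counter: int, body: bytes) -> str:
    """HMAC-SHA256 over the 8-byte big-endian counter and the request body.

    Modelled on HOTP (RFC 4226): same counter encoding, different hash,
    and the body is mixed in so a captured token cannot be reused with
    a different payload.
    """
    msg = struct.pack(">Q", counter) + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Client:
    def __init__(self, secret: bytes) -> None:
        self.secret, self.counter = secret, 0

    def make_request(self, body: bytes) -> dict:
        req = {"body": body, "otp": cs_otp(self.secret, self.counter, body)}
        self.counter += 1  # advance even if the request is lost in transit
        return req


class Server:
    def __init__(self, secret: bytes, window: int = 5) -> None:
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, req: dict) -> bool:
        # Look ahead a bounded number of counter values so the server can
        # resynchronise after requests the client sent but the server never saw.
        for c in range(self.counter, self.counter + self.window + 1):
            expected = cs_otp(self.secret, c, req["body"])
            if hmac.compare_digest(expected, req["otp"]):
                self.counter = c + 1  # consume this and every skipped value
                return True
        return False  # replay, tampering, or drift beyond the window
```

A replayed request fails because the server's counter has already moved past it, and a client that drifts further ahead than the window is locked out until the counters are re-provisioned.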
Many ways to achieve this; my method is to create an encrypted token from the client to the server using a secret key as you suggest. I would also include in this encrypted key some information that will aid validation. Include things like IP address, expiry date/time, current time etc. So someone trying to replay traffic would have to come from the same IP address, within a certain time period etc. You can vary to suit your own needs. Hope this helps.