Only allow my clients to access my webservice


I'm a developer who knows little about security! I have a web service that feeds data to my Android application. I want to make sure only my app can access the web service and block anybody else!

After searching a bit I came up with a token generation algorithm. I generate a token in my app, then on my server I check whether it was created by my algorithm or not. The problem is, I have to create tokens that are either

  • Usable one time only
  • Expire in a short time (like 30 seconds)

But how?!

I really don't want to store tokens because I have 1M+ users and storing tokens for each request they make is just not manageable!

I also can't put the user's device time in the token since it may not be correct! I already wrote an algorithm that works like this:

String token = "some random string" + "date time" + "hash of random string and time";

Now on my server I can check that the time has not expired yet and that the hash code is correct. But if some users don't set the time on their device correctly, they will be blocked too!

So what are my alternatives?!

1
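The token layout described in the question, sketched in Python as an added example (not the asker's code): it shows the storage-free server check and the clock-skew rejection the question describes. The keyed HMAC-SHA256 standing in for the "hash", the demo key, and the names `make_token` and `verify_token` are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed demo key (assumption): the question does not say how the hash is keyed.
SECRET_KEY = b"demo-key-not-from-the-page"
MAX_AGE_SECONDS = 30  # expiry window mentioned in the question


def _mac(nonce, timestamp):
    """HMAC-SHA256 over 'nonce.timestamp' (stands in for the question's 'hash')."""
    msg = f"{nonce}.{timestamp}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_token(device_now):
    """App side: random string + device time + MAC over both."""
    nonce = secrets.token_hex(8)
    timestamp = str(int(device_now))
    return f"{nonce}.{timestamp}.{_mac(nonce, timestamp)}"


def verify_token(token, server_now):
    """Server side, nothing stored: 'ok', 'malformed', 'bad-mac' or 'outside-window'."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    nonce, timestamp, mac = parts
    # Authenticate first (constant-time compare), then trust the timestamp.
    if not hmac.compare_digest(mac.encode(), _mac(nonce, timestamp).encode()):
        return "bad-mac"
    try:
        age = server_now - int(timestamp)
    except ValueError:
        return "malformed"
    # The device clock is compared with the server clock, so skew counts as age.
    if abs(age) > MAX_AGE_SECONDS:
        return "outside-window"
    return "ok"


if __name__ == "__main__":
    server_now = 1_700_000_000  # constructed server clock
    for label, skew in [("device clock correct", 0), ("device clock 5 min slow", -300)]:
        token = make_token(server_now + skew)
        print(label, "->", verify_token(token, server_now + 2))
```

Because the server keeps no record of tokens it has seen, the same token verifies repeatedly until the window closes, so this check gives short expiry but not one-time use.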

There is 1 answer

1
Eborbob On

An alternative to limiting access would be for your webservice to serve up encrypted content, so that only your app (which would hold the decryption key) could make use of it.