I have built my app using PhoneGap and everything is working fine. My question is regarding the security of this access.
In this app, the user needs to log in providing a username and password (which I keep in localStorage). After logging in, the app calls a lot of WebService methods and there is no security (I can get data even from the URL in the browser by passing the correct params).
The existing security (almost none) is good enough for regular users, but it is not difficult to inspect the HTML, discover the params of the WebService and get the data.
One way I thought of is to always pass the username and password to the server as method params to check whether that user is allowed to get that data.
What is the best approach?
I can call the WebService from a URL like:
http://benfaniz.com.br/WebService.asmx/AAA_Buscar_Nome_Condominio
With JavaScript I use:
var theUrl = "https://benfaniz.com.br/webservice.asmx/AAA_Buscar_Nome_Condominio";
var xmlhttp = new XMLHttpRequest();
xmlhttp.onreadystatechange = function () {
    if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
        //the code after getting data
    }
};
// third argument false: the request is sent synchronously
xmlhttp.open("GET", theUrl, false);
xmlhttp.send();
Since the data is in XML format, I also use the following script to convert the data to JSON (I don't think it is relevant to the question, but it could help someone):
<script src="https://jquery-xml2json-plugin.googlecode.com/svn/trunk/jquery.xml2json.js"></script>
The WebService method is defined like this:
<WebMethod()> _
<ScriptMethod(ResponseFormat:=ResponseFormat.Json, UseHttpGet:=True)> _
Function AAA_Buscar_Nome_Condominio() As String
    Dim _Condominio As ClCondominio = ClCondominio.Retorna_Condominio(1)
    Return _Condominio.Nome
End Function