What you're concerned about is a classic man-in-the-middle attack, and the conventional/simple solution is to use SSL, as SSL will ensure that the target host has a certificate which matches the DNS entry.
As long as you don't have registrars willing/able to hand out certs for existing domains they don't control [0], this is fairly durable, and I'm not aware of anything that greatly improves upon just using SSL. (Perhaps you should create & ship your own private certs instead of using those signed by a certificate authority, though this may complicate things as well.)

- Jon

[0] This HAS happened: http://it.slashdot.org/story/11/08/31/2221248/hackers-may-have-nabbed-over-200-ssl-certificates

On Jan 27, 2012, at 2:13 PM, kiklion wrote:

> I understand that to access a remote database (SQL server) the typical way is
> through web services. Expose functions through the web service and access
> the web service through the app. My concern is how to verify a user's
> credentials.
>
> Example:
>
> User logs in, application transmits UN/PW to web service, web service
> determines if credentials are valid and returns a true for that username.
> Now I can store that he is logged in somewhere in the application and future
> transactions are to be that user. Perhaps add a timeout in case the device is
> left unattended or if you can catch it being put in 'sleep' mode somehow
> have that trigger re-verifying credentials. I have a sense as to how all of
> this works.
>
> However, could someone not see what site the web service is being accessed
> at through monitoring the packets? And then with some DNS redirecting host
> another service that takes the same parameters for the same function name
> and returns true regardless of the password. Then the app assumes he is
> logged in when he never verified credentials.
>
> Can people not determine location of web service through packet
> sniffing/other means?
> If they know the location of the web service, that gives them access to what
> functions are being called and what parameter types to pass. Would SSL
> protect this? Is there a better way to validate credentials on a remote
> database than through web services?
>
> --
> View this message in context:
> http://mono-for-android.1047100.n5.nabble.com/Passing-Credentials-remote-database-tp5436362p5436362.html
> Sent from the Mono for Android mailing list archive at Nabble.com.

_______________________________________________
Monodroid mailing list
Monodroid@lists.ximian.com

UNSUBSCRIBE INFORMATION:
http://lists.ximian.com/mailman/listinfo/monodroid
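Jon's second suggestion, shipping your own cert with the app instead of trusting whatever a CA signed, is certificate pinning. The sketch below shows how that looks in a Mono for Android client; it is an added example for this archive, not code from the thread or from the Mono for Android project. It uses the standard .NET APIs `ServicePointManager.ServerCertificateValidationCallback`, `HttpWebRequest` and `X509Certificate.GetCertHashString()`; the service host, login URL, form field names and the thumbprint value are placeholders you would replace with your own.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example (not from the original thread): pin the web service's
// certificate so that a DNS-redirected impostor host cannot pass
// validation even if it presents a CA-signed certificate for the right
// name (the scenario in kiklion's mail and in Jon's footnote [0]).
public static class PinnedLoginClient
{
    // Assumed values: replace with your own service host and the SHA-1
    // thumbprint (hex, no separators) of the certificate you ship.
    const string ServiceHost = "api.example.com";
    const string LoginUrl = "https://" + ServiceHost + "/auth/login";
    const string PinnedThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567";

    // Call once at application start-up. The callback is process-global.
    public static void InstallPin()
    {
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
    }

    static bool ValidateServerCertificate(object sender, X509Certificate certificate,
                                          X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (certificate == null)
            return false;

        // Only pin connections to our own service; any other host keeps the
        // default behaviour (accept only if the normal chain/name checks passed).
        var request = sender as HttpWebRequest;
        if (request == null ||
            !string.Equals(request.RequestUri.Host, ServiceHost, StringComparison.OrdinalIgnoreCase))
            return sslPolicyErrors == SslPolicyErrors.None;

        // For our host, ignore the CA store entirely and require the presented
        // leaf certificate to be exactly the one compiled into the app.
        string presented = certificate.GetCertHashString();
        return string.Equals(presented, PinnedThumbprint, StringComparison.OrdinalIgnoreCase);
    }

    // Posts the credentials over the pinned channel and returns the service's
    // reply body. A redirected fake host fails in ValidateServerCertificate,
    // so this throws a WebException rather than returning an attacker-chosen
    // "true".
    public static string Login(string userName, string password)
    {
        var request = (HttpWebRequest)WebRequest.Create(LoginUrl);
        request.Method = "POST";
        request.ContentType = "application/x-www-form-urlencoded";

        byte[] body = Encoding.UTF8.GetBytes(
            "user=" + Uri.EscapeDataString(userName) +
            "&pass=" + Uri.EscapeDataString(password));
        request.ContentLength = body.Length;
        using (Stream s = request.GetRequestStream())
            s.Write(body, 0, body.Length);

        using (var response = (HttpWebResponse)request.GetResponse())
        using (var reader = new StreamReader(response.GetResponseStream()))
            return reader.ReadToEnd();
    }
}
```

Because the check compares a thumbprint rather than walking a CA chain, a mis-issued certificate of the kind in Jon's footnote is useless to the attacker for this host. The complication Jon mentions is real: every time the server certificate is reissued the thumbprint changes, so you need to ship an app update (or pin a longer-lived intermediate or your own private root) before the old one expires, or the app locks itself out of its own service.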