Agreed they can't see the original parameters, but can't they replay the same encrypted data and make the server believe that the request came from a genuine client? If the server, through some mechanism, is able to validate that the client possesses the original Key and IV before sending the XML data, then your purpose is solved.
-Sandeep

On Wed, May 18, 2011 at 3:57 PM, G S <stokest...@gmail.com> wrote:
>> I'm probably being obtuse here, but I don't see how encrypting your
>> request with a public key would help you with your original problem.
>>
>> What stops a rogue app from doing the same encryption?
>>
>
> They can't see what the parameters are. So what are they going to encrypt?
>
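To make the replay concern concrete, here is an added example (not code from anyone in this thread) of the server-side check Sandeep describes: the client proves it holds the key without revealing it, and the server refuses a second copy of the same request. It assumes a symmetric key shared between the genuine client and the server (the thread talks about a Key/IV pair and about public-key encryption; the HMAC construction, the nonce/timestamp fields, the five-minute window and the sample key are all assumptions of this example, not details from the thread). A replayed request carries a valid MAC but a nonce the server has already accepted, so it is rejected; a request with a modified body fails the MAC check; a request outside the freshness window is dropped, which also bounds how many nonces the server must remember.

```python
import hashlib
import hmac
import os
import time

# Constructed sample key for the demonstration only.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
FRESHNESS_WINDOW = 300  # seconds a request stays acceptable (assumption)


def _mac(key, nonce, ts, body):
    # Bind nonce, timestamp and body together under the shared key.
    msg = f"{nonce}|{ts}|".encode() + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_request(body, key=SHARED_KEY, now=None):
    """Client side: attach a random nonce, a timestamp and a MAC.

    The MAC demonstrates possession of the key without exposing it;
    the nonce makes every request unique so the server can spot copies.
    """
    ts = int(now if now is not None else time.time())
    nonce = os.urandom(16).hex()
    return {
        "nonce": nonce,
        "ts": ts,
        "body": body.decode(),
        "mac": _mac(key, nonce, ts, body),
    }


class ReplayGuard:
    """Server side: verify the MAC, enforce freshness, reject seen nonces."""

    def __init__(self, key=SHARED_KEY, window=FRESHNESS_WINDOW):
        self.key = key
        self.window = window
        self.seen = {}  # nonce -> timestamp of the accepted request

    def _purge(self, now):
        # Nonces older than the window can no longer pass the freshness
        # check, so they need not be remembered any longer.
        cutoff = now - self.window
        for nonce in [n for n, ts in self.seen.items() if ts < cutoff]:
            del self.seen[nonce]

    def verify(self, req, now=None):
        """Return (accepted, reason) for an incoming request dict."""
        now = now if now is not None else time.time()
        expected = _mac(self.key, req["nonce"], req["ts"], req["body"].encode())
        # Constant-time comparison: proves the sender holds the key and
        # that nonce, timestamp and body were not altered in transit.
        if not hmac.compare_digest(expected, req["mac"]):
            return False, "bad mac"
        if abs(now - req["ts"]) > self.window:
            return False, "stale"
        self._purge(now)
        if req["nonce"] in self.seen:
            return False, "replay"
        self.seen[req["nonce"]] = req["ts"]
        return True, "ok"


def demo():
    """Walk through the genuine, replayed, tampered and stale cases."""
    guard = ReplayGuard()
    req = build_request(b"<order id='1'/>", now=1000)
    first = guard.verify(req, now=1001)        # genuine request
    second = guard.verify(req, now=1002)       # identical copy sent again
    forged = dict(req, body="<order id='2'/>")
    third = guard.verify(forged, now=1003)     # body changed, MAC no longer matches
    fourth = guard.verify(build_request(b"x", now=1000), now=2000)  # too old
    return first, second, third, fourth


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The guard only detects a verbatim copy; it does not stop a rogue app that has extracted the shared key from the genuine client, which is the separate problem the quoted exchange raises. Keeping the nonce store bounded by the freshness window is what makes this practical on a busy server.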