Limit access to webservice to my app only

Mark B

Does anyone know if there is a standard way to limit access to a webservice
(e.g. WsGetAccountBalance) to my C# application only?

Currently my webservice requests username and password for the particular
account but that doesn't stop someone else from creating an app that also
uses that username and password. I just want my app to be able to use the
webservice.

I could hard-code an access string "H53TKJNERVROIJVNBNEFVNB4920525350" into
my app to match with the webservice but I don't know if that is attackable.
I am using HTTPS.
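The question above, whether a hard-coded access string is attackable, can be checked against your own build. This is an added example, not code from the thread: a Python release check that scans a binary's bytes for long key-like literals in ASCII and in UTF-16LE, the encoding .NET uses for C# string literals. The sample bytes, the 24-character threshold and the letters-plus-digits heuristic are assumptions.

```python
import re

MIN_LEN = 24  # assumption: shorter alphanumeric runs are treated as noise

# .NET keeps C# string literals in the assembly's #US heap as UTF-16LE, so an
# ASCII-only pass misses them; scan the raw bytes for both encodings.
ASCII_RUN = re.compile(rb"[A-Za-z0-9]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[A-Za-z0-9]\x00){%d,}" % MIN_LEN)


def looks_like_token(text):
    """Heuristic (assumption): key-like literals mix letters and digits."""
    return any(c.isdigit() for c in text) and any(c.isalpha() for c in text)


def find_embedded_tokens(blob):
    """Return sorted (offset, encoding, text) for each key-like literal."""
    hits = []
    for pattern, encoding in ((UTF16_RUN, "utf-16-le"), (ASCII_RUN, "ascii")):
        for match in pattern.finditer(blob):
            text = match.group().decode(encoding)
            if looks_like_token(text):
                hits.append((match.start(), encoding, text))
    return sorted(hits)


# Constructed sample, not a real assembly: filler bytes, a UTF-8 method name,
# and the access string from the post stored the way a C# literal would be.
ACCESS_STRING = "H53TKJNERVROIJVNBNEFVNB4920525350"
SAMPLE_ASSEMBLY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"WsGetAccountBalance\x00"
    + b"\xff\xfe\x01\x02"
    + ACCESS_STRING.encode("utf-16-le") + b"\x00"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for offset, encoding, text in find_embedded_tokens(SAMPLE_ASSEMBLY):
        print(f"offset {offset:#06x} [{encoding}] {text}")
```

A hit means the string ships in readable form to everyone who has the binary, so it cannot distinguish your app from any other client.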
 
Gregory A. Beamer

One way is to set up X.509 certificates. If the cert is only issued to your
application, nobody can get in.

If this app is sent to clients, you will want to have some form of sign up
for the user to get their own certificate to hit the service. If internal,
you can determine if you need individual certs or not.
 
Mark B

I'm not sure I understand.

What I am trying to guard against is legitimate users (e.g. in the scenario
you mentioned, ones that downloaded my C# app and also 'signed up' for a
certificate) from using my app and then after a while deciding they'd write
their own app and use their valid credentials (and now certificate) to
access the webservice.
 
