Saturday, 17 January 2015

Is a REST webservice without any authentication or authorization insecure?



There is a REST-based webservice that has no authentication or authorization whatsoever - anyone who knows the URL of a particular method of this webservice can use it.


However, the URLs of the methods are not exposed to the public (for example, there is no public documentation that enumerates the API methods, or anything like that). The only place the webservice is accessed from is an Android application that, obviously, needs to know the URLs in order to use the webservice (they are hardcoded in it). The app is not published in any public app store and is only distributed internally.


Is there a way for a potential attacker to access the webservice outside of the Android app? Of course, one obvious way would be to somehow get hold of the app, decompile it and find out what the URLs are; are there any other realistic ways besides that?


The webservice in question really exists. Right now I only have a feeling that the whole setup is a recipe for disaster - I need some concrete examples to be able to convince my boss that we really need to improve the situation somehow.
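The "get hold of the app and decompile it" route the question mentions is cheaper than it sounds. An APK is a zip archive, and string constants in `classes.dex` (and in `res/values/strings.xml`) are stored as plain (M)UTF-8, so the endpoint URLs can be pulled out with a pattern scan and no decompiler at all. The script below is an added example, not code from the original post; it builds a constructed stand-in APK in memory with hypothetical endpoints under `api.example.internal`, then scans every archive member for URL and REST-path literals the way an attacker who obtained the internal build would.

```python
import io
import re
import sys
import zipfile

# URL literals (scheme + host + optional path) and bare REST-style paths such as
# "/v1/users". Byte patterns, because DEX bytecode and binary XML are scanned raw.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%\[\]-]+")
PATH_RE = re.compile(rb"(?<![A-Za-z0-9])/(?:api|v\d+|rest)/[A-Za-z0-9._/%-]+")


def dex_string(s: bytes) -> bytes:
    """Encode one DEX string_data_item: ULEB128 length (one byte for < 128),
    the (M)UTF-8 payload, then a NUL terminator. ASCII only, so byte length
    equals the UTF-16 unit count the format expects."""
    return bytes([len(s)]) + s + b"\x00"


def build_fake_apk() -> bytes:
    """Constructed sample APK (a zip) with URL literals buried in binary members.
    The hostname and paths are hypothetical; the DEX header is a stub."""
    dex = (
        b"dex\n035\x00" + b"\x00" * 64
        + dex_string(b"https://api.example.internal/v1/orders")  # hypothetical
        + dex_string(b"/v1/users")
        + dex_string(b"/v1/users/%d")
        + dex_string(b"Lcom/example/app/Api;")  # a class descriptor, not an endpoint
        + b"\xff" * 32
    )
    strings_xml = (b'<resources><string name="base_url">'
                   b"https://api.example.internal</string></resources>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", dex)
        z.writestr("res/values/strings.xml", strings_xml)
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML stub
    return buf.getvalue()


def extract_endpoints(apk_bytes: bytes) -> dict:
    """Return {archive member: sorted URL/path literals found in it}.
    Members with no hits are omitted."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            hits = set(URL_RE.findall(data)) | set(PATH_RE.findall(data))
            if hits:
                found[name] = sorted(h.decode("utf-8", "replace") for h in hits)
    return found


if __name__ == "__main__":
    # Scan a real APK given on the command line, or the constructed sample.
    apk = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_apk()
    for member, literals in extract_endpoints(apk).items():
        print(member)
        for lit in literals:
            print("   ", lit)
```

Run against the constructed sample, the scan recovers the full `https://api.example.internal/v1/orders` URL plus the `/v1/users` and `/v1/users/%d` path templates from `classes.dex`, and the base URL from `strings.xml`, while ignoring the class descriptor. Against a real build the same scan is what `strings classes.dex | grep http` does, so "nobody outside the company has the URLs" only holds as long as nobody ever copies an APK off a device, which is not a control. The second realistic route the question asks about is the network itself: the app has to send the URL in every request, so anyone on the same Wi-Fi, a proxy the device trusts, or the server's own access logs sees it in the clear, and a plain-HTTP endpoint gives it away to every hop in between.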




