How to make a public web service API private?

As a starting point you could disable the WSDL publication. This way only clients that already have generated a proxy will be able to discover and use the web service. Of course the service would still be public and anyone who knows how to properly format a SOAP request would be able to call it. A second step would consist in introducing security (private keys, HTTPS, client certificates, etc.) so that only trusted clients could consume the service.


The first suggestion is OK: stop WSDL publication, if you use this at all.

But basically you have to implement an authentication/authorization mechanism for your application. There should be a login method that:

  1. checks credentials - login/password
  2. checks HTTP request agent settings - if it is a mobile device

If the two requirements match, you authorize this request (by cookie, for instance), or return an authorization token, which will be input for all API methods. If the token is OK, the API method works; if not, it returns 404, for instance.
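
The login-then-token flow from the answer above, as an added example that is not part of either answer: the token is an HMAC-signed `user|expiry` pair, so API methods can reject forged or expired tokens without a session store. All names, the key, the account, the 15-minute lifetime and the `"Mobile"` substring test are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-key"  # assumption: loaded from server-side config in practice
TOKEN_TTL = 900                       # assumption: tokens live 15 minutes
SALT = b"constructed-salt"            # constructed; use a random per-user salt in practice

def _pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"alice": _pw_hash("constructed-password")}  # constructed sample account

def _sign(payload):
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

def login(user, password, user_agent, now=None):
    """Steps 1 and 2 of the answer: returns a token, or None if either check fails."""
    now = int(time.time()) if now is None else now
    # Hash is always computed, so unknown users take as long as wrong passwords.
    ok_pw = hmac.compare_digest(USERS.get(user, b""), _pw_hash(password))
    # User-Agent is chosen by the client, so this only filters traffic;
    # the credential check and the signed token are what carry trust.
    ok_agent = "Mobile" in user_agent  # hypothetical "is it a mobile device" test
    if not (ok_pw and ok_agent):
        return None
    payload = f"{user}|{now + TOKEN_TTL}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def verify_token(token, now=None):
    """Returns the user name for an authentic, unexpired token, else None."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        payload = base64.urlsafe_b64decode(body.encode())
        if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
            return None  # signature checked before the payload is parsed
        user, expires = payload.decode().split("|")
        return user if now < int(expires) else None
    except (ValueError, AttributeError):
        return None      # malformed or missing token

def api_method(token, now=None):
    """An API method that takes the token as input, as the answer describes."""
    user = verify_token(token, now)
    if user is None:
        return 404, ""   # status taken from the answer; 401 is the conventional choice
    return 200, f"hello {user}"
```
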