First, my sincere apologies for asking a newbie security question. This is my first real foray into the world of online security and I'm kind of lost.
I am in the process of developing an Android app and an accompanying website which both require the users to log in to be able to use the services my web servers provide. The services are all written in a session-less fashion, meaning authenticated requests (requests requiring user credentials) all need to provide their accompanying security tokens to function and that every authenticated request first has to validate the user's credentials.
How I've developed such an architecture is to have the users log in using email and password. This information is sent to an authentication server via SSL and an authentication token (an independent hash to the password hash) is provided. This token is then stored on the client (cookies for website and private shared preferences in Android). For all future calls, unless the user logs out, this token is valid and can be used to authenticate the user. Each device (different Android devices or web clients) also gets its own independent token so that the authentication token is a pair of hashed token + device id.
In addition, I would like to avoid using SSL for every authenticated call. Ideally I would like only the initial authentication (with the email/password) to be encrypted and the rest of the calls to go via HTTP using the authentication token that was obtained when the user signed in. My reason for this avoidance is the triple handshake cost and that maintaining persistent or long-lived connections is not preferred.
Not using SSL, however, leaves me open to a man-in-the-middle attack (MIM). If anyone intercepts the calls and gets a hold of the [device id + authentication token], for all intents and purposes, they will be able to impersonate the user and have access to everything the user can access until the user logs out, at which point the token will be invalidated.
I know my implementation doesn't handle MIM attacks, so I was wondering if you could suggest another way to implement this that doesn't include SSL for each and every call and yet avoids MIM attacks.
In short, my requirements are:
- Do not maintain sessions on the server
- Use SSL only for initial login (email/password pair)
- Do not use SSL for subsequent calls that provide authentication token and device id
- Somehow avoid MIM attacks if possible (this is the real requirement)
Is it at all possible to have all 4 of these requirements together? Can I avoid using SSL connections and still maintain secure, session-less servers? Where am I going wrong with my implementation and how can I avoid issues with MIM attacks?
Many thanks in advance and apologies if this is a duplicate. I couldn't find the answer anywhere. Perhaps I was searching for the wrong thing. If so, please let me know and I'll close/remove the question.
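
A minimal sketch of the per-device token scheme described in the question, added here as an illustration and not the asker's code. The `TokenStore` class, its in-memory table, the random token format, and the sample email and device ids are all assumptions. It shows that the server can only check possession of the [device id + token] pair, so a copy of that pair validates exactly like the original until logout.

```python
import hashlib
import hmac
import secrets


class TokenStore:
    """Assumed server-side table: device_id -> (email, SHA-256 of token)."""

    def __init__(self):
        self._rows = {}

    def issue(self, email, device_id):
        # Runs only after the email/password check succeeded over SSL.
        token = secrets.token_urlsafe(32)  # random, unrelated to the password
        digest = hashlib.sha256(token.encode()).digest()
        self._rows[device_id] = (email, digest)
        return token  # the client stores this (cookie / shared preferences)

    def validate(self, device_id, token):
        # Runs on every authenticated request; returns the email or None.
        row = self._rows.get(device_id)
        if row is None:
            return None
        email, digest = row
        presented = hashlib.sha256(token.encode()).digest()
        return email if hmac.compare_digest(digest, presented) else None

    def logout(self, device_id):
        self._rows.pop(device_id, None)


def demo():
    store = TokenStore()
    user = "alice@example.test"  # constructed sample values
    phone_token = store.issue(user, "device-A")
    web_token = store.issue(user, "device-B")
    # What appears in a plaintext HTTP request from the phone:
    on_the_wire = ("device-A", phone_token)
    out = {
        "owner": store.validate("device-A", phone_token),
        "wrong_device": store.validate("device-B", phone_token),
        "copied_pair": store.validate(*on_the_wire),
    }
    store.logout("device-A")
    out["copied_pair_after_logout"] = store.validate(*on_the_wire)
    out["other_device_after_logout"] = store.validate("device-B", web_token)
    return out


if __name__ == "__main__":
    print(demo())
```

Binding the token to a device id stops a token from being used under a different device id, but it does nothing for a pair that is copied together, and logging out one device leaves the other device's token valid.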