Android Question Best way to protect your app?

ilan

Expert
Licensed User
Longtime User
hi

I have developed many apps until today that make GET requests to a MySQL DB on shared hosting, and I realized that many times the data in my SQL DB does not come from my app.
For example, I have a score system that gives the user points in steps of 5, like 5 points for each correct answer, so the number in my DB must be divisible by 5, but I can find scores like 99999999 or really weird numbers, so the only explanation is that people hack the DB. And the funny thing is that it is super easy to do.
All you need to do is download the APK, open it with 7zip, go to classes.dex and start searching for the URL, table name, ... You can find it very easily and then use any browser and put in the correct URL to upload data to the DB.

So my question is: how can I make my app more secure?

thanx
 

aeric

Expert
Licensed User
Longtime User
Do you put the URL variable in Process_Globals sub and compile with Obfuscation?
But now the URL is known, you need to implement different ways.

Why doesn't the app send the count of correct answers and do the calculation of points on the server? If the maximum number of questions is 10, then 9999... is not valid and must be rejected. You can validate the value posted by the app first before updating the database on the server.

Another easier way to stop values from a web browser is using the POST method instead of GET, unless the user uses software like Postman.

You can also implement other security measures such as API keys and tokens.

I believe you are also keeping track of the user id who makes the updates. Ban these users.
 
Upvote 0

ilan

Expert
Licensed User
Longtime User
thanks for the reply @aeric

Do you put the URL variable in Process_Globals sub and compile with Obfuscation?

I never compile in Obfuscation mode.

It was just an example, but the question is how can I prevent the user from reading the URL and endpoints of my SQL DB that can be found with minimal effort in my APK code.

Another easier way to stop values from a web browser is using the POST method instead of GET, unless the user uses software like Postman.
As you already mentioned, it is very simple to perform a POST request using Postman or any other free app.

You can also implement other security measures such as API keys and tokens.

A token will not prevent the user from hacking the DB. He can sign and use his token and perform a POST request from outside the app using fake values.

I believe you are also keeping track of the user id who makes the updates. Ban these users.
No I don't; I think it would take too much effort to start hunting those users. It would make more sense to put that effort into making my app more secure.

The real question is how I can hide or encrypt my API endpoints inside my app so they are not readable. If I used my own server application I would have much more control, but because it is shared hosting and I have to use PHP to communicate with the MySQL DB, I need to find a way to keep my endpoint addresses encrypted inside my app.
 
Upvote 0

Alexander Stolte

Expert
Licensed User
Longtime User
but the question is how can I prevent the user from reading the URL and endpoints of my SQL DB that can be found with minimal effort in my APK code.
put the URL variable in Process_Globals sub and compile with Obfuscation
your answer
 
Upvote 0

aeric

Expert
Licensed User
Longtime User
But now the URL is known, you need to implement different ways.

If I were you, at this point having started not to trust (some) of the users who are going to cheat, I would not accept the points evaluated in the app; instead the app would send the answers, which are not yet evaluated, to the server to have them verified.

I can use the app to send the answers chosen by the users in a list (by JSON).
The server is the checker.
So the points are calculated in the backend, the user cannot manipulate the points.
 
Upvote 0
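As an added illustration of aeric's two suggestions above (send the answers, not the points, and validate before touching the database), here is a PHP handler that is not code from the thread; the table name tblScores, the answer key and the database credentials are placeholders I assumed.

```php
<?php
// Added example, not code from the thread: server-side scoring as aeric
// describes. The app posts only the chosen answers; the answer key and the
// point calculation live on the server, so a client cannot post "99999999".
declare(strict_types=1);
const POINTS_PER_CORRECT = 5;
// Answer key stays on the server. Constructed sample data; in a real
// deployment it would be loaded from the database.
const ANSWER_KEY = [1 => 'b', 2 => 'a', 3 => 'd', 4 => 'c'];

// Returns the points for the submitted answers, or null when the payload is
// malformed (not an array, too many entries, unknown question id, non-string choice).
function score_answers(mixed $submitted, array $answerKey): ?int
{
    if (!is_array($submitted) || count($submitted) > count($answerKey)) {
        return null;
    }
    $correct = 0;
    foreach ($submitted as $qid => $choice) {
        if (!is_int($qid) || !isset($answerKey[$qid]) || !is_string($choice)) {
            return null;   // anything a legitimate app would never send is rejected
        }
        if ($choice === $answerKey[$qid]) {
            $correct++;
        }
    }
    return $correct * POINTS_PER_CORRECT;
}

// Prepared statement; $userId must come from the authenticated session, not the body.
function save_score(PDO $db, int $userId, int $points): void
{
    $stmt = $db->prepare('UPDATE tblScores SET score = score + :p WHERE user_id = :u');
    $stmt->execute([':p' => $points, ':u' => $userId]);
}

if (PHP_SAPI === 'cli') {
    // Offline demo with a constructed payload: question 3 answered wrongly.
    var_dump(score_answers(json_decode('{"1":"b","2":"a","3":"x","4":"c"}', true), ANSWER_KEY));
    var_dump(score_answers(['9' => 'a'], ANSWER_KEY));   // unknown question id, rejected
    exit;
}

$points = score_answers(json_decode((string) file_get_contents('php://input'), true), ANSWER_KEY);
if ($points === null) {
    http_response_code(400);
    echo json_encode(['status' => 'error', 'message' => 'invalid answers']);
    exit;
}
// $db = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER', 'DB_USER', 'DB_PASS');
// save_score($db, $authenticatedUserId, $points);   // $authenticatedUserId: from your session
echo json_encode(['status' => 'ok', 'points' => $points]);
```

Run it with `php score.php` to see the offline demo; served from the shared host it reads the posted JSON instead.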

ilan

Expert
Licensed User
Longtime User
Thanks @aeric, but it was just an example. I have different DB manipulations in different apps, so the real question is how to hide or encrypt the endpoints inside the app, and I will try to use the Obfuscation mode.
 
Upvote 0

ilan

Expert
Licensed User
Longtime User
Encryption would harden the process of manipulation. It won't prevent it but it will make it harder.
That should be enough for most cases. I don't think that I am dealing with hackers from governments. It is more like kids that are a little bit bored, so they won't invest too much time and effort to find the key to encrypt the data.
 
Upvote 0

mcqueccu

Well-Known Member
Licensed User
Longtime User
The best way, as Aeric pointed out, is to make sure you do all checks and validation on the server (backend). Even with encryption of the endpoint and obfuscation in the app, the URL and its payload can still be intercepted through a MITM attack.
 
Upvote 0

ilan

Expert
Licensed User
Longtime User
The best way, as Aeric pointed out, is to make sure you do all checks and validation on the server (backend). Even with encryption of the endpoint and obfuscation in the app, the URL and its payload can still be intercepted through a MITM attack.
Yes, I agree with that, but as I mentioned in my first post this is a hosting server and I only run a MySQL DB there; I cannot run applications, and this is why I am using PHP to connect with the DB. So what you are suggesting is doing all checks in the PHP file, but since I am very weak in PHP I will not put too much effort into it. I think the best way to go is, as aeric mentioned, putting all endpoint URLs in Process_Globals and compiling in Obfuscation mode.
thanx
 
Upvote 0

aeric

Expert
Licensed User
Longtime User
At the same time, learn PHP too
 
Upvote 0

watesoft

Active Member
Licensed User
Longtime User
There should be a lot of app protection companies online. I'm from China; at least on Chinese websites there are. If it's not a special request, use their free version; it should prevent normal cracking.
 
Upvote 0

mcqueccu

Well-Known Member
Licensed User
Longtime User
At the same time, learn PHP too
One thing that takes my time is server-side coding using PHP. It sometimes takes weeks to months for me to complete, as I still consider myself a beginner.

With ChatGPT I was able to set up a full app, with several pieces of code, in an hour. ChatGPT codes PHP excellently. I will rate it 100%.

Example: Assuming you need to create Registration system

Prompt: Create a registration system using PHP. I will receive input by POST method. The inputs are firstname, lastname, username, password. The inputs should be inserted into this table: tblUsers
--Code Generated--
Prompt: Modify the code, check if the username already exists; if it exists, return a JSON with status error, and message, username already exists.
--Code Generated--

**And you can always continue to modify and it will keep adding and recreating the login for you....**
 
Upvote 0

aeric

Expert
Licensed User
Longtime User
PHP is simple if using a simple MVC framework.

I just shared my PHP Quiz app here:
 
Upvote 0

RickV

Member
Licensed User
I always write a server app with a proprietary protocol for data transfer; the apps themselves are just dumb terminals that request info and respond with updated info. The DB server is always protected in this case behind firewalls. The server app handles authentication of the user or device or both.
 
Upvote 0

Addo

Well-Known Member
Licensed User
Longtime User
The endpoint URL can be captured using a packet capture. Doing everything on the server side is the best option, as other replies suggested.
 
Upvote 0

udg

Expert
Licensed User
Longtime User
Hi @ilan, if I understand it correctly, your app "talks" to some PHP code on the shared server where the DB is also residing.
Currently messages from the app contain the endpoints needed to perform DB-related operations like recording a score.
What if you don't transmit the endpoint at all?
I mean, your message would contain a "parameter" that the PHP code would interpret and convert to the required endpoint for that specific function.
Something like:
parameter 123
new score: 145
At this point your PHP substitutes the real endpoint for the 123 above. You could even encrypt the packet (param+score). This will be more challenging for the kids if what they do is just sniffing at packets.
BTW, if you want to be more "extravagant" you could automatically change the parameter (123 above) based on some algorithm burned in your app (e.g. something that depends on the current date). At that point, one has to decompile the app.
 
Upvote 0
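An added example, not from udg's post or any project, of the parameter scheme just described, including the date-based rotation; the shared key, the action names and the script file names are assumed placeholders.

```php
<?php
// Added example, not from the thread: udg's "send a parameter, not the endpoint"
// idea. The app posts an opaque code; this script resolves it to an action and
// includes the matching internal script. The code rotates daily from a key the
// app also holds, so this is obscurity only: the key is recoverable from the
// APK, and every internal script must still validate its input server-side.
declare(strict_types=1);
const ROTATION_KEY = 'REPLACE_WITH_KEY_SHARED_WITH_APP';   // placeholder value
// Logical actions and the server-side scripts that implement them. Only this
// table decides what gets included; nothing from the request is used as a path.
const ACTIONS = ['score' => 'record_score.php', 'profile' => 'update_profile.php'];

// Code for an action on a given UTC date; the app computes the same value.
function action_code(string $action, string $date, string $key): string
{
    return substr(hash_hmac('sha256', $action . '|' . $date, $key), 0, 8);
}

// Map a received code back to an action. Today's and yesterday's codes are
// accepted so clients just before or after midnight are not rejected.
function resolve_action(string $code, array $actions, string $key, int $now): ?string
{
    foreach ([0, 86400] as $back) {
        $date = gmdate('Y-m-d', $now - $back);
        foreach ($actions as $action) {
            if (hash_equals(action_code($action, $date, $key), $code)) {
                return $action;
            }
        }
    }
    return null;   // unknown, expired or forged code
}

if (PHP_SAPI === 'cli') {
    // Offline demo: a code computed as the app would, then resolved back; then a bogus one.
    $code = action_code('score', gmdate('Y-m-d'), ROTATION_KEY);
    var_dump(resolve_action($code, array_keys(ACTIONS), ROTATION_KEY, time()));
    var_dump(resolve_action('deadbeef', array_keys(ACTIONS), ROTATION_KEY, time()));
    exit;
}

$body = json_decode((string) file_get_contents('php://input'), true);
$param = is_array($body) ? (string) ($body['parameter'] ?? '') : '';
$action = resolve_action($param, array_keys(ACTIONS), ROTATION_KEY, time());
if ($action === null) {
    http_response_code(400);
    echo json_encode(['status' => 'error', 'message' => 'unknown parameter']);
    exit;
}
require __DIR__ . '/' . ACTIONS[$action];   // e.g. record_score.php validates and stores the score
```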

Alex_197

Well-Known Member
Licensed User
Longtime User
You can add an encrypted device id to your URL, then decrypt it on the server and check it against your database. Also you can add an encrypted username or user id.
 
Upvote 0