Android Question Know if your app is the genuine caller of php-, remoteSql or another?

[KMatle]

Hi guys,

is there a way to secure that your app is the only allowed caller of a php script or other procedures?

Situation: You hav an app which calls a php script on your server. One could disassemble your app and know the calls you are doing. After that he builds another app with the same calls.

I know how to make a login workflow which is very secure but I have no idea how to be sure that the sender is my app and not another.

Can the sign key be used to check this? Any other ideas?

 

[LucaMs]

I think you have the right idea, the sign key, what else?

 

[KMatle]

Did not find any threads here. Any example to get the key (plus x) by code to use it for authentification?

 

[Douglas Farias]

why dont send a key to your php
if key is correct allow user or no, on the app can you make a cript for this key

    Sub ExecuteRemoteQuery(query As String, JobName As String)
        Dim jobs As HttpJob
        jobs.Initialize(JobName, Me)
        jobs.PostString("http://www.lalala.com.br/query.php?pass=sadmwoidqwmeoije@#!@#!@#@", query)
    End Sub

    Sub checkemail
    ExecuteRemoteQuery("SELECT * FROM usuarios"  , resultjob)
    End Sub

you can make a hash of this key or cript
can you use
http://www.b4x.com/android/forum/th...efficient-key-value-data-store.26317/#content

for put your pass
PutEncyptedObject
GetEncryptedObject

 

[KMatle]

I could disassemble your app, extract the queries (or calls against xyz), put them in an own app and you are in big trouble As I said, I know how to manage users (login/registration). Then I can check in f.e. my php script if the user is logged in in every query. That should be save.

But: How do I check if the sender (I mean the app - not the user) if it's MY APP and not another. Stored passwords in the code won't help.

Maybe the sign key may be used to check (because It is crypted with a password). If yes, how can this be done?