Android Question Restrict access to my app only

tufanv

Expert
Licensed User
Longtime User
Hello,

My app is using an HTTP POST method to receive some information from a MySQL database via a PHP file. According to suggestions in past topics, I store the URL in Process_Globals and obfuscate it, also using HTTPS to hide the full URL in case of sniffing.

My question is, let's say someone found the URL. Can you suggest a way to check in the PHP or somewhere else that only if the request maker is my app it gives a response, else it does not?

I thought of sending the package name of the app, for example, with the HttpJob as well, but it is not a solution, as anybody can send my package name with the request.

I would be happy to hear suggestions.

Thanks.
 

KMatle

Expert
Licensed User
Longtime User
To protect a web service it's a good option to use

- a login (user ID/mail & password) = every user of your app has to sign on
- strong encryption methods
- additional parameters like IMEI (if available) or other keys to check if the caller is authorized
- two-factor authorization (like login AND additionally sending a code to the registered mail address)
- TAN lists (the list is generated when the customer creates an account), which can be stored on the device as an ADDITIONAL check when you need an automatic solution
- check multiple logins (via IP and login tries, block IPs and/or users -> send a mail that the user is blocked and some action is needed to activate the account again)

URL:

Use (at least) two URLs:

- one for the login (which is included in the app's code)
- the others come from the server after login and are kept in memory :)

It's all about storing "nothing" in your app and retrieving "everything" from your server
 

tufanv

Expert
Licensed User
Longtime User
To protect a web service it's a good option to use

- a login (user ID/mail & password) = every user of your app has to sign on
- strong encryption methods
- additional parameters like IMEI (if available) or other keys to check if the caller is authorized
- two-factor authorization (like login AND additionally sending a code to the registered mail address)
- TAN lists (the list is generated when the customer creates an account), which can be stored on the device as an ADDITIONAL check when you need an automatic solution
- check multiple logins (via IP and login tries, block IPs and/or users -> send a mail that the user is blocked and some action is needed to activate the account again)

URL:

Use (at least) two URLs:

- one for the login (which is included in the app's code)
- the others come from the server after login and are kept in memory :)

It's all about storing "nothing" in your app and retrieving "everything" from your server

Hello,

Thanks for the answer, but membership is not an option. This is a live finance app which shows the latest currency data. Nobody registers for these services.
Anyone with the link to my PHP can retrieve the latest data and use it for their own app. There must be another way, obviously, but I can't think of any other.
 

tufanv

Expert
Licensed User
Longtime User
There is no simple solution for this.

You can add some protection by adding a parameter that changes every day and is calculated by your program.
A friend of mine working in an app development company says that you have to buy an SSL certificate for your website, create a certificate for your mobile app and embed it in your mobile app. Later, if you authorize just that certificate, only the app with the certificate can pull the data.

I don't have any idea about these, but if this is possible I will search the internet about it?
 

sorex

Expert
Licensed User
Longtime User
the problem with certificates is that it costs a lot for what it is and you are bound to periods, so you'll need your users to install a new certificate every year or so.
 

Jmu5667

Well-Known Member
Licensed User
Longtime User
Maybe consider generating a daily key, let your app request the key from your HTTP service before the actual post, then make your HTTP POST request with the key the app obtained. When the server receives the key, you can validate it server side and either process the HTTP request or deny it.
 

tufanv

Expert
Licensed User
Longtime User
Maybe consider generating a daily key, let your app request the key from your HTTP service before the actual post, then make your HTTP POST request with the key the app obtained. When the server receives the key, you can validate it server side and either process the HTTP request or deny it.
Any app can request the key from the HTTP service, this is the problem. :/
 

Jmu5667

Well-Known Member
Licensed User
Longtime User
Fair point. Consider this.

1. The app generates a 6-digit PIN code. The PIN code is based on the current time.
2. You send the PIN code in, and allow a 30-second variation on the PIN code.
3. If the PIN code is within range, allow the request to be processed.
4. You can design your algorithm to generate the PIN code from the app name, IMEI etc.
 