We wanted to use cloud backend for storing Android app data.
Our backend RDBMS is famous MySQL server which comes with MySQL Connector/J (an Official MySQL Network JDBC Adapter which can connect to remote MySQL database).
Now the problem is we cannot use this MySQL Connector/J in Android as its not developed for android. So what we did is, we created a REST class with four rest methods /query, /insert, /update, /delete. All these methods takes JSON Object which is wrapping parameters of respective Android ContentProvider methods. /query rest method returns a tabular resultset data in JSON format.
Then we wrote Android ContentProvider which is acting as a proxy to call our above rest methods. ContentProvider.query() method calls /query rest method and converts the received resultset JSON into Cursor for returning it.
With this architecture our server code become generic without having any business logic. And our Android app is unaware of whether the data is coming from cloud server or local database. Practically all this is working fine.
So the question is how much secure this architecture is? from the hacking point of view. And what will be the impact on Android App performance? Please help us with your valuable comments/answers.
You not should connect directly from Android app to Database (MySQL), it will give you not good performance.
I recommend for you buid Webservice API which will connect to Database and fetch, hence from Android app connect and fetch data from Webservice.
I hope this helpful for you.
Anybody can decompile your code, find this service and if he breaks your service security he can do nasty things with your database. He can browse your database, steal data, corrup data .. Crackers are searching for SQL injection on web - and you are providing direct database access.
Do not do that. Create a service for each use case that will validate/escape parameters and then call prepared JDBC statement.
Related
I'm developing a desktop application in JavaFX with login system and some data that must be saved in a remote database. The question is: What it's the best way to stablish a database connection with each user with the server? Should I use a RESTful API or connect to database using the remote host just like if it was a local DB?
What kind of data are you looking to manipulate? Depending on exactly how much control you may need over the information (and how secure it must be?) if you don't need an absolutely synchronized view of the information (re: the server side app having a persistent connection to the client which is informed on change events and such) it may be best to just build up a RESTful API to do all of your grunt work between the two.
If you're coming to the RESTful api and also have to design it I suggest giving this a good read. Best Practices for a Pragmatic RESTful API
New to android programming and want to save basic student information in a database. What is the easiest and simplest way to store this data so it can be accessed by multiple devices remotely at any time? I know that android supports sqlite but this seems to be only locally on one device. Any ideas or suggestions?Eventually want to publish application on google play and want users to be able to see students names in their class for each class.
If you're not interested in setting up and maintaining a remote server, Firebase is fast, free to get started, and operates in realtime:
https://firebase.google.com/docs/database/
It seems you've answered your own question :) Place your relational database, such as MySQL, on a remote server. Create an API that performs CRUD operations on the database tables.
Then issue requests to the API in your android app: https://developer.android.com/training/volley/index.html
Yea you basically answered your own, I highly recommend using retrofit2 for android for http requests.You’ll use annotations to describe HTTP requests, URL parameter replacement and query parameter support is integrated by default. Additionally, it provides functionality for custom headers, multipart request body, file uploads and downloads, mocking responses and much more.
Here is great link to get started on your way to happy life:)
Ideally you would want to create your server to handle request and give responses, and android client for those request, if you are going the custom route you probably want a node.js server, or php server. You can even use socket.io to spice things up for real time communication, or maybe some notification system from firebase. Firebase is awesome, it handle all the aforementioned.
For the database portion if you decide not to use Firebase, please do not Raw SQLite you will have nightmares, use something like Realm it is NoSQL ,fast and easy to perform database transactions.
I'm trying to implement Microsoft Azure's db as my mobile app backend. I'm having a hard time finding comprehensive documentation. I do see that I can query a table this way:
mToDoTable.where().year("due").eq(2013).and().startsWith("text", "PRI0")
What I'd like to do is twofold:
create complex joins on tables or
send a parameter to a View or stored procedure that implements the complex join on the server side.
But I can't figure out how to do either.
There's a .parameter() method, but no indication of how I can catch that on the server to do anything useful.
I was looking in the wrong place. It may be possible to directly query the SQL database, but that involves bypassing a lot of security and isn't really what I wanted.
The answer I found was that after setting up the database (and views and stored procs) in the SQL databse section of Azure, go to the Mobile Services section and create new APIs that run javascript and can run any sql, including query parameters.
I found this link very helpful: http://tapanila.net/windows-azure-mobile-services-custom-api-for-existing-sql-database/
I'm developing an app for Android which needs data of my server. My doubt is:
Is it safe to make a query from android to mysql?
Because... I was thinking to obtain a JSON with a PHP file, but I believe this is slower method. So, now i'm trying to make a query to mysql server without any PHP file, putting the password and the user of data base in the android project.
I need to know if someone could decompile my app and see my credentials in java files.
Are there other methods?
More than "safe", there's not a native way to send data from Android to a MySQL server. The correct way is implementing a web-service that receives the query (for instance, via HTTP POST), then handles it, connects to the local (or remote) database and executes the requested query (and possibly returns the result if needed).
As far as security goes, this seems to be a totally different question, but in this kind of architecture it seems that a Asymmetric encryption algorithm is what best fits this kind of transactions, as you can hardcode/download each time you need the public key for encrypting messages and they'll be only decrypted by the server side using the private key.
Hardcoding credentials into your app is pretty much a bad idea, because if someone who has some knowledge about this subject, will try crack you app, and if your app manages some financial sensitive data, they actually will try triplify efforts.
How to securely share key between two remote devices?
How dangerous might be publishing a public key?
You should be aware that people can always get the db user and password from the application. This allows them to login and drop your tables in the database.
Therefore creating a small web service that will do it for you gives you more security, since you can decide what operations is allowed to perform to the database.
Using a RESTful (in your case)PHP framework is the way to go. You can then use data from JSON or XML in your application. This way is definitely not slower. You can use this framework:
http://www.slimframework.com/
Or whatever your are using right now.
I am looking for some guideance in terms of what database to use server(using servlets) side of my android application.
Further down the line i will setup a website that will need to access the information from with the database.
At the moment from what i know i can use hibernate for object mapping to RDBMS or i can use JDBC for interaction with a MySql Database.
Do you guys have any best practices for using either the above or a different system for interaction between servlet and database?
If you are looking to get started quickly, you could use AppInventor, but if you want to build a backend yourself I suggest Ruby on Rails(get ubuntu if you don't have it!). Its easy to learn, easy to install, and very user-friendly.
The server and database will be handled by the Ruby on Rails framework.
Android application just acts as a client that makes request and accepts response from a Server. Server could be written using Servelets / JSP, ASP or PHP. As far as I know it doesn't matter to android client which database server is used at the server side as far as client is getting the response from the server.