I have developed Restful Web-Service which returns jsonp objects. I am using this Web-Service in a Java (and sometimes in javascript for hybrid app) android app. Problem is anyone can access this Web-Service I have implemented. (So anyone can create an app and use my data). I want to make it secure by some kind of authentication. Please help me with some solution to secure Web-Service. maybe you suggest me I must use an user name and password like this:
http://www.example.com/jsonp.jsonp?username="test"&password="test"
you know any one can extract apk file and see it.
or maybe you suggest me check package name of app in remote server before allow.
but anyone can create same pakage-name and use that data...
In brief, How can a remote server trust an android app?
EDIT: language of server:php
Related
I had a problem generating client_web_id using the Google Login API and I researched it. What I found was to manually create a tag in strings.xml with the name default_web_client_id indicating the Web Client ID. Is it safe to put this information exposed be it in an XML or in a class? Is it dangerous someone discovered the web client id?
On the firebase, I noticed that there is two login configuration information: which are Web Client ID and the Password. Only the Web Client ID is in my source code.
Yes, it is safe to put the web client ID in your code. You can put it anywhere in your Android source actually. Because, if someone wants to get the web client id from your code, it can be done decompiling your APK file and accessing the class objects or strings.xml files.
If you do not have your web client password in your source code, then I think this is fine.
I have android app, that makes http request to get files on my server,
I had to migrate all my data to new server, but i still see many get requests on old server, which mean someone stole my links, or my app it self.
I'm currently using NGINX (I can change to Apache) to serve these files,
My question: Is there a way to allow accessing these files from only a single mobile app, based on package name for example ?
Currently, I'm serving files as hot link, example : www.xxx.com/abc.mp4
I read about setting a new user-agent in requests, so that i can allow/deny access based on that value, but if someone tries to reverse engineering my app and re-build it, he can use same user-agent.
So, Please advise if there is an optimal or better solution.
Thanks,
You could disable direct file access and expose some services that send files in their response. By this way you could add some logic to protect your files. I don't know if your app uses some authentication process, you may add some certificate or something else
I've write a google web-services based on java to encrypt and decrypt messages, just wondering if I deploy this project to app engine, how can I make sure my java classes are safely at the server side? Because there are secret keys inside code.
Do I need add some identification steps before can use the web-services?
It's as secure as any other hosted service - trusted people (Google admins) have access to servers and your compiled code. If you are not OK with that, you should run your own servers.
You may want to disable code download, in case your google account gets compromised.
Also, access to your Google account is an attack vector to get to AppEngine admin access, so make sure anybody with developer access to your GAE app has two-step authentication enabled.
Im developing a little serverside api to use with a java client (which i wrote too).
The api is written with jersey (RESTful) und running on a tomcat server. The data it provides is passed to the client as Json-String and all communication is performed via Http.
I now want to ensure that only my own client programm is able to access the api (At the moment, as its http, everyone could receive the json data via an ordinary browser). Therefor, im looking for a way to "identify" my clientside programm to the api with a key or something like that. I first thought about using the user-agent for identification, but this could easily be copied. So i need some kind of key which changes dynamically or something like that.
Whats a good way to do that?
I searched in the net but didnt find a proper answer (maybe wrong keywords?), so im happy for every hint and/or link about that topic.
Edit: The client side programm is an android app. I want to make sure noone is creating a similar app and use my server for his purpose.
If the attacker has a the client in his possession, there's almost no security that can't eventually be compromised.
A good start, that's fairly out of box is bi-directional SSL authentication (Client and Server certificates). This is supported out of the box and requires little code changes.
i am working on a app which should take data from a database on a server. it is a ms sql database. i need some help like little code hints or some useful information.
thank you!
1) Create some ASP, JSP, PHP pages which recieve some parameters and will operate over the database (for example: create page authenticate which will accept username and password parameters and will return true or false, to make it more simple)
2) On your Android application, you should use for example HttpClient to make request to authenticate page you have created(if you have a public domain if you you don't, you can install web server on your machine, connect your Android to USB port and access your webpage using following IP: 10.0.2.2)
This is was just a simple example when your responce will containt only true or false. I would advice you also to give a look at JSON or XML parsing libraries. So on web server you should return your data encoding it with JSON or XML(sure you can also create your own protocol, everythin is up to you) and on Android you should parse it using JSON or XML parsing libs.
ALTERNATIVE
1) Create web service and call web service from Android
Give a look at some tutorials like:
http://lukencode.com/2010/04/27/calling-web-services-in-android-using-httpclient/
http://kindohm.com/post/1097012742/androidhttpclientjson.html
Google more if it's still will be unclear for you.
Good luck ;)
Create scripts on your server to communicate between the database and your app, php scripts may be? Or if you are comfortable with SOAP/ASP.NET?