2

I want to start with a new project for Android and therefore I need a centralized database. As it is very easy to decompile java and get the database connection. For my project I need read/write access.

My idea was to create an API with php and query the websites from Android.

The problem I see it, that if someone knows the url of the API he can modify the database...

So my question is, how I can protect my php based API from unauthorized access?

glethien
  • 2,440
  • 2
  • 26
  • 36
  • 1
    Possible duplicate of [Web API Security](http://stackoverflow.com/questions/2066107/web-api-security) – Adi Jul 01 '12 at 18:55

2 Answers2

3

Look into request signing, or a pre-existing platform like oAuth.

Lusitanian
  • 11,012
  • 1
  • 41
  • 38
1

You can provide protections like OAuth or HTTP Signing wich is the easiest way but HTTP Signing is not really good here because it's too simple.

You can also use a private key known by the device like something hard coded in your app. But if someone find this password your protection is over.

You can also check the HTTP header to disable some User Agent but it can be change by the "hacker".

Gp2mv3
  • 1,435
  • 20
  • 33