4

I have a PHP file that queries my database and then returns information in XML format back to my application. Right now, if I just go to the URL in the browser and put in the proper parameters in the URL, the information is shown right to me. Is there a way that I can make the PHP page ONLY accessible through the application (iOS and Android)? I have searched, and the only thing that I can find is making the page only accessible through includes, but I don't see how this would restrict the access if the person figured out the PHP page that included the file. Any suggestions are appreciated!

Thanks

Matthew Ebert
  • Why don't you just add a check at the start of the PHP file for that? http://code.google.com/p/php-mobile-detect/ – Peon Mar 13 '13 at 13:51
  • might be able to use the user-agent attribute but that could easily be spoofed – Mike M Mar 13 '13 at 13:52
  • @X.L.Ant — No. The question is about restricting to specific clients, not to other, local, PHP scripts. – Quentin Mar 13 '13 at 13:53
  • Oops, my bad. No unclose option? :/ – xlecoustillier Mar 13 '13 at 13:55
  • I don't understand how I would check for that? Since Android apps can be stripped down to their code, that would make any sort of password check invalid. Plus, I don't see how if I restricted access to the file like in the "possible duplicate" that it would be able to access it in the applications. – Matthew Ebert Mar 13 '13 at 13:55
  • You should just use some sort of hash security, effectively a password that must be provided in order for the script to run, only provide this password when accessing through your client side program. – EM-Creations Mar 13 '13 at 13:59
  • @MattEbert94 - how did you manage this situation? I too am looking to lock down my PHP API so that ONLY my mobile app can access it via HTTPS. I was trying to manipulate .htaccess to include the app widget ID "com.myappname" or something, but to my knowledge "Allow from com.myappname" won't work, it would have to be a real domain like "myappname.com". – rolinger Feb 11 '17 at 14:05

3 Answers

1

Almost any restriction you put on it will essentially come down to "Put something in the request that only the application will send".

The basic approach would be "Keep the URL secret". If only the application knows about it, then only the application can make a request to it. Anything else (passwords, API keys, custom HTTP headers, user-agent sniffing, etc) is just complexity around the same concept.

Making the request over HTTPS instead of HTTP will protect the secret from exposure to sniffing.

Nothing can save you from decompilation though.

Quentin
  • Anyone can listen to app network requests and get the link; also they can use the "man in the middle" technique to get the sent parameters even if the HTTPS protocol is used. – Husam Apr 21 '17 at 17:12
0

You could add a custom http header in your client request inside your app with a challenge code. Your script detects the header and verifies the challenge. If the verification is passed, you execute the script, otherwise you return a 403 Forbidden.

Ghigo
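The two answers above describe the same mechanism: Quentin's "put something in the request that only the application will send", and Ghigo's concrete form of it, a custom HTTP header carrying a challenge that the PHP script verifies before running, answering 403 otherwise. The following is an added example of that check, written for this page and not code from either answerer. It assumes a header named X-App-Auth, a shared secret compiled into the app (APP_SECRET), and a five-minute timestamp window; the request samples at the bottom are constructed for the offline demo. The secret is an HMAC key rather than a bare password, so the header also covers the method, path, query string and body, which means a captured value cannot be replayed against a different id and, with the nonce cache, cannot be replayed at all. It does not change Quentin's last point: someone who decompiles the app still gets the secret.

```php
<?php
// Added example (not from the original thread): HMAC-signed request check for a PHP API
// endpoint. The app sends X-App-Auth: ts=<unix time>;nonce=<random>;mac=<hmac-sha256>.
// The server recomputes the MAC over the same canonical string and rejects mismatches.
// Header name, APP_SECRET and the sample requests below are assumptions for illustration.

declare(strict_types=1);

// Shared secret: load from config in real code. A decompiled APK/IPA can still recover
// whatever the app embeds, so this raises the bar rather than making the URL app-only.
const APP_SECRET = 'replace-with-a-long-random-secret';
const MAX_SKEW_SECONDS = 300;   // reject timestamps more than 5 minutes off

/** Canonical string both sides sign: method, path, sorted query, body hash, ts, nonce. */
function canonical_string(string $method, string $path, array $query, string $body, int $ts, string $nonce): string
{
    ksort($query);   // parameter order must not matter
    return implode("\n", [
        strtoupper($method),
        $path,
        http_build_query($query),
        hash('sha256', $body),
        (string) $ts,
        $nonce,
    ]);
}

/** What the mobile client does: build the X-App-Auth header value. */
function sign_request(string $method, string $path, array $query, string $body, int $ts, string $nonce, string $secret = APP_SECRET): string
{
    $mac = hash_hmac('sha256', canonical_string($method, $path, $query, $body, $ts, $nonce), $secret);
    return "ts=$ts;nonce=$nonce;mac=$mac";
}

/**
 * What the PHP endpoint does before it touches the database.
 * $seenNonces is the replay cache (APCu/Redis/DB with expiry in production; an array here).
 * Returns null when the request is acceptable, otherwise the reason for the 403.
 */
function verify_request(string $method, string $path, array $query, string $body, ?string $header, array &$seenNonces, int $now, string $secret = APP_SECRET): ?string
{
    if ($header === null || !preg_match('/^ts=(\d+);nonce=([A-Za-z0-9_-]{16,64});mac=([a-f0-9]{64})$/', $header, $m)) {
        return 'missing or malformed auth header';
    }
    $ts    = (int) $m[1];
    $nonce = $m[2];
    $mac   = $m[3];
    if (abs($now - $ts) > MAX_SKEW_SECONDS) {
        return 'timestamp outside allowed window';
    }
    if (isset($seenNonces[$nonce])) {
        return 'nonce already used (replay)';
    }
    $expected = hash_hmac('sha256', canonical_string($method, $path, $query, $body, $ts, $nonce), $secret);
    // hash_equals() compares in constant time; a plain == leaks timing information.
    if (!hash_equals($expected, $mac)) {
        return 'bad signature';
    }
    $seenNonces[$nonce] = $ts;
    return null;
}

/** Glue for the real endpoint: read the request from the superglobals, 403 on failure. */
function require_app_auth(array &$seenNonces): void
{
    $path   = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
    $body   = file_get_contents('php://input') ?: '';
    $reason = verify_request($_SERVER['REQUEST_METHOD'] ?? 'GET', $path, $_GET, $body,
                             $_SERVER['HTTP_X_APP_AUTH'] ?? null, $seenNonces, time());
    if ($reason !== null) {
        http_response_code(403);
        header('Content-Type: text/plain');
        exit("Forbidden: $reason\n");
    }
}

// Offline demonstration (php this_file.php): constructed requests, no web server needed.
if (PHP_SAPI === 'cli') {
    $seen  = [];
    $now   = 1700000000;
    $nonce = bin2hex(random_bytes(16));
    $query = ['id' => '42', 'format' => 'xml'];

    // 1. A request signed by the app is accepted.
    $hdr = sign_request('GET', '/api/data.php', $query, '', $now, $nonce);
    var_dump(verify_request('GET', '/api/data.php', $query, '', $hdr, $seen, $now));

    // 2. Replaying the captured header is rejected by the nonce cache.
    var_dump(verify_request('GET', '/api/data.php', $query, '', $hdr, $seen, $now));

    // 3. Typing the URL into a browser (no header at all) is rejected.
    var_dump(verify_request('GET', '/api/data.php', $query, '', null, $seen, $now));

    // 4. Changing a query parameter after signing is rejected.
    $hdr2 = sign_request('GET', '/api/data.php', $query, '', $now, bin2hex(random_bytes(16)));
    var_dump(verify_request('GET', '/api/data.php', ['id' => '43', 'format' => 'xml'], '', $hdr2, $seen, $now));
}
```

In the real data.php you would call require_app_auth() at the top, before the database query, and serve the header-less browser request with 403 exactly as Ghigo suggests. Serve it over HTTPS only, as Quentin notes, so the header cannot be read off the wire; the timestamp and nonce limit what an attacker can do with a value captured through a proxy or by decompiling the app, but the secret itself is still in the attacker's hands once the app is unpacked.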
0

Rather not. In fact, everyone can insert false data in his browser information, and you wouldn't find out whether this is Microsoft Internet Explorer on Windows 95 or Chrome on an Android phone.

You may try to block by IP number, but this does not block the application, only the user.

The only idea I have is to use some user/password login things, which only your application would know, but it has its own security holes (like man-in-the-middle).

Voitcus