
My app has a registration form; it sends data to the server via HTTP headers.

I'm looking for the simplest way to secure my API to prevent registration URL injection by spammers.

For example, if you go to http://website.com/register.php?name=bla&email=bla@bla.bla

the script will add a new user automatically, because there is no secret key or security token to prevent URL injection.

Any idea how to make a security token in Android?

Noob

2 Answers


There isn't much you can do: if someone decompiles your code, he will find out the way you create your tokens and use that process to create fake tokens. Nevertheless, this will add one more level of protection, since not everybody is familiar with decompiling and reverse engineering an app.

You can't 100% secure your app from fake registrations, since the users don't have any credentials that you can check. Fake registrations are not that bad, since they cannot cause too much damage to you.

You can limit the damage from fake registrations:

  • delay every registration response by z seconds
  • don't allow more than x registrations per minute from the same IP
  • don't allow more than y registrations per minute

What I would suggest is to use HTTPS (HTTP is plain text) to protect the app-server communication, so no third party can get user data. This will encrypt URLs along with headers and content, so nobody will know what your app is sending and to which URL. Only decompiling the app can beat that.

gtsouk
  • Good idea, but if I have to switch to HTTPS I have to change the API HTTP request and it will take more time. I think I'll go with delaying registration. Thank you gtsouk – Noob May 03 '13 at 09:17
  • If you are using Apache, only a few configuration changes are required, no change in the server-side code. In Android the changes are minimal – gtsouk May 04 '13 at 17:52
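The three limits gtsouk lists (a fixed delay on every response, a per-IP cap per minute, a global cap per minute) as a server-side throttle. This is an added example, not code from the thread; the endpoint on the page is PHP, but the logic is language-neutral and is written here in Python. The class name, the sample traffic and the 429 status code are my choices.

```python
"""Added example (not code from the thread): server-side throttling of a
registration endpoint, implementing the three limits gtsouk listed."""
import time
from collections import defaultdict, deque


class RegistrationThrottle:
    """Sliding-window limiter for one endpoint.

    Every attempt, allowed or refused, is recorded, so a client that keeps
    hammering after being refused stays locked out until it backs off.
    """

    def __init__(self, per_ip_limit=3, global_limit=20, window_seconds=60,
                 clock=time.monotonic):
        self.per_ip_limit = per_ip_limit      # "x registrations per min from the same ip"
        self.global_limit = global_limit      # "y registrations per min" overall
        self.window = window_seconds
        self.clock = clock                    # injectable so tests can fake time
        self._per_ip = defaultdict(deque)     # ip -> timestamps inside the window
        self._all = deque()                   # all timestamps inside the window

    def _prune(self, stamps, now):
        # Drop timestamps that have fallen out of the sliding window.
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()

    def check(self, ip):
        """Return (allowed, reason) for one registration attempt from `ip`."""
        now = self.clock()
        self._prune(self._all, now)
        per_ip = self._per_ip[ip]
        self._prune(per_ip, now)
        self._all.append(now)
        per_ip.append(now)
        if len(self._all) > self.global_limit:
            return False, "global limit"
        if len(per_ip) > self.per_ip_limit:
            return False, "per-ip limit"
        return True, "ok"


def register(throttle, ip, delay_seconds, sleep=time.sleep):
    """Handle one request: apply the fixed delay ("z seconds") to every
    response, refused or not, so timing does not reveal which it was.
    Returns an HTTP-style status code."""
    allowed, _reason = throttle.check(ip)
    sleep(delay_seconds)
    return 200 if allowed else 429


# Constructed sample traffic for the demo: (seconds since start, client ip).
SAMPLE_ATTEMPTS = [
    (0, "10.0.0.1"), (1, "10.0.0.1"), (2, "10.0.0.1"),   # third from same ip
    (3, "10.0.0.2"), (4, "10.0.0.3"),                    # global window full
    (70, "10.0.0.1"),                                    # window has slid
]


def simulate(attempts, per_ip_limit=2, global_limit=3, window_seconds=60):
    """Replay `attempts` against a throttle driven by the listed timestamps
    and return the status code for each."""
    clock_values = iter(t for t, _ in attempts)
    throttle = RegistrationThrottle(per_ip_limit, global_limit, window_seconds,
                                    clock=lambda: next(clock_values))
    return [register(throttle, ip, 0, sleep=lambda _s: None) for _, ip in attempts]


if __name__ == "__main__":
    print(simulate(SAMPLE_ATTEMPTS))  # [200, 200, 429, 429, 429, 200]
```

The in-memory deques are enough for a single server process; behind a load balancer the counters would have to live in a shared store so the per-IP and global limits apply across all workers. Note that the per-IP limit is weak against clients sitting behind one NAT or coming from many addresses, which is why the global cap and the delay are kept as well.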

I would use a hash and include that in the url.

For example,

http://example.com/register.php?name=bla&email=bla@bla.bla&hash=XXXX

Where the XXXX is a function of a seed and the name and email.

How to SHA1 hash a string in Android? has information about how to do a SHA-1 hash.

Community
  • If someone cracks the app he will know the registration URL and ping it 1K times per minute; this will kill the SQL on the server. I was thinking about this, but it's a very bad idea. As @gtsouk said, delaying registration is the best idea for now, unless someone shares something useful. Thank you for sharing your idea +1 – Noob May 03 '13 at 09:20
  • I wouldn't say that "it's a very bad idea." Having a security token is a good primary filter technique to ensure that *most* don't get into your system. @gtsouk's idea is also good, but I would couple the ideas together. :) –  May 04 '13 at 00:50
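The hash-in-the-URL scheme from this answer, worked through on both sides. This is an added example, not code from the thread: the `hash=` parameter and `register.php` URL are taken from the answer, but the token is computed with HMAC-SHA256 over a server-held secret (the answer's "seed") rather than a bare SHA-1 of seed+name+email, and the server recomputes and compares it in constant time. The secret value, the function names and the sample name/email are constructed for the demo. As the comments note, any copy of the secret shipped inside the APK can be recovered by decompiling, so the token filters casual URL injection and is paired with the throttling from the other answer, not used instead of it.

```python
"""Added example (not from the thread): keyed registration token in the URL
and the matching server-side check."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed secret for the demo; a real one is generated with
# secrets.token_bytes(32) and kept on the server.
SHARED_SECRET = b"demo-secret-do-not-ship"


def canonical_message(name, email):
    """Length-prefix each field so that different (name, email) pairs can
    never produce the same byte string before hashing."""
    return f"{len(name)}:{name}\n{len(email)}:{email}".encode("utf-8")


def make_token(secret, name, email):
    """What the app computes before calling register.php (hex digest)."""
    return hmac.new(secret, canonical_message(name, email), hashlib.sha256).hexdigest()


def build_registration_url(secret, name, email,
                           base="http://example.com/register.php"):
    """Client side: append name, email and the hash= token to the URL."""
    query = urlencode({"name": name, "email": email,
                       "hash": make_token(secret, name, email)})
    return f"{base}?{query}"


def registration_is_valid(secret, url):
    """Server side: recompute the token from the submitted fields and
    compare in constant time. Missing or tampered fields fail."""
    params = parse_qs(urlsplit(url).query)
    try:
        name = params["name"][0]
        email = params["email"][0]
        token = params["hash"][0]
    except KeyError:
        return False
    expected = make_token(secret, name, email)
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    good = build_registration_url(SHARED_SECRET, "bla", "bla@bla.bla")
    print(good)
    print(registration_is_valid(SHARED_SECRET, good))                     # True
    tampered = good.replace("bla%40bla.bla", "evil%40x.y")
    print(registration_is_valid(SHARED_SECRET, tampered))                 # False
    print(registration_is_valid(SHARED_SECRET, good.split("&hash=")[0]))  # False
```

Two details matter for the server-side check: the fields are length-prefixed before hashing so the token is bound to the exact (name, email) pair rather than to their concatenation, and `hmac.compare_digest` is used instead of `==` so the comparison time does not depend on how many leading characters of a guessed token are correct.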