1

After having read a lot of topics, and questions on stackoverflow about how to access external databases (MySQL) through an Android app, my question is : How to make sure that only MY app will be able to retrieve data from that DB? It's all about security.

In order to access that DB, I intend to make a little PHP file on my server that will be used as an interface between my app and my DB. But, if anybody can see the URL used, then he will also be able to interact with my DB. So, how can I prevent that?

Thank you.

Romain Pellerin
  • 2,470
  • 3
  • 27
  • 36

2 Answers2

3

First of All I would recommend You to use HTTPS transfer protocol to be honest even self-signed certificate secured with secret (having special signs etc.) is a good protection.

Then You create web service on your server which validate this certificate (make sure you don't hard code certificate secret) and voila.

EDIT

Assuming You are talking about android I will provide You with keytool tutorial Here. I assume also that You are aware that You have to create custom HTTPS handler in order to put certificate in the request if You don't knew how to do it I can post it as soon as I came to home (I have my project on my private computer). Part with server-side certificate validation is Here

Community
  • 1
  • 1
Mithrand1r
  • 2,313
  • 9
  • 37
  • 76
  • Thanks for your help. Yes of course for HTTPS. Could you provide me a link/tutorial about serverside certificate validation please? What do you mean by "certificate secured with secret"? – Romain Pellerin May 13 '13 at 09:53
  • I mean that there are two types of certificates, 1. for the server validation (there is no need for providing any kind of additional information. Fact of being in possession of certificate signed by trusted entity is enough) 2. for the client (certificate which authenticate that client using the certificate is a client who is authorized to do so. And this is done by entering correct password which decrypt the private key) I will edit my answer to post some links – Mithrand1r May 13 '13 at 10:13
  • Thank you again. So, I need to create a self signed certificate using keytool, and then check the certificate. Yes please could you share some of your code? – Romain Pellerin May 13 '13 at 16:57
0

If your attacker is well motivated, then you can't restrict access to your database via your external API to only your app.

You can make it harder (for example by using a secret stored in your app which an attacker would have to extract; obfuscating your app; using Google's Play services; etc) and you can create deterrents (licencing that restricts use of your API), but fundamentally you need to be prepared for others to be able to send requests to your API that look like they came from your app.

What combination of methods are appropriate will depend on what the consequences of third party access are for you.

Twitter is an interesting case study in using licencing to control third party access to their API. There's nothing stopping someone creating a client that pretends to be the official client except the deterrent that if they get big enough for twitter to notice, they will come after them through legal channels.

Michael
  • 955
  • 4
  • 12
  • And what about Google Cloud Messaging? Would it be adapted to my case? – Romain Pellerin May 22 '13 at 17:42
  • GCM is now a part of Google Play Services, and is the same story - GCM will attempt to deliver messages to the identified app, but someone could run an app on a rooted phone that pretended to be your app. – Michael May 22 '13 at 18:48
  • Hum OK. So I'll search the best way to protect my API regarding your advice. Thank you for your help. I'll let you how I'll do. – Romain Pellerin May 22 '13 at 22:54