I have built a web app on CakePHP. I am sending data from Android to the web app through HttpPost in a JSON object. What I am doing right now is writing a URL in HttpPost like this:

    HttpPost post = new HttpPost("https://www.myweb.coom/test");

and in CakePHP I am retrieving the data by checking whether it is a POST request or not:

    if ($this->request->isPost()){}

But the problem is: how can I check whether the request is coming from my Android app and not from somebody else? Because at this time, if someone knows the URL, he can inject something into my DB or do something else. And by the way, I am using HTTPS, and there were some people saying that you don't need to do anything else as you are already using HTTPS, but I am not feeling satisfied. Also tell me: should I encrypt the data while sending it from Android and then decrypt it with a key? And if I should, then please tell me how I can do this.

hellosheikh
  • How "good" do you want your security to be? HTTPS is there to prevent data snooping while in transit and verify that the server you're talking to is indeed the correct server. But there's no way to tell if someone's sending a faked POST vs. one from your app. You can add various things to make it harder, but making it 100% impossible to fake a message from your app is 100% impossible. – Marc B Jun 24 '13 at 16:46
  • OK, thank you... but are there other ways to make it even better? Actually I am registering a user through an Android app and then sending to a web app, so I don't want anyone to hack the password, because the password coming from Android is not encrypted. After I receive the data, I encrypt it and save it to the database. – hellosheikh Jun 24 '13 at 16:52

1 Answer

Essentially, what you are creating with CakePHP is an API, or web service. What you want to do is secure the API so only you (or people who you choose) can execute requests.

To do this, you'll need some form of authentication. One way of doing this is using OAuth (http://oauth.net/). A simpler way would be to just have a secret 'token' as an additional POST parameter for each request.

e.g. in plain PHP:

    // MY_API_TOKEN is a constant holding the shared secret, defined in server-side config.
    $token = isset($_POST['API_token']) ? (string) $_POST['API_token'] : '';
    if (!hash_equals(MY_API_TOKEN, $token)) {   // constant-time comparison
        echo "Sorry, you must be authorized to use this API!";
        exit; // stop here, otherwise the rest of the request is still processed
    }

You mentioned that you are using HTTPS. That is great, but it only protects against snooping, IP spoofing, and issues of a similar sort.

element119
  • Thank you. I think this is exactly what I wanted, because when I typed the URL in the browser (the URL which I use in HttpPost), it doesn't do anything, nor can I show the error. So I think your solution is exactly what I needed. Thank you. Tomorrow I will test your solution and inform you about the output. – hellosheikh Jun 24 '13 at 17:00
  • How can I add an additional parameter into HttpPost in Android? Is it like this: HttpPost post = new HttpPost("https://www.myweb.coom/test",000111222); – hellosheikh Jun 24 '13 at 17:05
  • Please tell me step by step how OAuth can be used between CakePHP and Android. – hellosheikh Jun 24 '13 at 17:18
  • @hellosheikh This question (http://stackoverflow.com/questions/3288823/how-to-add-parameters-in-android-http-post) explains how to add parameters to HttpPost. – element119 Jun 24 '13 at 17:23
  • In terms of OAuth, I'd do some Googling to find out how you'd like to implement auth on CakePHP/Android; there are tons of examples. – element119 Jun 24 '13 at 17:24
  • @hellosheikh make sure your token is private! Because, if I know the token, what is the point of having that token after all? Have a look at [this](http://stackoverflow.com/a/11422866/1110760) answer as well. It might help you in some way. – Jelmer Jun 24 '13 at 17:50
  • @autibyte.. thank you, but I found only this example from Google, and I don't know how I can customize this to my requirements. I mean I don't know how to add this into my function after getting the data from Android. – hellosheikh Jun 24 '13 at 18:14
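The shared-secret check from the answer, worked through in plain PHP as an added example (this is not code from the question, the answer, or CakePHP itself). It shows the token comparison done in constant time with a missing token rejected cleanly, and then goes one step beyond the answer: an HMAC-signed request with a timestamp, so the secret never travels in the POST body and a captured request cannot be replayed outside a short window. The constant API_TOKEN, the functions authorize_by_token(), verify_signature() and sign_request(), the field names API_token, ts, payload and sig, and the sample request are all assumptions made for this example.

```php
<?php
// Added example, not code from the question or the answer. Names and field
// names below (API_TOKEN, authorize_by_token, verify_signature, sign_request,
// API_token, ts, payload, sig) are assumptions chosen for this example.

// The secret shared by the Android app and the server. Load it from server-side
// configuration in a real deployment; the value here is a placeholder.
const API_TOKEN = 'PLACEHOLDER-long-random-secret';

// Plain token check as in the answer, with two fixes: hash_equals() compares in
// constant time so the token cannot be guessed byte by byte from response
// timing, and a missing or non-string token is rejected without a PHP notice.
function authorize_by_token(array $post, string $expected): bool
{
    if (!isset($post['API_token']) || !is_string($post['API_token'])) {
        return false;
    }
    return hash_equals($expected, $post['API_token']);
}

// Signed variant: the client sends the payload, a Unix timestamp and an HMAC
// over both. The secret itself never appears in the request, and a captured
// request is only accepted inside the allowed clock-skew window.
function verify_signature(array $post, string $secret, int $now, int $maxSkew = 300): bool
{
    foreach (['ts', 'payload', 'sig'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return false;
        }
    }
    if (!ctype_digit($post['ts']) || abs($now - (int) $post['ts']) > $maxSkew) {
        return false; // stale or malformed timestamp
    }
    $expected = hash_hmac('sha256', $post['ts'] . "\n" . $post['payload'], $secret);
    return hash_equals($expected, $post['sig']);
}

// What the client side has to compute for each request (the Android app would
// mirror this with the same secret and the same string-to-sign layout).
function sign_request(string $payload, int $ts, string $secret): array
{
    return [
        'ts'      => (string) $ts,
        'payload' => $payload,
        'sig'     => hash_hmac('sha256', $ts . "\n" . $payload, $secret),
    ];
}

// Self-check with constructed requests (run with `php thisfile.php`).
$now      = time();
$good     = sign_request('{"user":"alice"}', $now, API_TOKEN);
$tampered = $good;
$tampered['payload'] = '{"user":"mallory"}'; // body changed, signature not
$stale    = sign_request('{"user":"alice"}', $now - 3600, API_TOKEN);

var_dump(authorize_by_token(['API_token' => API_TOKEN], API_TOKEN));
var_dump(authorize_by_token([], API_TOKEN));
var_dump(verify_signature($good, API_TOKEN, $now));
var_dump(verify_signature($tampered, API_TOKEN, $now));
var_dump(verify_signature($stale, API_TOKEN, $now));

// Inside a CakePHP 2.x controller action (assumed, to match the question's
// $this->request->isPost() style), the same check would read:
//   if (!verify_signature($this->request->data, API_TOKEN, time())) {
//       throw new ForbiddenException();
//   }
```

Two design points follow from the comments above. Marc B's caveat still holds: any secret shipped inside the APK can be extracted, so both checks raise the bar for casual forgery rather than make it impossible; the signed variant at least keeps the secret out of every request and limits replay. Jelmer's point about keeping the token private is why the value is loaded from server-side configuration and compared with hash_equals() rather than `!=`.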