
I have an android application. The application reads data from my server and displays them to the user.

Now, the question is: How to prevent someone from making a bogus app and asking my server to send data to this app?

This both wastes my bandwidth and makes use of my content, while allowing people to create competitive apps using my data.

As you know, trying to prevent reverse engineering is like trying to stop piracy: impossible. Android reverse engineering especially is like stealing candy from a baby.

Patrick
Luka

4 Answers


Use API Tokens. Possible solutions:

But mind you, either way you need to somehow hardcode a key/salt/hash/password in your app, which can be reverse engineered one way or the other. There is no real (practical) possibility in Android to prevent rogue clients from accessing your backend (especially on rooted devices).

I would recommend HTTP Basic Auth since it's the best tradeoff in effort, usability and security (it's also used by the majority of public APIs). It's very easy to implement since you only need to send a hardcoded HTTP header; it's supported by practically every HTTP server; it does not change your API or pollute it with query parameters; and it's also reasonably secure if used over HTTPS.

Etienne Martin
Patrick
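The server-side half of what this answer describes, as an added example rather than the answerer's code: it parses the `Authorization: Basic` header that the app would send with its hardcoded credential, rejects missing or malformed values, and compares user and password in constant time so a probing client cannot learn the secret from response timing. The credential values and function names are assumptions for illustration; the answer's caveat still applies, since the credential lives in the APK and Basic auth only stays confidential over HTTPS.

```python
import base64
import binascii
import hmac

# Constructed sample credentials: a real server loads these from its own
# configuration, not from source code.
EXPECTED_USER = "android-client"
EXPECTED_PASSWORD = "correct horse battery staple"


def parse_basic_auth(header_value):
    """Return (user, password) from an 'Authorization: Basic ...' value,
    or None if the header is absent, not Basic, or malformed."""
    if not header_value:
        return None
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id cannot contain ':', but the password may,
    # so split on the first colon only.
    if ":" not in decoded:
        return None
    user, password = decoded.split(":", 1)
    return user, password


def check_basic_auth(header_value, expected_user=EXPECTED_USER,
                     expected_password=EXPECTED_PASSWORD):
    """True only if the header carries exactly the expected credentials.
    Both comparisons always run (no short-circuit) and in constant time."""
    creds = parse_basic_auth(header_value)
    if creds is None:
        return False
    user_ok = hmac.compare_digest(creds[0].encode(), expected_user.encode())
    pass_ok = hmac.compare_digest(creds[1].encode(), expected_password.encode())
    return user_ok and pass_ok


def client_header(user, password):
    """Build the header value the app would send (the hardcoded part)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token
```

On a failed check the server should answer 401 with `WWW-Authenticate: Basic realm="..."` and, ideally, rate-limit the source, since the credential can still be extracted from the APK.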

Make the server require an API key and obfuscate the key in your code, see this answer: Best Practice for storing private API keys in Android

Steve M

If you use an HTTP server, you can use HTTP Basic auth.

Basic access auth


You could use something like reCAPTCHA to verify that the client is not a bot.

jacknad