0

I am developing an Android app which connects with a web service to insert data into MySQL, so if someone decompiles my code and discovers my file name, they could make many requests... I have thought of implementing a function in PHP which can detect that my Android app is requesting it and not any other application. How can I do this? I have tried to use $_SERVER['HTTP_X_REQUESTED_WITH'] but it returns an empty value.

I know that this is not the best solution, but I can't implement a login in my application to use OAuth, for example, because it is a jokes app and a login is absurd. If you think that a better solution could exist, tell me about it.

Ahmad
  • 69,608
  • 17
  • 111
  • 137
  • Does the android app connect to `a.php` over SSL? – HamZa Apr 19 '14 at 19:21
  • I don't have SSL on that URL; is there any other possibility? –  Apr 19 '14 at 19:30
  • 2
    You can never be 100% sure but there are some suggestions http://stackoverflow.com/questions/8650705/check-if-http-request-comes-from-my-android-app – Gustek Apr 19 '14 at 19:45
  • Thanks @Gustek, that user had the same problem as I have now, but no safe solution. –  Apr 19 '14 at 19:53
  • 3
    Because there is no solution. Requests can always be forged. You can make it harder to do so, but not impossible. – Gustek Apr 19 '14 at 20:11

2 Answers

0
  1. Use SSL to encrypt the connection.
  2. Set an authentication mechanism on your PHP page, and your Android app should send the credentials.
barbarity
  • 2,420
  • 1
  • 21
  • 29
  • Would that only prove that they had authenticated themselves with you, not that the 'thing' talking to you was a particular 'device', 'app' or whatever? – Ryan Vincent Apr 19 '14 at 22:27
0

Be aware that any message/code you put in your app can be decompiled. You can make it more difficult, but the problem you are trying to solve is impossible to solve from the client side (Android app).

Using a special key just for your android apps, adding a special checksum with signature, checking the user-agent as you stated, or only communicating with your server over HTTPS and only if your certificate is present are ways of slowing down attackers, but the reality is if the code is on a user's machine/phone, they can figure out how it works and get around it.

Your best limits are server-side. I recommend rate-limiting to prevent an individual from sending too many requests from the same IP at once. Keep a count in your database or in a file of requests from an IP per minute or hour. Delete this information frequently. If there are too many requests from an IP, you can:

  • Automatically slow down requests from very active IPs (sleep).
  • Automatically add CAPTCHA to particularly active IP addresses then turn it off after a period of time.
  • Automatically block IP addresses temporarily or permanently.
summer
  • 711
  • 1
  • 5
  • 15
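One way to implement the per-IP counting and the three escalation steps the answer above describes, as an added example that is not the answer's own code. It keeps a fixed-window counter in a JSON file; the 60-second window, the thresholds and the file name are assumed values you would tune for your own traffic.

```php
<?php
// Added example: fixed-window per-IP rate limiter backed by a JSON file.
// Assumed values: a 60-second window and the three thresholds below.
const WINDOW_SECONDS = 60;
const SLOW_AT    = 30;   // above this many hits per window, delay the response
const CAPTCHA_AT = 60;   // above this, require a CAPTCHA before inserting
const BLOCK_AT   = 120;  // above this, refuse the request outright

function clientIp(): string
{
    // Use the socket address only; X-Forwarded-For is client-controlled
    // unless a proxy you configure overwrites it.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Records one hit for $ip and returns 'ok', 'slow', 'captcha' or 'block'.
function rateLimitDecision(string $ip, string $storeFile, int $now): string
{
    $fh = fopen($storeFile, 'c+');          // create if missing, never truncate
    flock($fh, LOCK_EX);                    // serialise concurrent requests
    $raw = stream_get_contents($fh);
    $counts = $raw === '' ? [] : (json_decode($raw, true) ?: []);

    $window = intdiv($now, WINDOW_SECONDS); // id of the current fixed window
    // Drop entries from earlier windows so the file does not grow forever.
    $counts = array_filter($counts, fn($e) => $e['w'] === $window);

    $hits = ($counts[$ip]['n'] ?? 0) + 1;
    $counts[$ip] = ['w' => $window, 'n' => $hits];

    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($counts));
    flock($fh, LOCK_UN);
    fclose($fh);

    if ($hits > BLOCK_AT)   return 'block';
    if ($hits > CAPTCHA_AT) return 'captcha';
    if ($hits > SLOW_AT)    return 'slow';
    return 'ok';
}

switch (rateLimitDecision(clientIp(), __DIR__ . '/ratelimit.json', time())) {
    case 'block':   http_response_code(429); exit('Too many requests');
    case 'captcha': http_response_code(403); exit('CAPTCHA required');
    case 'slow':    sleep(2);               // then continue as normal
}
// ... normal handling: validate the input and insert into MySQL ...
```

The file must be writable by the web server user and kept outside the document root; on a busy site the same logic maps directly onto a database table or a Redis counter.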