0

I want to set up some basic web server protection to protect against replay attacks and data manipulation hacks. At the moment, I make a REST request from the client (android) side such as: 

http://www.example.com/add_book.php?user_name=eddy&nonce=534365756756&book_title=My%20First%20Book

Here, I am using a nonce that will be stored against the user's id and checked for duplicate requests. However, in this unencrypted system someone can simply insert their own (random) nonce. What I want do is convert the above request to something along the lines of:

http://www.example.com/add_book.php?fsjdfhdhsjfhdsjf538537854rj34i5348ur4rf4r3g4yrg4y32210dfsdjfsdhfjshru99jifjknjsdfnfjsfhuruwe

that can be unencrypted server side to the equivalent unencrypted URL so the parameters can be accessed with $_GET['book_title'] (like in the usual manner).

In the ideal world, the request itself could be encrypted with the user's hashed password as an easy way to certify the user is who they say they are.

I'm not really prepared to pay for an HTTPS certificate at this stage so that's not really an option.

Does anyone know how I can do this? My requests are plain text atm so are incredibly vulnerable. Thanks.

Gmeister4
  • 754
  • 10
  • 19
  • why dont you post ur params instead? – KOTIOS Aug 06 '14 at 11:47
  • You don't have to pay for an SSL cert. You can generate one yourself and accept/verify on the Android client. You'll have to generate one anyway to sign your app. http://stackoverflow.com/questions/1217141/self-signed-ssl-acceptance-android – RoraΖ Aug 06 '14 at 12:26
  • Thanks for the reply, any ideas how to secure post params? – Gmeister4 Aug 11 '14 at 10:19

1 Answers1

0

Android encrypting URL parameters and values and decrypting server side

Don't encrypt URL parameters!

I want to set up some basic web server protection to protect against replay attacks and data manipulation hacks.

If you're trying to stop someone on the network from intercepting plaintext HTTP requests and manipulating them maliciously, HTTPS is the only solution you have.

If you're trying to stop a local user from doing the same, rethink the security model of your application.

I'm not really prepared to pay for an HTTPS certificate at this stage so that's not really an option.

You don't have to pay anything for HTTPS. It's free!

If you're using a hosting provider that makes it difficult to get HTTPS for free, set up a cheap VPS (LowEndBox, DigitalOcean droplets, etc.) and stop giving them your business. They'll adapt or die.

Scott Arciszewski
  • 33,610
  • 16
  • 89
  • 206