I am currently working on a simple app which parses data with JSON from a remote server. Server side, there is a php script which connects to the database and selects the necessary data.

My question is how to save the php script. My approach was to create only one username and one password for authenticating from every app. The app user wouldn't know about the login procedure and the php script would be securely accessed.

There are some problems with this approach, because I can't store data (encrypted) in a database because the user can delete it. SharedPreferences is also no option because I have to hardcode the credentials. And that is the point where I am right now: how about storing credentials hardcoded? Out of my gut feeling, I would say it is a bad idea. But how to handle this problem?

Doğan Uçar

1 Answer

This is a very bad idea. Why do you want to store the credentials for your MySQL database on every device your app is installed on? I'm confused about what your goal is with this authentication because to me it seems like you only want a way to log in to MySQL through PHP, so I'm missing the reasoning for storing the MySQL password on the client devices. To me, it sounds like the password should stay server-side in the PHP.

If you want to store passwords for other reasons on an Android device, look into using the Android Account Manager.

Reid Harrison
  • No, I don't want to store the MySQL password on the device. I just want to prevent the unauthorized execution of the script. I have created a table with a random username and password and use them for authenticating in the php script. – Doğan Uçar Jan 12 '15 at 20:29
  • Ok I understand what you want to do now. As a heads up, this will still be unsafe (regardless of on-device storage) because it is vulnerable to packet sniffing the password out of your HTTP requests. At a minimum, you should make sure to use HTTPS but it is also a bad idea to pass the password over requests like that which is a reason to use OAUTH tokens. If you want to go ahead with your plan to keep things simple, then I would still suggest you look into the Android Account Manager to securely store credentials. – Reid Harrison Jan 12 '15 at 21:31
  • Documentation: http://developer.android.com/reference/android/accounts/AccountManager.html#getPassword%28android.accounts.Account%29 Tutorial: http://udinic.wordpress.com/2013/04/24/write-your-own-android-authenticator/ – Reid Harrison Jan 12 '15 at 21:32
  • I use HTTPS for connecting to the server and I want to keep things simple. Can you tell me more about why it is unsafe to do it my way even with an encrypted connection (HTTPS)? Thank you for your hint with OAuth, I need to familiarize myself with it. – Doğan Uçar Jan 12 '15 at 22:19
  • HTTPS is still vulnerable to a [Man-in-the-middle Attack](http://en.wikipedia.org/wiki/Man-in-the-middle_attack) and other potential vulnerabilities. It's a lot more secure with HTTPS but it's just generally bad practice to ever pass around passwords like that. The benefit of OAuth is that the tokens expire so if one is ever compromised, it can't be used permanently like a password could be. – Reid Harrison Jan 12 '15 at 22:30
  • Thank you for your explanation. But I think it is quite too complicated to implement OAuth yet. My primary goal is to prevent unauthorized execution of the script. Later, when I have more users than expected, I will have to think about a full registration and other authentication methods. Nevertheless, thank you for your informative posts :) – Doğan Uçar Jan 13 '15 at 10:01
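The shape the answer and comments point at (the MySQL credentials stay server-side; the client authenticates once and then presents a short-lived signed token instead of sending a static password on every request) as an added example, not code from the thread. It is sketched in Python rather than the asker's PHP, and the signing key, the app's shared secret and the client id are constructed demo values.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed demo values. In a real deployment both live only in server-side
# config (outside the web root), never inside the APK or SharedPreferences.
SERVER_KEY = b"constructed-demo-signing-key"
APP_SECRET_HASH = hashlib.sha256(b"constructed-demo-app-secret").hexdigest()
TOKEN_TTL = 600  # seconds a token stays valid


def _sign(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def login(presented_secret: str, client_id: str, now: float, key: bytes = SERVER_KEY) -> Optional[str]:
    """Check the app's shared secret once; on success return '<client_id>.<expiry>.<b64url sig>'."""
    presented_hash = hashlib.sha256(presented_secret.encode()).hexdigest()
    if not hmac.compare_digest(presented_hash, APP_SECRET_HASH):
        return None
    payload = f"{client_id}.{int(now) + TOKEN_TTL}".encode()
    sig = base64.urlsafe_b64encode(_sign(payload, key)).rstrip(b"=")
    return (payload + b"." + sig).decode()


def verify_token(token: str, now: float, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the client_id if the token is authentic and unexpired, else None."""
    try:
        client_id, exp_str, sig_b64 = token.rsplit(".", 2)
        expiry = int(exp_str)
        sig = base64.urlsafe_b64decode(sig_b64 + "=" * (-len(sig_b64) % 4))
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return None
    expected = _sign(f"{client_id}.{expiry}".encode(), key)
    # Constant-time comparison; verify the signature before trusting the expiry field.
    if not hmac.compare_digest(sig, expected):
        return None
    if now >= expiry:
        return None  # expired: a captured token is useless after TOKEN_TTL
    return client_id


def data_endpoint(token: str, now: float) -> dict:
    """The data-fetching script: the database credentials are used here, server-side only."""
    client_id = verify_token(token, now)
    if client_id is None:
        return {"status": 401, "body": "unauthorized"}
    # Placeholder for the real query; the DB connection uses server config, not client input.
    return {"status": 200, "body": f"rows for {client_id}"}
```

The shared secret still has to reach the server once at login, so this narrows rather than removes the hardcoding problem the question raises; what changes is that the database password never leaves the server and a sniffed token stops working after TOKEN_TTL.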