
The application I'm creating is supposed to allow a client to send some feedback to the server, so I make a simple HTTP request with my feedback and other information in it, but I want to make sure that the request can only come from my application; the rest should be rejected. So what are my choices?

Thank you for your helpful directions in advance.

P.S.: I'm not asking for code, just the best practice.

arash moeen
  • Use HTTPS for all of your requests, only accept HTTPS on the server, and check for a specific user agent, perhaps? – darnmason Jan 23 '15 at 01:05
  • Does anyone know a good way? (Maybe it's even a duplicate question.) darnmason's idea is good to prevent MITM, but checking for the user agent doesn't help, as other applications can use it too; also, secret keys can be extracted from the code. Are there Android APIs for that? – Gustavo Rodrigues Mar 28 '15 at 09:46
  • @GustavoRodrigues I couldn't find any solution other than what darnmason gave. – arash moeen Mar 28 '15 at 21:12
  • I said that because [it was a problem for Twitter](http://arstechnica.com/security/2010/09/twitter-a-case-study-on-how-to-do-oauth-wrong/). [An answer](http://stackoverflow.com/a/7132392) to a similar question doesn't show a good solution, just countermeasures. Maybe an Android API, like what Google does with "Key for Android applications" on the "Developers Console" (I don't know the details, but it seems to work). – Gustavo Rodrigues Mar 28 '15 at 21:47
  • @GustavoRodrigues I'll try to dig more into this in the next few days and ask some of my senior colleagues to see if there's any better solution. – arash moeen Mar 31 '15 at 13:00

1 Answer


I have looked for the same thing, and what is possible is to force the app users to sign in with their Google account; then you can get verification via tokens that the call came from your app, as described here: https://developers.google.com/identity/sign-in/android/backend-auth

That there isn't an option without having users sign in is disappointing.

Mirsaes