6

I'm developing one android application and I'm creating a php based webservice to retrieve the information from the database.

The thing is that I really don't know how to secure this service.

For example, if my android application needs to retrieve some information from the server it will call http://mywebservice.com/service.php, and it will send several POST parameters as the user and password to login, or something like, for example, one user id to retrieve his data.

Of course, anybody with the knowledge enough will be able to retrieve that data too. And this is what I don't want to happen.

Anybody who know the parameters to send to my server will be able to retrieve information from it.

How can I secure this?

I've been reading about OAuth, OAuth2, two legged and three legged implementations of it, https..

But at the moment, I really don't know how to secure this.

I want that the webservice only answer to my application and not to anybody else.

PS: Even there is something like http://myservice.com/get_information.php that you send an id and you can retrieve a lot of information. Of course, I control that in my application, only logged and authorized people can do that calling, but it's a problem anyway. What's the best way to do this kind of things?

JFValdes
  • 426
  • 8
  • 19
  • 1
    I think a good begin would be to take a look at [`crypt()`](http://php.net/manual/fr/function.crypt.php) function if it has not been done yet. – Anwar Apr 29 '15 at 08:19
  • How about a per-user username and password sent with each HTTP request? These can be autogenerated if you wish, or typed in by the user, as appropriate for your situation. – halfer Apr 29 '15 at 10:58

3 Answers3

6

Some concepts to secure a webservice(might be forgetting some notions):

  • Protocols: HTTPS in the current case so data are not transfered in a clear format.

  • The Sessions: A session has a lifetime, a unique identifier(session token/id/whatever) and contains an error code. When a user will call your webservice, a session will be created and its token answered back. At every call of the webservice you'll test if the session is still alive. You can add complexity to the expected inputs, outputs and exchanges. The error_code will be used for logging(errors can come from an attack or a bug of your webservice).

  • Data Encryption: Use asymetric functions like password_hash() or crypt() for authentication issues. Use symetric algorithms like AES 128(10 rounds) or 256 (14 rounds) for sensitive data you'll need to retrieve.

  • Testing inputs: If you find yourself inserting given arguments in a query, try to prevent SQL injection. Some bad-minded people can also try to send arguments which would make your webservice fail.

  • Go for standards: As Çagatay said, try to implement for example oAuth2 because standard is most of the time much better than what we'll build :S

Hope it helps.

edit: The REST security sheet is good also.

Community
  • 1
  • 1
Answers_Seeker
  • 468
  • 4
  • 11
4

  1. Always use SSL to prevent some man-in-the-middle attack. Otherwise someone that sniffs the connection (in case of connecting via public wi-fi or company networks it's a huge risk) can see the username and password.

  2. Do not send username and password on each request, instead implement oAuth2, your client in this case will have to send the username and password only once and then for the other requests you'll have to send only the auth key. Good documentation for implementing a oauth server: http://www.sitepoint.com/creating-a-php-oauth-server/

  3. Look at this document: https://www.owasp.org/index.php/REST_Security_Cheat_Sheet

Cagatay Gurturk
  • 7,186
  • 3
  • 34
  • 44
3

I ended using OAuth. More especifically this library https://bshaffer.github.io/oauth2-server-php-docs/ If you follow the instructions it's really easy to use and it works very well. I think it's a really good way to start working with OAuth.

JFValdes
  • 426
  • 8
  • 19