I want to ask if anyone knows a way to make my server accessible only from my self-written Android application. The Android application accesses the data over an HTTP request (POST), but another person could still find the link to xxxxx.php and access the data from another place (not my own Android application).

What I have already done is that the data is only accessible when all the required parameters are given together with a specially generated key (which changes under special conditions). Still, this key does not change every second or minute, so once an attacker has a key, he could still access my data for some time.

So is there a way to limit access to my server to my application only?

Chris
  • Does the user with the app "log in"? If so, then you can restrict access to their session. If not, then unauthenticated users can already access it. – samlev Nov 30 '15 at 14:14
  • How to handle authentication in a RESTful Client-Server architecture: http://stackoverflow.com/questions/319530/restful-authentication/7158864#7158864 – Robin Vinzenz Nov 30 '15 at 14:14
  • How are attackers getting access to the key? – Steve Nov 30 '15 at 14:14
  • @Steve I'm assuming just sniffing the web traffic off the device would reveal it pretty quickly, unless there's an SSL connection. If so, then they would likely have to be able to decompile the app to get access to the key (unless the key is written to the filesystem somewhere). – samlev Nov 30 '15 at 14:16
  • @samlev Yeah, that's what I'm trying to establish. Simply using SSL and giving each user account a unique key (so abused ones can simply be deactivated) would probably be the way to go. I have a feeling of déjà vu here, Chris, have you already asked this question before? – Steve Nov 30 '15 at 14:21
  • OK, but still with a login, the user then has a unique user ID, which needs to be sent with the request, and by sniffing the traffic the attacker has the ID. OK, then I need to use SSL. I will also check the link from Robin later. And no, as far as I remember, it's the first time I have asked this ^^ – Chris Nov 30 '15 at 16:49

1 Answer

This cannot be done. It is an impossibility. You cannot control the client.

The best you can do is embed some secret information in your app, and try to hide it from others. A smart hacker will root their phone, and attach a debugger to your app, and find that secret.

Some anti-debugging tricks here: What is your favourite anti-debugging trick?

Neil McGuigan
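The comment thread above settles on SSL plus a per-user key that can be deactivated, and the answer explains why no embedded secret can keep a determined person out. The following is an added example (not code from the question, the comments, or the answer, and the PHP endpoint xxxxx.php is not reproduced) of how a server can make a sniffed or copied request much less useful even before TLS is in place: the per-user key is never sent, only an HMAC over the user ID, a timestamp, a random nonce and the body, so a captured request cannot be altered or replayed, and a key that has been extracted from the app can be revoked for that one account. The user IDs, keys, `MAX_SKEW_SECONDS`, and the in-memory tables are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Set, Tuple

# Constructed per-user API keys, issued at login (a real server keeps these in a DB).
# One key per account means an abused key is revoked without affecting other users.
USER_KEYS = {
    "user-1": secrets.token_hex(32),
    "user-2": secrets.token_hex(32),
}

MAX_SKEW_SECONDS = 300  # requests older (or newer) than this are rejected as stale


def canonical_string(user_id: str, timestamp: int, nonce: str, body: str) -> str:
    """The bytes the signature covers. Every field the server acts on must be in here,
    otherwise an attacker can change that field on a sniffed request."""
    body_digest = hashlib.sha256(body.encode()).hexdigest()
    return "\n".join([user_id, str(timestamp), nonce, body_digest])


def sign_request(user_id: str, key: str, body: str,
                 timestamp: Optional[int] = None, nonce: Optional[str] = None) -> dict:
    """Client side (what the Android app would do): build the POST parameters.
    The key itself never goes on the wire, only the HMAC computed with it."""
    ts = int(time.time()) if timestamp is None else timestamp
    n = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(key.encode(), canonical_string(user_id, ts, n, body).encode(),
                   hashlib.sha256).hexdigest()
    return {"user_id": user_id, "timestamp": ts, "nonce": n, "body": body, "signature": mac}


class Server:
    """Server side: every check runs before the body is trusted."""

    def __init__(self, keys: dict):
        self.keys = dict(keys)
        self.revoked: Set[str] = set()
        # Nonces seen inside the skew window; a real store expires them after MAX_SKEW_SECONDS.
        self.seen_nonces: Set[Tuple[str, str]] = set()

    def revoke(self, user_id: str) -> None:
        """Deactivate one account's key, e.g. after its requests are seen being abused."""
        self.revoked.add(user_id)

    def handle(self, params: dict, now: Optional[int] = None) -> Tuple[int, str]:
        """Return (HTTP status, reason) for one POST."""
        now = int(time.time()) if now is None else now
        user_id = params.get("user_id", "")
        key = self.keys.get(user_id)
        if key is None or user_id in self.revoked:
            return 401, "unknown or revoked key"
        try:
            ts = int(params.get("timestamp", ""))
        except ValueError:
            return 400, "bad timestamp"
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return 401, "stale timestamp"
        nonce = params.get("nonce", "")
        if not nonce or (user_id, nonce) in self.seen_nonces:
            return 401, "replayed nonce"
        expected = hmac.new(key.encode(),
                            canonical_string(user_id, ts, nonce, params.get("body", "")).encode(),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison so the check does not leak the signature byte by byte.
        if not hmac.compare_digest(expected, params.get("signature", "")):
            return 401, "bad signature"
        self.seen_nonces.add((user_id, nonce))
        return 200, "ok"


def demo() -> list:
    """Walk through a valid request and the ways a sniffed copy of it gets rejected."""
    server = Server(USER_KEYS)
    now = 1_700_000_000  # fixed clock so the walk-through is deterministic
    results = []
    good = sign_request("user-1", USER_KEYS["user-1"], "action=list", timestamp=now, nonce="n1")
    results.append(server.handle(good, now=now))            # (200, "ok")
    results.append(server.handle(good, now=now))            # exact replay of the sniffed request
    results.append(server.handle(good, now=now + 3600))     # replay an hour later
    tampered = dict(good, body="action=delete", nonce="n2")
    results.append(server.handle(tampered, now=now))        # body changed, signature no longer matches
    server.revoke("user-1")
    fresh = sign_request("user-1", USER_KEYS["user-1"], "action=list", timestamp=now, nonce="n3")
    results.append(server.handle(fresh, now=now))           # key was extracted from the app, so revoked
    return results
```

Sniffing the traffic still reveals the user ID, the signature and (without TLS) the body, but not the key, so the attacker can only re-send requests that the timestamp and nonce checks already refuse. What this does not change is the answer's point: someone who roots the phone and pulls the key out of the app can sign their own requests until that one account's key is revoked, which is exactly why the key is per-user rather than a single secret shared by every install.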