I have a multi-platform project.

It has a web side and an android side in it. What do you guys suggest for verifying that the client that I am talking to from the web service is my android client? Does anybody have any idea of how should I authenticate these two?

I was thinking about saving a token field in a user table, with its content being some unique hash based on data from the client, that can be recognized by the server. However, I don't know what information I could use as the basis for the hash.

What client information should I use to create the hashed value to use as the authentication token?

If this information is necessary: my web service is exposed to clients as a RESTful API and is written in PHP on the server side.

Thanks.

code_dredd (5,915)
Shaheen Zahedi (1,216)

1 Answer
You could have the client and server communicate with each other using SSL and configure the server to require a client certificate. See for example https://docs.oracle.com/cd/E19424-01/820-4811/aakhe/index.html for more information on that.

This does not, however, protect you from a malicious hacker, who could extract the certificate from your client and add it to their own application.

Guenther (2,035)
  • Thanks for your brief answer. How can I guarantee that the client I am talking to is my client, and not a malicious hacker that injects data in between? – Shaheen Zahedi Aug 20 '16 at 19:57
  • SSL/TLS takes care of the "usual" hackers in between. It cannot protect you from large-scale hackers like governments. They have the ability to do a man-in-the-middle attack (https://en.wikipedia.org/wiki/Man-in-the-middle_attack). The problem I was talking about is a hacker extracting/stealing your client certificate and adding it to his hacked application. See http://stackoverflow.com/questions/9763092/how-safe-are-client-ssl-certificates-in-a-mobile-app – Guenther Aug 21 '16 at 14:20
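The answer above describes requiring a TLS client certificate but does not show what the PHP side of the RESTful API has to check once the web server has done the handshake. The following is an added example (not code from the question or the answer) of that server-side check. It assumes Apache with mod_ssl, which exports the `SSL_CLIENT_*` variables into `$_SERVER`; the directive snippet in the leading comment, the CA file path and the revocation list are all assumptions for illustration. The point it adds to the answer's caveat is that keying the client identity to the certificate's fingerprint lets you revoke one stolen certificate without reissuing every other client's.

```php
<?php
// Added example, not from the original post. Server-side verification of a
// TLS client certificate in a PHP REST endpoint behind Apache + mod_ssl.
//
// Assumed vhost configuration (adjust the CA path to your deployment):
//
//   SSLVerifyClient require
//   SSLVerifyDepth 1
//   SSLCACertificateFile /etc/ssl/private/client-ca.pem   # CA that signed the client certs
//   SSLOptions +StdEnvVars +ExportCertData                 # expose SSL_CLIENT_* to PHP
//
// With that in place mod_ssl aborts the handshake for clients that present no
// valid certificate; PHP still has to confirm the verdict and decide whether
// this particular certificate is one it still trusts.

declare(strict_types=1);

/**
 * Returns ['cn' => ..., 'fingerprint' => ...] for the authenticated client,
 * or throws RuntimeException if the request did not carry a verified and
 * still-trusted client certificate.
 *
 * @param array $server  the $_SERVER array (passed in so the function is testable)
 * @param array $revoked SHA-256 fingerprints of certificates no longer trusted,
 *                       e.g. one known to have been extracted from a leaked APK
 */
function authenticate_client(array $server, array $revoked): array
{
    // 1. Never trust a request that reached PHP without mod_ssl's verdict.
    //    'SUCCESS' is the value mod_ssl sets after a successful chain check.
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        throw new RuntimeException('client certificate missing or failed verification');
    }

    // 2. Parse the verified PEM certificate exported by +ExportCertData.
    $cert = openssl_x509_read($server['SSL_CLIENT_CERT'] ?? '');
    if ($cert === false) {
        throw new RuntimeException('client certificate could not be parsed');
    }

    // 3. Pin the identity to the certificate itself (its fingerprint), not only
    //    to the subject name, so a single stolen certificate can be revoked.
    $fingerprint = openssl_x509_fingerprint($cert, 'sha256');
    if ($fingerprint === false) {
        throw new RuntimeException('fingerprint computation failed');
    }
    if (in_array($fingerprint, $revoked, true)) {
        throw new RuntimeException('client certificate has been revoked');
    }

    $subject = openssl_x509_parse($cert)['subject'] ?? [];
    return [
        'cn'          => $subject['CN'] ?? '',
        'fingerprint' => $fingerprint,
    ];
}

// Constructed revocation list for illustration; in practice load it from the
// same database that holds the user table mentioned in the question.
$revokedFingerprints = [
    '0000000000000000000000000000000000000000000000000000000000000000',
];

try {
    $client = authenticate_client($_SERVER, $revokedFingerprints);
    // ... serve the REST request on behalf of $client['cn'] ...
} catch (RuntimeException $e) {
    http_response_code(403);
    header('Content-Type: application/json');
    echo json_encode(['error' => $e->getMessage()]);
    exit;
}
```

As the answer and its comment note, this still cannot distinguish your app from a copy of it that carries the same extracted certificate; what the fingerprint check buys you is containment, because once such a copy is noticed its certificate can be revoked individually while every other client keeps working.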