PhoneGap Allow (Ajax Request) Server side PHP files access just for this app (Security Purposes)

Question

I have created an android app using PhoneGap (PhoneGap is a tool which supports you to create apps using the languages like HTML, CSS, and JavaScript.).

Please note that android app is an open source app. So android app code is publicly available to server. So I can't pass password, verification variable to server.

This is my code:

<script type="text/javascript">
    $(document).ready(function() {
        $("#insert").click(function() {
            var title = $("#title").val();
            var duration = $("#duration").val();
            var price = $("#price").val();
            var dataString = "title=" + title + "&duration=" + duration + "&price=" + price + "&insert=";
            if ($.trim(title).length > 0 & $.trim(duration).length > 0 & $.trim(price).length > 0) {
                $.ajax({
                    type: "POST",
                    url: "http://www.example.com/test/insert.php",
                    data: dataString,
                    crossDomain: true,
                    cache: false,
                    beforeSend: function() {
                        $("#insert").val('Connecting...');
                    },
                    success: function(data) {
                        if (data == "success") {
                            alert("inserted");
                            $("#insert").val('submit');
                        } else if (data == "error") {
                            alert("error");
                        }
                    }
                });
            }
            return false;
        });
    });
    </script>

This function should update the table which is on the server using http://www.example.com/test/insert.php. It works fine without any problems when the app is installed on a android phone.

But other users could easily update my table using above function. I mean if they know the URL (http://www.example.com/test/insert.php) they can also update my table passing necessary post requests.

How do I prevent this from happening? How could I allow accessing the page http://www.example.com/test/insert.php limited to just my app. I mean if request are coming from my app to http://www.example.com/test/insert.php it should work.

Where is the code for the http://www.example.com/test/insert.php page? — Joseph_J, Jun 04 '18 at 07:34
I'm sorry, I should have just asked you to post the code for that page in your question so we can see it. — Joseph_J, Jun 04 '18 at 08:47
@Joseph_J Oh sorry. I have misunderstood your question. It has just db connection and queries using `mysqli_query()` function — I am the Most Stupid Person, Jun 04 '18 at 09:10
since that page is where your ajax is sending the post request, that page is going to be the page that checks to see if a session exist and does validations for the data. Stack overflow members are going to want to see that in order to help you. Remove any passwords or other secret stuff and post the file in your question. — Joseph_J, Jun 04 '18 at 09:20
@Joseph_J No. I think you misunderstood the concept. This is a android app created by using Phone. So there is no session since I can't pass session from mobile device to server. I can pass a something like password with ajax request. It also won't work because code of android phone is open.... The code which is on server only hidden.... — I am the Most Stupid Person, Jun 04 '18 at 09:30
Similar to normal *web apps* like GMail, you can add authentication (i.e. login system) to your app, so that once users are logged-in to your app, they're free to insert/update/delete data and do other (private) stuff. You could also store API keys in the user's device, which they can use to (authorize themselves and then) perform actions on your site through your mobile app. — Sally CJ, Jun 04 '18 at 11:15

score 0 · Answer 1 · answered Jun 04 '18 at 12:54

0

When you click on insert button, try to send a value in hidden input variable. at your server side programming, check with that variable like

if($_POST['insert'] && $_POST['<hidden varaible name>'])
{
 //your code goes here ...
}

answered Jun 04 '18 at 12:54

sree

389
5
17

Thanks, But this won't work because I have to send them via above JS code. It is publicly available. – I am the Most Stupid Person Jun 05 '18 at 05:16

USER249 · Answer 2 · 2018-06-07T00:22:28.917

You have only two options I can think of:

1- With app key like in romal tandel's answer notice that you DON'T have to publish your key because it is NOT part of the code and you can simply replace your key with a dummy key = "XXXXX" in the published copy of the code and open source is not an excuse to roll out this solution.

-2 You should first determine your users domain and ask you self who should access the server and not who shouldn't. Only after answering this you should then find a way to restrict access only to your targeted domain of users like with a range of IP addresses related to an organization or a country or to pre-registered unique devices MAC addresses or unique IDs or most probably it will lead you to use solution number one after all.

score 0 · Answer 3 · answered Jun 07 '18 at 21:10

Just like everyone else has said you should build authentication into your app using tokens or keys.

From what I understand of your question, Your ultimate goal is to only allow people who are using your app(people on android phones) to access the insert.php if any other device tries to access, it shouldn't update the table.

One solution that comes to mind is to get the user agent(browser) and other HTTP headers variable behind the HTTP request to your URL.

$user_agent= $_SERVER['HTTP_USER_AGENT'];

Then based on those variables update or don't update the table. The user agent can be spoofed if someone really wants to mess with your app. There are libraries like this one to help you further determine what kind of device sent the request.

score -1 · Answer 4 · answered Sep 28 '17 at 10:25

-1

You cant

refer the below answer, It would help for you.link

How ever you need to make securing API keys to achieve this. link

answered Sep 28 '17 at 10:25

nisar

1,055
2
11
26

score -1 · Answer 5 · answered Jun 04 '18 at 12:59

-1

i think you need something like this

Android side:

SECRET_KEY = "abc123"

def call_api_with_secret(url, params)
  # create the hash to sign the request
  hash = MD5.hash(SECRET_KEY, url, params)

  # call the api with the added hash
  call_api(url+"&hash=#{hash}", params)
end

Server side:

    SECRET_KEY = "abc123"

    def receive_from_api(url, params)
      # retrieve the hash
      url_without_hash, received_hash = retrieve_and_remove_hash(url)

      # check the hash
      expected_hash = MD5.hash(SECRET_KEY, url_without_hash, params)

      if (expected_hash != received_hash)
        raise our exception!
      end

      # now do the usual stuff

end

answered Jun 04 '18 at 12:59

romal tandel

481
12
19

Thanks, But this won't work because I have to send them via Android side. android app is open source. It is publicly available. – I am the Most Stupid Person Jun 05 '18 at 05:17
This should work. Open source doesn't mean you must publish your secret key.You simply replace it with a dummy key. – USER249 Jun 07 '18 at 00:14

PhoneGap Allow (Ajax Request) Server side PHP files access just for this app (Security Purposes)

5 Answers5