-1

I'm building an Android app and using AsyncTask for web services, but I want to verify that the URL is being posted to from my Android application and not from any other application.

Asked by Radwa Ali, edited by CristiC
  • The way I achieved that is by sending an additional post parameter with a secret key, but I'm not sure if that's possible with oauth – Filnor Oct 23 '17 at 09:27
  • But hackers can see this secret key; I need to send a value without it being found – Radwa Ali Oct 23 '17 at 09:28
  • Use SSL and send it via POST, so no one can see it. – mega6382 Oct 23 '17 at 09:29
  • This might help you. [Use this logic to verify the requester's IP is equal to your Android IP.](https://stackoverflow.com/questions/3003145/how-to-get-the-client-ip-address-in-php) – Sumit Shitole Oct 23 '17 at 09:29
  • are you sure??? – Radwa Ali Oct 23 '17 at 09:30
  • `but hackers can see this secret key i need to send a value without being found` Send it encrypted then. – JonZarate Oct 23 '17 at 09:43
  • @JonZarate The encryption is done on the device and everything done on the device could be reverse engineered – Philipp Oct 23 '17 at 09:48
  • @Philipp Use KeyStore values then. – JonZarate Oct 23 '17 at 10:02
  • @JonZarate Not sure how this should help you to create a shared secret for the client/server, which only one authorized Android app could create – Philipp Oct 23 '17 at 10:07
  • @Philipp Well, that's what KeyStores are for. To `store`, `keys`. Just make the server send a challenge and if the answer is correctly encrypted, it's authorized. – JonZarate Oct 23 '17 at 10:17
  • @JonZarate I know what KeyStores are for. The problem is still, how to create the private key. If you create it on the device, every other app could do this as well. If you create the key once and store it inside the apk, an attacker could decompile it and build his own app. – Philipp Oct 23 '17 at 10:25
  • @Philipp You need a password to open a KeyStore. It's not code. – JonZarate Oct 23 '17 at 10:36

1 Answer

0

To be honest, there is no way to prevent an attacker from building his own app on any other platform. Even a large company like Niantic with Pokemon Go has problems preventing illegal clients.

What they do to prevent this is:

  • Sign all requests with a signature algorithm, which changes on every update.
  • Monitor the usage behaviour and detect patterns which fall outside typical usage.
Philipp
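The comment thread and the answer both point at the same mechanism: the app signs each request with a secret, and the server checks the signature. As an added illustration (not code from the question, the answer, or any library the thread mentions), the block below shows both halves in Python: `sign_request` is what the Android client would compute (on Android the same HMAC-SHA256 is available through `javax.crypto.Mac`), and `Verifier` is the server side, which also rejects requests with a stale timestamp or a reused nonce so that a captured request cannot simply be replayed. The header names, the hypothetical `/api/upload` path, and the demo secret are constructed for the example; the secret still has to live inside the APK, which is exactly the limit Philipp describes, so this raises the bar but does not prove the request came from the genuine app.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo secret (assumption). In a shipped app this value is embedded
# in the APK and can be recovered by decompiling, as the thread points out.
APP_SECRET = b"constructed-demo-secret-not-for-production"

# How far a client clock may drift from the server before a request is refused.
MAX_SKEW_SECONDS = 300


def canonical_string(method, path, body, timestamp, nonce):
    """Fixed, unambiguous serialisation of the parts the signature covers.

    Hashing the body keeps the canonical string short and binds the exact
    payload; the timestamp and nonce bind the request to one moment in time.
    """
    return "\n".join([
        method.upper(),
        path,
        hashlib.sha256(body).hexdigest(),
        str(timestamp),
        nonce,
    ])


def sign_request(method, path, body, secret=APP_SECRET, timestamp=None, nonce=None):
    """Client side: returns the extra headers the app attaches to a request.

    Header names are assumptions for this example, not a standard.
    """
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    message = canonical_string(method, path, body, timestamp, nonce).encode()
    signature = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": signature}


class Verifier:
    """Server side: recomputes the HMAC and enforces freshness and single use."""

    def __init__(self, secret=APP_SECRET, max_skew=MAX_SKEW_SECONDS):
        self.secret = secret
        self.max_skew = max_skew
        # nonce -> timestamp of first use. With several servers this would
        # live in a shared store so a replay against another node is caught.
        self.seen = {}

    def verify(self, method, path, body, headers, now=None):
        """Returns (accepted, reason). `now` is injectable for deterministic tests."""
        now = int(time.time()) if now is None else now
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            signature = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed signature headers"

        # 1. Freshness: a request outside the window is refused before any crypto.
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside allowed window"

        # 2. Integrity: recompute and compare in constant time to avoid timing leaks.
        expected = hmac.new(
            self.secret,
            canonical_string(method, path, body, ts, nonce).encode(),
            hashlib.sha256,
        ).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"

        # 3. Single use: the same signed request must not be accepted twice.
        self._expire(now)
        if nonce in self.seen:
            return False, "nonce already used (replay)"
        self.seen[nonce] = ts
        return True, "ok"

    def _expire(self, now):
        """Drop nonces older than the skew window; they can no longer pass step 1."""
        for nonce, ts in list(self.seen.items()):
            if now - ts > self.max_skew:
                del self.seen[nonce]


if __name__ == "__main__":
    body = b'{"user": "alice"}'
    headers = sign_request("POST", "/api/upload", body)
    server = Verifier()
    print(server.verify("POST", "/api/upload", body, headers))        # accepted
    print(server.verify("POST", "/api/upload", body, headers))        # replay refused
```

Rotating `APP_SECRET` and the canonical format with every release, as the answer suggests, means an extracted secret only works until the next update; the behavioural monitoring the answer also mentions is what catches a client that has kept up with the rotation.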