0

So I've literally been searching for this for 2 months, but nothing... Basically I've got an Android app which makes HTTP(S) requests to a PHP server. Let's say I've got a URL to get some information: https://example.com/username/check/whaterver/. To access this URL you need to send over a token that you get once you're logged in. I have everything all set; the only problem is that I know that people can see the requests made from their phones, let's say: URL: https://example.com Form-data: token=5456432145. What I need is a way to send the token to the server without the user being able to see the token.

I am not asking how to make an HTTP request between Android and PHP, I'm asking how to ONLY accept HTTP requests from Android and PHP.

Myself
  • 1
    Possible duplicate of [Make an HTTP request with android](https://stackoverflow.com/questions/3505930/make-an-http-request-with-android) – Pedro Rodrigues Sep 21 '19 at 01:20
  • You don't need a secure request (HTTPS alone is enough) from the client (Android) and PHP, because the user has many ways to get it. You must protect your data from the server by code – Nguyên Ngô Duy Sep 21 '19 at 01:34
  • Can't you make an HTTPS request to the PHP server in the background of the app as an API call? – Umer Abbas Sep 21 '19 at 02:58
  • I think the usual practice for security tokens is to: 1. send them through a POST parameter or header; and 2. simply have them expire in a relatively short period of time; and 3. only send them through HTTPS. – Koala Yeung Sep 21 '19 at 03:22
  • If you really want to obscure the token text from even the client system, you may take a look at asymmetric encryption of any sort. You may [encrypt](https://www.php.net/manual/en/function.openssl-private-decrypt.php) the request, with token, on Android then [decrypt](https://www.php.net/manual/en/function.openssl-private-decrypt.php) on server. But if the user has access to the memory of the device, he / she may still get the token and encryption key. – Koala Yeung Sep 21 '19 at 03:28
  • Thanks @KoalaYeung I'll go with the expiration time! – Myself Sep 21 '19 at 10:26
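
The practice settled on in the comments above (a token sent in a header or POST parameter over HTTPS, with a short lifetime), as an added example that is not part of the original thread: server-side PHP that issues and verifies an expiring, HMAC-signed token. The function names, the 15-minute lifetime, the `uid`/`exp` payload fields and the demo values are assumptions; the device owner can still read their own token, so the protection is the server's signature and expiry check.

```php
<?php
// Added example: all names and values here are assumptions, not from the thread.
const TOKEN_TTL = 900; // assumed lifetime in seconds (15 minutes)

// URL-safe base64 without padding, so the token travels cleanly in a header.
function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Called after a successful login: payload = user id + expiry, signed with HMAC-SHA256.
function issue_token(string $userId, string $secret, ?int $now = null): string {
    $now = $now ?? time();
    $payload = b64url(json_encode(['uid' => $userId, 'exp' => $now + TOKEN_TTL]));
    $sig = b64url(hash_hmac('sha256', $payload, $secret, true));
    return $payload . '.' . $sig;
}

// Returns the user id when the token is authentic and unexpired, otherwise null.
function verify_token(string $token, string $secret, ?int $now = null): ?string {
    $now = $now ?? time();
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null; // malformed token
    }
    [$payload, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, $secret, true));
    if (!hash_equals($expected, $sig)) {
        return null; // signature mismatch (constant-time comparison)
    }
    $data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($data) || !isset($data['uid'], $data['exp']) || !is_int($data['exp'])) {
        return null; // payload is not the structure we issued
    }
    if ($data['exp'] < $now) {
        return null; // expired: the client has to log in again
    }
    return (string) $data['uid'];
}

// Constructed demo values; a real server loads the secret from its own configuration.
$secret = random_bytes(32);
$t0 = 1700000000;
$token = issue_token('user42', $secret, $t0);
var_dump(verify_token($token, $secret, $t0 + 60));            // case: inside the lifetime
var_dump(verify_token($token, $secret, $t0 + TOKEN_TTL + 1)); // case: past the expiry
var_dump(verify_token($token . 'x', $secret, $t0 + 60));      // case: altered signature
```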

1 Answer

-1

You can use/create cryptography to send to the PHP server and from the server to the browser of the device. A cryptography mode will encode your token code, like: token=5456432145 to token=D37AG3H7183BAD2E6DGAS