0

I want my app to append query parameters to a given base URL such that when I share the URL with someone outside the app he won't be able to see the query parameters. When this person clicks on the link leading him to my website I want to deploy a script that using these query parameters. These parameters are specific to a single share. Different link shares will contain different query parameters.

For example: if I send to someone the link "mywebsite.com/?uid=xyz" then I want him to see "mywebsite.com" only. In the client-site I want to be able to fetch the uid value.

  1. Is there a way to hide the query parameter in Android when constructing the URL?

  2. If the answer is no then how can I encode the query parameters in Android and decode them in the client-side in my website, assuming my website contains a one "Contact Form" static page ?

Dam
  • 125
  • 7

1 Answers1

0

If you want to be sure that query parameters in a URL are not snooped, don't send the URL over an unencrypted channel.

Fortunately, there is an easy way to do this. Use "HTTPS".

See Are HTTPS URLs encrypted?

The caveats:

  1. It is common practice to put Java web services behind a reverse proxy. In this case, the secure endpoint for the connection is typically your front-end web server (e.g. Apache, Nginx, etc). The back-end connection to your actual web service (e.g. Tomcat, Glassfish, etc) uses HTTP and is not encrypted. If someone / something can snoop that network traffic, they can see the URL. Typically this is addressed by using a "loopback" network connection, or similar so that the packets never leave the host that runs the front-end and back-end web services.

  2. Your web browser may need to do a DNS lookup to find the web server's IP address. This interaction happens before an SSL/TLS connection is establish, and could lead to the hostname in your URL leaking. And if it doesn't leak that way, it it is likely to leak because of SNI in the TLS negotiation.

A comment implies that it is better to use POST and put the query parameters into the request body. In fact, that would makes little difference. If you don't use HTTPS, query parameters in a body can be snooped. The only advantage is that request bodies are typically not logged on the server side.

Ah. You have updated your question as follows:

For example: if I send to someone the link "mywebsite.com/?uid=xyz" then I want him to see "mywebsite.com" only. In the client-site I want to be able to fetch the uid value.

That is not possible. The only way you could do that would be to convince the user's browser to hide the characters in the URL. There is no standard mechanism to do that.

You would be better off using a different mechanism to pass the "secret"; e.g. cookies.

If the answer is no then how can I encode the query parameters in Android and decode them in the client-side in my website, assuming my website contains a one "Contact Form" static page ?

Anyway you want! Base64, ROT-13, a decent encryption scheme. However be aware that if your web form (in the user's browser) needs to decrypt the information then the page needs to include the code to do the decrypting AND the decryption key. That means that a resourceful user can figure out what is going on.

Stephen C
  • 698,415
  • 94
  • 811
  • 1,216
  • I just don't want that the person to whom I send the link will see the parameters. But I want to be able to fetch these parameters in the client-side. If the link I want to send is "https://www.mywebsite.com/q?uid=xyz" then I want that the person will only see ""https://www.mywebsite.com" but in the client-side I should fetch the uid. – Dam Jul 05 '20 at 16:40
  • Well, that is not possible. Not in theory, not in practice. The characters of the URL will be visible to the user if they choose to look. – Stephen C Jul 05 '20 at 23:21