I'm working on an Android project that communicates with a REST+JSON server, and I'd like to prevent malicious users from injecting HTTP posts into the server from outside my app.

How can I do that? I had thought of a mechanism similar to authenticator keyrings like this one (Blizzard authenticator):

http://us.blizzard.com/support/article.xml?locale=en_US&tag=TOKENFAQ&rhtml=true

This way, before sending a request to the server, the Android device generates a code and adds it to the post. The server validates that code, ignoring requests with wrong codes. I don't know if that idea is valid, how to generate those codes, or how to implement it so that the user can't sniff the network traffic, catch that code and reuse it. Can someone guide me with that? Thanks in advance.

Starterrr
    How about HTTPS with a client certificate? The server checks if the client certificate is good and accepts the request... OK, someone can get the certificate from the APK, but... everything can be cracked – Selvin Jul 29 '11 at 13:13
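The scheme sketched in the question (device computes a code, attaches it to the post, server checks it and refuses replays) is, in practice, HMAC request signing with a timestamp and a nonce. The following is an added example, not code from the question, the comment or the answer; it shows client and server side in one Python process so the exchange can be followed end to end. It assumes a secret provisioned per device after login (a hypothetical step the page does not describe) rather than one secret baked into the APK, since, as the comment notes, anything shipped in the APK can be extracted; the header names and sample values are constructed for the demo. Signing does not hide the body, so it complements HTTPS rather than replacing it.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo values. In a real deployment the server issues a distinct
# secret to each device at login (hypothetical provisioning, not from the page).
DEVICE_ID = "device-demo-001"
DEVICE_SECRET = b"constructed-demo-secret-do-not-reuse"

# Server-side state, in memory for the demo: issued keys and a replay cache.
SERVER_KEYS = {DEVICE_ID: DEVICE_SECRET}
SEEN_NONCES = {}          # (device_id, nonce) -> server time when first accepted
MAX_SKEW_SECONDS = 300    # reject requests whose timestamp is too far from server time


def canonical_string(method, path, timestamp, nonce, body):
    """Bind method, path, time, nonce and body hash into the bytes that get signed,
    so changing any of them invalidates the signature."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(device_id, secret, method, path, body, timestamp=None, nonce=None):
    """Client side: compute the headers the app attaches to each request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(secret, canonical_string(method, path, timestamp, nonce, body), hashlib.sha256)
    return {
        "X-Device-Id": device_id,
        "X-Timestamp": str(timestamp),
        "X-Nonce": nonce,
        "X-Signature": mac.hexdigest(),
    }


def verify_request(headers, method, path, body, now=None, keys=SERVER_KEYS, seen=SEEN_NONCES):
    """Server side: return (accepted, reason). Rejects unknown devices, stale
    timestamps, reused nonces and any change to method, path or body."""
    now = int(time.time()) if now is None else now
    device_id = headers.get("X-Device-Id")
    secret = keys.get(device_id)
    if secret is None:
        return False, "unknown device"
    try:
        timestamp = int(headers["X-Timestamp"])
        nonce = headers["X-Nonce"]
        signature = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed auth headers"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    # Expire nonces older than the skew window so the cache stays bounded;
    # a replay with such a nonce is already caught by the timestamp check.
    for key, seen_at in list(seen.items()):
        if now - seen_at > MAX_SKEW_SECONDS:
            del seen[key]
    if (device_id, nonce) in seen:
        return False, "nonce already used (replay)"
    expected = hmac.new(secret, canonical_string(method, path, timestamp, nonce, body),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the signature byte by byte.
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    seen[(device_id, nonce)] = now
    return True, "ok"


def demo():
    """Run one legitimate request and three misuse cases against a fresh replay cache."""
    now = 1_700_000_000                      # fixed clock so the run is deterministic
    body = json.dumps({"score": 42}).encode()
    headers = sign_request(DEVICE_ID, DEVICE_SECRET, "POST", "/api/score", body,
                           timestamp=now, nonce="a" * 32)
    seen = {}
    return {
        "fresh": verify_request(headers, "POST", "/api/score", body, now=now, seen=seen),
        # Same headers sent again a few seconds later: nonce already consumed.
        "replayed": verify_request(headers, "POST", "/api/score", body, now=now + 5, seen=seen),
        # Captured headers re-used with a modified body: hash no longer matches.
        "tampered": verify_request(headers, "POST", "/api/score", b'{"score": 9999}', now=now, seen={}),
        # Captured headers sent an hour later: outside the timestamp window.
        "stale": verify_request(headers, "POST", "/api/score", body, now=now + 3600, seen={}),
    }


if __name__ == "__main__":
    for case, (accepted, reason) in demo().items():
        print(f"{case:9s} accepted={accepted} reason={reason}")
```

The replay cache only needs to remember nonces for the length of the timestamp window, which keeps it small; on a multi-node server it would live in a shared store rather than a process-local dict.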

1 Answer

I posted more or less the same question yesterday here: Android Client, Http Server, How do I know client is sending data using my app? authentication

I decided to go ahead with SSL, and right now it's all set up except for the client authorization, which I will be doing today.

Daniel Guillamot