I am in the process of developing an app, with the help of someone else, for a site I am developing. The app being developed will require access to the database on the web server. So my question here is: typically I would want to keep my server's access limited to specific IPs; however, mobile devices all have their own IPs, from what I hear. So if this is the case I essentially have to open up my database access to allow any inbound remote connection. That is more than possible, but I foresee a potential security risk with that, namely in the notion of someone attempting to brute force the DB to gain root access or something to that effect. With that, my question comes down to: is there a more secure way of doing what I need overall? Are there any methods I can apply that would allow me a little more peace of mind? The DB I am currently using is MySQL, and it will generally remain that type until later in the future.
2 Answers
Why not access the database via an API and then secure the API? So in essence, you should have a REST (or anything) API on your web server which your mobile application talks to, which subsequently talks to the database. Accessing and securing your API will make for a cleaner and leaner design.

The reason is I am unfamiliar with Android or mobile-to-server applications, and I am mostly going on the word of the person consulting on the development of the Android app, but the whole concept doesn't sit well with me, opening up the DB like that to unknowns. That said, hearing this stuff here shows me that mobile-to-web-server is more than plausible without opening up the DB like initially requested, so it's off to insist the consultant do it my way or he can go somewhere else. I have no problems building an API for the guy to use, if you know what I mean. Thanks for the answers – chris Jan 22 '12 at 10:02
Your concerns about security risks are valid. You should avoid a situation where countless mobile apps are making database connections to your MySQL database. A better solution would be to host a REST API layer in front of the database. This would allow you to control what portions of your database are accessed, and potentially include authentication routines as well. The REST web services you publish will give you the opportunity to produce permitted representations of your data rather than raw access to the data. That means, in addition to producing web services, you'll need to develop the app to be a REST client that consumes these services or makes "requests" to them on an as-needed basis. Obviously, this requires planning on both sides of development (back-end and front-end).
One possible solution to consider for producing REST web services is here:
http://phprestsql.sourceforge.net/
There are additional frameworks available for PHP, Java, ASP.NET and other platforms.
Good luck!

Awesome, thank you. I knew it didn't seem right to any extent; I can understand opening my DB maybe to a specific IP with little protection, though I'd likely tunnel it somehow. Don't suppose you know a good tutorial that's not super technical that I can browse, based on Android dev and web-side communications? Or any good non-technical tutorials for that matter, so I can familiarize myself at least enough before I let my partner agree any further with the consultant we have on this mobile app development. – chris Jan 22 '12 at 10:05
There are several sources on the web that will help you get a good idea of how to approach web services both as the server and as the client. You'll want to not only understand the basics of REST and how to expose data resources, but also how to properly consume them and transform them into usable entities in Android. I'd recommend [this StackOverflow question's](http://stackoverflow.com/questions/6827881/how-to-use-webservices-in-android) chosen answer for a collection of links on using web services with Android. – mchandler Jan 22 '12 at 18:03
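The layered design both answers describe (the mobile app talks only to an API; the API holds the only database credentials and decides which rows and columns a client may see), as an added example that is not part of the original thread and is not code from phprestsql or any other framework. It assumes a bearer-token scheme, an `orders` table and a `/orders/<id>` resource, all of which are hypothetical; sqlite3 in memory stands in for the MySQL server so the example runs offline.

```python
import hashlib
import secrets
import sqlite3

# --- Database side ---------------------------------------------------------
# sqlite3 in memory stands in for MySQL so this runs offline (assumption).
# With MySQL, only this API host would be allowed to connect, using an
# account granted SELECT on just the tables the API exposes.
_db = sqlite3.connect(":memory:")
_db.execute(
    "CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, "
    "item TEXT, total REAL, internal_cost REAL)"
)
_db.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?)", [
    (1, 7, "widget", 9.99, 4.00),   # constructed sample rows
    (2, 8, "gadget", 19.99, 8.50),
])
_db.commit()

# The only queries that ever reach the database. A client names a resource,
# never a table or column, and every value is bound as a parameter. Note
# that internal_cost is never selected: the API returns a permitted
# representation, not the raw row.
_RESOURCES = {
    "orders": "SELECT id, item, total FROM orders WHERE user_id = ? AND id = ?",
}

# --- Authentication --------------------------------------------------------
_TOKEN_HASHES = {}  # sha256(token) -> user_id; raw tokens are never stored


def register_token(user_id):
    """Issue a random API token to a user (hypothetical token scheme)."""
    token = secrets.token_urlsafe(32)
    _TOKEN_HASHES[hashlib.sha256(token.encode()).hexdigest()] = user_id
    return token


def authenticate(headers):
    """Return the user id behind 'Authorization: Bearer <token>', else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    # Look up the hash of the presented token; the raw token is never compared
    digest = hashlib.sha256(auth[len("Bearer "):].encode()).hexdigest()
    return _TOKEN_HASHES.get(digest)


# --- Request handling ------------------------------------------------------
def handle_request(method, path, headers):
    """Tiny router: returns (status, body) for requests like GET /orders/1."""
    user_id = authenticate(headers)
    if user_id is None:
        return 401, {"error": "missing or invalid token"}
    if method != "GET":
        return 405, {"error": "method not allowed"}
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] not in _RESOURCES:
        return 404, {"error": "no such resource"}
    try:
        record_id = int(parts[1])   # "1 OR 1=1" fails here and never reaches SQL
    except ValueError:
        return 400, {"error": "id must be an integer"}
    row = _db.execute(_RESOURCES[parts[0]], (user_id, record_id)).fetchone()
    if row is None:
        return 404, {"error": "not found"}   # also hides rows owned by other users
    return 200, {"id": row[0], "item": row[1], "total": row[2]}


if __name__ == "__main__":
    token = register_token(7)
    good = {"Authorization": "Bearer " + token}
    for req in [("GET", "/orders/1", good), ("GET", "/orders/2", good),
                ("GET", "/orders/1 OR 1=1", good), ("GET", "/orders/1", {})]:
        print(req[0], req[1], "->", handle_request(*req))
```

The security-relevant point is where the trust boundary sits: the database port is reachable only from the API host, so the brute-force surface the question worries about is the API's token check rather than the MySQL login, and even a stolen token only yields that user's own rows in the columns the API chooses to expose.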