1

I'm building an Android application which has to sent some information to my mysql database. The mechanism I'm trying to implement is based on JSON, php, Mysql combination. Unfortunately I'm not a veteran when it comes for those subjects. As I understand correctly the php-Mysql connection is always secure - nobody except me can see the source of php script in which I have written username and password to my database. Now the tricky part, my php script is located on Apache server and it isn't protected at all, therefore anybody can trigger it (even from the desktop browser). How can I prevent this situation? and how can I safetly trigger my php script from my Android device? Thanks

Eric
  • 1,685
  • 1
  • 17
  • 32

4 Answers4

5
  1. Use SSL. This will encrypt the connection between the device and the server.
  2. Use a client id/key for your device that is verified on the server.
  3. In case you REALLY worry that someone will modify your app to send fake calls using such: verify the client certificate as well (piggy back). (The same way it is done with Facebook Android library and Google mobile libraries).
Edison
  • 5,961
  • 4
  • 23
  • 39
  • Ok, maybe I put it wrong. How can I safety trigger my php script from ANY Android device which is running my app? – Eric Jan 24 '12 at 10:42
4
  1. Use ssl, this will encrypt the connection
  2. Set an authenticate mechanism, on your php page and you android application will send the credentials
  3. Set a random pin code that the server side sends to the application, and he is valid only to the current session, and the application need to run a function that will generate the right answer to this current number and sends it to the server as verification, for example if the server sends me the pin number:120, and the verification function of mine is to +1 the pin number I will send the server 121, but I suggest to use a little bit more complicated algorithm.
Dolev
  • 86
  • 3
1

The Android device is no different than any other HTTP client, like your browser. You need to follow the same mechanisms you will be using in order to protect a standard Web Page:

  • Require login to the page. The user needs to supply a valid username and password to gain access. The server returns a session, which is usually stored in a cookie. This question will help you on how to do that on Android.
  • To keep someone from intercepting the username and password, the log-in should be done over HTTPS
Community
  • 1
  • 1
kgiannakakis
  • 103,016
  • 27
  • 158
  • 194
  • And how to encrypt the usr/pass within my application? If I hardcode them as a Strings then they'll be visible in the compiled apk file, so anyone will be able to read them – Eric Jan 24 '12 at 09:39
  • You need to follow a registration scheme. Users will need to register to gain access to a username and a password that will authenticate them. Then you need somehow to do the authorization. – kgiannakakis Jan 24 '12 at 10:15
0

the most intuitive way is to authenticate the user (Username + Password) using an Https Connection, there is better types of secure authentication like OAuth, see this: http://code.google.com/p/oauth-signpost/

Abed Hawa
  • 1,372
  • 7
  • 18