I have the application. I know all urls, parameters, http-request types, etc (this is my application).
How can I intercept all requests from the application?
For example:
I pressed a button and can see the text of requests to the server.
Task:
to hide requests from potential hackers and prevent him to perform requests on behalf of the application.
You can see your requests with a Packet Sniffer. If you are developing and testing on an emulator something like Wireshark, Fiddler, etc would work. If you are developing and testing on a specific Android device, then try using apps like Packet Sniffer which will capture the requests going through.
If you want to secure the requests from hackers then consider encrypting your requests. To start with, use SSL (HTTPS) encryption on your server, to prevent people from eavesdropping on the same network. To set this up, it will depend on what server technology you are using (e.g. Apache, Nginx, etc). However, there are many solutions but a popular one is LetsEncrypt.
Next, if you don't want people to understand the requests your app is sending to / from their device, then consider adding another layer of encryption on the request payload itself. Algorithms such as AES256 bit encryption will work and be secure enough, have a look here: Android AES 256-bit Encrypt data
Always hash any passwords you are sending / storing too, using algorithms like MD5, SHA256, etc.
No one can see that http request without source code .
If you upload your app in play store they have just apk . From that they cant do anything.Now a days google provides more security for applications.Because you are already generated singed Apk.
Related
Currently certain sensitive data parameters like User ID & password are transmitted in plain-text in my app. I am looking for a solution for encryption based data transmission (AES) between my app and backend. My backend is based on Ruby on Rails(ROR). I've tried searching on how to achieve the same between flutter and ROR based backend, but didn't find any resources.Please help with any available solution or provide links to achieve the same
Our testing team did packet capture using Burpsuite app and in that they found credentials like id and password as a plain text. How to encrypt that?
You don't need to encrypt data going to your server yourself. Use HTTPS. The S means it uses the SSL encryption protocol. Any data sent over HTTPS is already encrypted. Encrypting it again won't help, and depending on the method can actually make it less secure. And I promise the built in peer reviewed library is going to be far more secure than anything you roll on your own.
If you're not using HTTPS- start. There's a reason why its become the default, many browsers won't even visit non HTTPS sites by default. Android won't send plain HTTP data by default either.
How to secure our app data to prevent hacking in app/ API and protect some sensitive data?
- How to transfer all secure data to other device: for example I have some special setting in my app in device A, I want next time if user login in another device in device B, my app in device B have fully special setting from device A.
From IOS app perspective, you need to use Cryptographic algorithms to encrypt the data you are transferring. You can use any of Symmetric and asymmetric algorithms to encrypt the data. But in most cases RSA 256 which is a asymmetric cryptographic algorithm is used. You should also use HTTPS certificates to make sure your data is secure.
Behind every great mobile app is a great backend, but building a REST API for your app can be a bit daunting if you haven’t done so before. Fear not! I suggest you to find some tutorial about how to build your REST API using Node.js, and connect it to an iOS or Android app!, and handle authentication. Some reasons to use Node JS as backend.
It’s easy to work with JSON in JavaScript!
Node.js is lightweight and easy to get started with.
Node.js gives you fine-grained control over your request and responses.
On my server, I need to ensure that I receive connections only from android devices.
Is it possible? To store client cert for this in custom android assembling that is resistant to rooting ? Or I can hide absolutely nothing on rooted device? And can not avoid rooting by any means(for ex providing my own android assembled firmware)? Cause even if I set program root checking - the app can be rebuilt by 3d party to avoid this check. Any usefull ideas appreciated. Thx in advance.
1) OAuth2 is authentication and authorization protocol which is broadly used by largest and even smaller companies. Think of Facebook API. If a user is not authentication nor authorized to make that call, you can drop the inbound request. That's one method.
2) Second method would be to add your own user agent to your HTTP header and other custom HTTP headers. If your server checks on these headers, then you can drop the inbound requests.
You don't have to store the SSL certificate on the client as the client would initiate a secure connection with the server that has the SSL certificate.
Anyhow, using a certificate client side could be okay to encrypt data but I don't believe Android Java has support for that. Correct me if I'm wrong. If you do happen to encrypt data with that key, you could encrypt a certain String or bytes that you can parse into one of your custom HTTP headers but if someone finds out what the encrypted String would be, he/she can still fake a connection. However I do not recommend to store your SSL certificate on the client's device.
Regardless of what you might do, there's always a way to fake a HTTP/HTTPS connection like it's coming from an Android device but you can narrow down the incoming HTTPS requests using these two methods and make it much harder. An example would be Pokémon GO. There are plenty of unofficial APIs on GitHub who can fake a connection like it's coming from the official app.
I have an android application. The application reads data from my server and displays them to the user.
Now, the question is: How to prevent someone from making a bogus app and asking my server to send data to this app?
This wastes both my bandwidth and makes use of my content while allowing people to create competitive apps using my data.
As you know, trying to prevent reverse engineering is like trying to stop piracy: impossible. Android reverse engineering especially it's like stealing candy from a baby.
Use API Tokens. Possible solutions:
HTTP Basic Auth example (only if you are using https)
Query Paramter (like https://example.com/resource?token=3786428762) (also only over https)
HMAC - sophisticated and more complex to implement, requires substainsial redesign of the backend communication, but the most secure
But mind you, either way you need to somehow hardcode a key/salt/hash/password in your app which can be reversed engineered one way or the other. There is no real (practical) possibility in Android to avoid rogue clients from accessing your backend (especially in rooted devices).
I would recommend HTTP Basic Auth since it's the best tradeoff in effort, usability and security (It's also used by the majority of public apis) It's very easy to implement since you only need to send a hardcoded http header, it's supported by practically every http server and it does not change your API and pollute it with query parameter and it's also reasonably secure if used over https.
Make the server require an API key and obfuscate the key in your code, see this answer: Best Practice for storing private API keys in Android
If you use http server, you can use http auth basic
Basic access auth
You could use something like reCAPTCHA to verify that the client is not a bot.
I want to connect a Android client to WCF Webservice. There are several good guides describing how to do this but the https concept is really blurry for me. Here is what i want:
1) A selfhosted WebService communicating over https with an authenticated client.
The user database resides on a SQL Server.
The Service must be a "simple install" for any user to carry out.
The user will install the service on his/her PC and then download the client from google play configuring it using ipadress only.
Problem: it seems impossible to carry out this using WCF cause wshttp looks like having the need to install a certificate on the mashine.
A possible way forward would be generating a selfsigned cert during install but how can i then in a userfriendly manner get the cert to an android client?
2) A Android app published on Google Play which is able to communicate with the service. Data sent to the service will be both simple datatypes (string and integer data) but also large binaries 3-25Mb.
The user installing the service has no more the knowledge than his ip adress and must not be bothered with any certificate issues or other technical details. One option might be using message instead of transport security but my knowledge is very limited in this area.
Information passed between server and client is of personal caracter and may contain passwords including matching sites where passwords are used, personal info, calendar events etc. It will not contain money transfer orders, credit card numbers or account numbers.
The core functionallity of both server and client are more or less already implemented. I now need to secure communication between client and server.
Any recommendation for a good approach to develop this will be grately appreciated!
The way in which i want to deploy the server service to end users makes it hard to use WCF with ssl.
other options create other problems. i have now abandoned WCF for this specific project in favor to Good old socket programming using Bouncy Castle, SslSocket and a custom protocol. It may me overkill but gives me full control over both authentication certificate management and the data being sent.
Im using ssl with a selfsigned cert and override the cert validation method in android verifying all data in the cert manually except relolving the host name... enough for me since i use a pre shared key to encrypt and decrypt data.
Thanks for all help