I've written an app which connects over PHP to MySQL. The MySQL Passwords are stored in the php file. But i have to save the Url in a String like
http://www.abc.com/create_user.php
and if someone decompiles the app, he can see the Url and manually create accounts. (I use Post Method in PHP)
It' s very difficult to prevent people from seeing what URL backend you are using. I would argue that is impossible. If they can't decompile the APP, they still could use a PROXY to inspect traffic from the Android APP to your server.
I would put some stuff to make it more difficult though.
Off the top of my head, you could:
Use a CLIENT_SECRET: a compiled string in the Android APP that your server needs to validate in order to make the account creation.
Use HTTPs (it will make more difficult to use a PROXY to inspect HTTP traffic)
Al alternate way of doing (1) is using CLIENT_SECRET to locally encrypt the payload you are using to create the user
Check for a specific USER_AGENT on the HTTP REQUEST
Related
I am developing a native android application that will post data to a php page. The php page will then update, delete, insert records into a mysql database. Using the app should be the only time the php page is called from. I have been reading, and it seems that using tokens to validate each request is the way to go. I just really don't understand how to do this from a native android application. Authentication is something I don't have experience in. I want to ensure that using the application is the only way that the php backend can modify the database to prevent outside attacks. Can anyone point me in the right track? Any help would be greatly appreciated.
Simplest way to achieve that is to have some random string stored in the Android application. You have to make sure that this string cannot be easily extracted from the app after decompilation. This can be achieved by using proguard + not storing the entire string in one place in the app (for example you can create a set of methods that can be used to generate that random string). You need to make requests to the server using HTTPS. You can then make the app send this string in every request. Server should successfully respond to the requests that contain this string (for example sent in POST parameter) and return an error for all other requests (you need to implement a check on the server to achieve that).
I have an asp web page which needs to grab an xls file from the device storage area on my android tablet, convert it into bytes and store it in my SQL database.
I can do the converting and storing bit but I have no idea as to how to get the file using VB.
Can anyone tell me how I can get the file without the user having to search for it using an upload control?
I would also like to delete the file after processing..
Thank you..
Derek.
In order to think about this we need to have clear in our minds where the division between client and server exists: You've got a webserver running ASP and a client running a webbrowser on the android platform.
The file you are trying to upload exists on the client. As such any code which does the uploading will have to run on the client and, as the client is running on android, it's unlikely it'll be VB doing the uploading. You're likely to need to use a scripting language like Javascript and, if you care about cross-browser support, be careful how you do it.
The server cannot get the file directly from the client due to common security restrictions.
Once the client side script has got the file, it'd usually send the data to the server using a webservice or other endpoint, deletion of the file can then happen after that.
I have some questions about developing a Android application which shall be able to communicate with a NodeJS server.
The Android application gathers some data and saves everything in a .csv file.
This file now needs to be uploaded to a NodeJS server. The NodeJS server should save the file as well as storing the content in a MongoDB.
My question now is how I should implement the communication between the Android device and the server.
I know how to upload a single file to a NodeJS server using a HttpURLConnection with a DataOutputStream.
But I need more than just uploading the file because I need a unique identification of each Android device.
I thought about using the (encrypted) Google account E-Mail address of the user to distinguish the devices. I am not interested in knowing who uploads which data but I need to store the data for each device separately.
The problem is that I don't know how to communicate between the device and the server.
If I upload a file via HttpURLConnection and DataOutptStream it seems that I can only upload the file without any additional information like the unique key for the device.
I also thought about uploading the file via sockets. But I am not sure how to handle huge file sizes (5 MB or more).
I am not looking for code fragments. I rather need some hints to the right direction. Hopefully my problem was stated clearly and someone can help me with this.
Using a HttpUrlConnection on the Android side, and a RESTful server on the Node side would be a straightforward option.
You can embed information into the URL in a RESTful way:
pathParam: www.address.com/api/save/{clientId}/data
queryParam: www.address.com/api/save/data?c={clientID}
each uniquely identifying the client. This can be whatever scheme you choose. You will have to build the HttpUrlConnection each time as the URI is unique, and important!
The server side can then route the URL however you see fit. Node has a number of packages to aid in that (Express, Restify, etc.). Basically you'll grab the body of the request to store into your DB, but the other parameters are available too so it's all a unique and separated transaction.
Edit: The package you use for RESTful handling can stream large files for you as well. Processing of the request can really begin once the data is fully uploaded to the server.
Using a socket would be nearly just as easy. The most difficult part will be 'making your own protocol' which in reality could be very simple.
Upload 1 file at at time by sending data to the socket like this:
54::{filename:'myfilename.txt',length:13023,hash:'ss23vd'}xxxxxxxxxxx...
54= length of the JSON txt
:: = the delimiter between the length and the JSON
{JSON} = additional data you need
xxx... = 13023 bytes of data
Then once all the data is sent you can disconnect... OR if you need to send another file, you know where the next set of data should be.
And since node.js is javascript you already have wonderful JSON support to parse the JSON for you.
Would I suggest using a socket? Probably not. Because if you ever have to upload additional files at the same time, HTTP and node.js HTTP modules might do a better job. But if you can guarantee nothing will ever change, then sure, why not... But that's a bad attitude to have towards development.
I have created an AppEngine connected Android application, and I'm trying to modify it to be able to store some user data on the server. I do not know what's the easiest way to do so, because I want it to be as simple as possible. I just want to store some basic data for every user. This data is: Name, Email, and some other Strings. I have created a form in the android side which will allow the user to type all the requested data, but I do not know how to send this information to the GAE server and store it in the datastore. I guess I will have to use a Servlet and some kind of RPC service to call the methods. I'm really lost because it is my first time doing this. I'm not experienced neither in android nor in web apps. I hope you can help me.
Update
Well, maybe I did not explain myself well. The system I've been asked to build consists on a web service that store your personal login credentials for most common sites (facebook, gmail, etc). Using a chrome extension, you ask the server for the credentials on the website you are navigating, and then the server asks to your phone for authorization. It will ask (do you give me permission to send your credentials to "some user"), and you have to ansewer yes or no and then the server will act in consequence. The point is that you have to store your credentials in the server in some way, maybe from the android app (which is what I was trying) or from somewhere else. I will also need authentication.
Pd: I use java for the server side.
Since you already started with AppEngine connected Android application, it makes sense to continue customizing it: App Engine Data Access: Adding Entities and RPC.
Update:
There are of course many ways to exchange data between client and server. The most simple would be a servlet handling GET and POST requests with some query parameters.
Also, most popoular lately is REST:
Android REST client: http://appfulcrum.com/2010/08/20/android-how-to-call-rest-service-using-asynctask/ (try using GSON instead to parse JSON)
Server: use a REST framework. My personal choice is RESTEasy. An example: http://ankiewsky.blogspot.com/2010/08/resteasy-on-googleappengine-corerest.html
Update 2:
The simplest possible way - making/handlin a simple POST request:
Android client - making POST request with parameters: http://www.androidsnippets.com/executing-a-http-post-request-with-httpclient
Server handling POST (or GET) and extracting parameters: http://www.exampledepot.com/egs/javax.servlet/GetReqParam.html
Find and follow thoroughly the Topic Index on this page. Gud luck
I am not too sure about how secure a apk file is and therefore this question.
We have a application which gets the result from a publicly exposed webservice. However, when we tried to open the classes.dex file (opening .apk with winrar), the webservice name and the soap action were visible in it. This can be a potential issue if someone can get a hold of the apk file and could easily access the exposed webservice url.
It looks like:
handleMessage handler hasError hello ht _http:MY WEBSERIVCE NAME
uhttp:MY SOAP Action Name
What would be correct approach to get details from a publicly exposed URL? If we write a wrapper around the web service to get the only specific details we want than also this would be visible in classes.dex.
Is there a way to protect the .apk file from opening from a computer or PC.
Or is there a way to encrypt the webservice name in the program.
Thanks.
There really isn't. If you are depending on the fact that your webservice URL is hidden as you security measure, then you are doing security wrong.
This URL will be discovered, even if the code is encrypted / obfuscated, users can use a debugger to connect to a running application, or simply use a proxy / Wireshark to inspect the web traffic. This is not a way to secure your application.
You should have per-user login names and passwords or use client certificates to authenticate the individual users. You should consider your application easy to copy and duplicate, so building the authentication into the application directly will never keep your confidential information private.