Safe connection between device and server - android

The app does not use a login username/password feature; assume WhatsApp or Viber.
How do these devices make a secure connection to the server and fetch the data in such a way that even if someone else found out the POSTed data and used it, they could not get the info?
I am using HTTP.
It's a PHP server.

This question is kind of open-ended. Secure communication is often device-independent, based on the protocol stack in use.
From lower- to higher-level:
TCP connection: It may implement SSL.
HTTP protocol: It may implement HTTPS.
GET/PUT operations: You may implement reversible encryption on your payload, like Rijndael. This way, if someone actually gets the POST data, it may be unreadable without the proper decrypt function.
Of course you may combine encryption implementations. Just remember that you may be adding considerable overhead to the whole process.
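The question asks how a captured POST can be made useless to whoever replays it. One common way to do that, shown here as an added example that is not part of the original answer: the server checks a per-request HMAC, a timestamp and a one-time nonce. It assumes each app install was issued a random per-device secret at registration; the field names and the in-memory nonce store are hypothetical.

```javascript
// Added example: replay-resistant request verification.
// Assumptions (not from the page): a per-device secret issued at registration;
// field names and the in-memory nonce store are hypothetical.
const crypto = require("node:crypto");

const MAX_SKEW_MS = 5 * 60 * 1000;   // accept timestamps within +/- 5 minutes
const seenNonces = new Map();        // "device:nonce" -> expiry (shared store in production)

function mac(secret, deviceId, timestamp, nonce, body) {
  // Length-prefix every field so bytes cannot be shifted between fields.
  const h = crypto.createHmac("sha256", secret);
  for (const part of [deviceId, timestamp, nonce, body]) {
    const buf = Buffer.from(String(part), "utf8");
    const len = Buffer.alloc(4);
    len.writeUInt32BE(buf.length);
    h.update(len).update(buf);
  }
  return h.digest("hex");
}

// Client side: what the app attaches to each POST.
function signRequest(secret, deviceId, body, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString("hex");
  return { deviceId, timestamp: now, nonce, body,
           signature: mac(secret, deviceId, now, nonce, body) };
}

// Server side: returns "ok" or the reason for rejection.
function verifyRequest(secrets, req, now = Date.now()) {
  const secret = secrets.get(req.deviceId);
  if (!secret) return "unknown-device";
  if (!Number.isSafeInteger(req.timestamp) ||
      Math.abs(now - req.timestamp) > MAX_SKEW_MS) return "stale";
  const expected = Buffer.from(mac(secret, req.deviceId, req.timestamp, req.nonce, req.body), "hex");
  const given = Buffer.from(String(req.signature), "hex");
  if (given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) return "bad-signature";
  for (const [k, exp] of seenNonces) if (exp < now) seenNonces.delete(k); // purge expired
  const key = req.deviceId + ":" + req.nonce;
  if (seenNonces.has(key)) return "replayed";
  seenNonces.set(key, now + 2 * MAX_SKEW_MS); // outlives the acceptance window
  return "ok";
}
```

This complements HTTPS rather than replacing it: the MAC stops a captured request from being reused or altered, but only TLS keeps the body and the response confidential.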

Related

Android : what kind of server?

I'm developing an Android app where I would like to fetch some data (mostly text) from the internet, but not necessarily from a website! I would like to have a server that allows clients to fetch some text data. What kind of server fits my goals the best? HTTP or maybe simply TCP? I don't know much about HTTP so I don't know if it matches my goals and/or if it handles well a kind of text "database".
Edit:
A use case could be: people could write comments and send them to the server. Then clients could refresh their app by fetching new comments from the server. Therefore I'm asking what kind of server could best handle services and a kind of database if needed.
I like using NodeJS in combination with ExpressJS for such purposes. This combination allows you to easily work with HTTP/HTTPS, which is allowed by practically every firewall or proxy server. For the latter reason I recommend you use HTTP instead of your own protocol. Furthermore, Java offers the HttpURLConnection client, which is very easy to use. Moreover, securing traffic with TLS (SSL) is very simple. In addition, NodeJS is resource efficient and runs on Windows, Linux and even on OS X.
For getting the text you can use HTTP GET request handled by the get() method of the Express instance.
This compact tutorial helped me to get familiar with Express on NodeJS.
Without knowing what your use-case is it's difficult to make a good recommendation.
With that said you may find something like https://parse.com/ suitable.
They provide an Android sdk and the 'getting started' tutorials will have you up and running in no time at all.

Can Cross-Site Scripting happen in mobile Applications?

I can edit JavaScript and HTML to modify data which is going to the server on the web, which can cause many things (Can someone edit javascript file offline to run malicious code?).
But I want to know: is it possible in the case of mobile applications?
Simply, can Cross-Site Scripting happen in mobile applications?
I have applied SSH and I have applied session in server, is it not enough?
Yes, they can, which is why you need to guard against crafted input on the server.
A simple case would be a post of a form with data that should be numeric. If the validation was only client side, your server would die if someone crafted a response, which is why any validations should always be implemented on server.
Mobile application servers can be prone to hacking and malicious request attacks, as the requests can be modified and sent during transmission. A simple but not very effective way is to encrypt the response generated by the application before the generation of the actual response/request, or end-to-end encryption; this might give security against sniffing attacks.
For details refer to: http://polyarista.tripod.com/
As long as the attacker cannot add his own piece of Javascript code, I think you are safe. Applying SSH and session in server might save you, but you might want to run some penetration tests to be sure.
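The numeric form field case from the first answer above, as an added example that is not part of any of the answers: a strict server-side check next to the lenient conversion it replaces. The field name, limits and sample inputs are constructed for illustration.

```javascript
// Added example: server-side validation of a form field that must be a
// whole number. The limits and sample inputs are hypothetical.
function parseQuantity(raw, { min = 1, max = 1000 } = {}) {
  // Body parsers can turn crafted input such as qty[]=7 or qty[$gt]=0 into
  // arrays or objects, so insist on a plain string first.
  if (typeof raw !== "string") return { ok: false, error: "not-a-string" };
  // ASCII digits only: rejects "", " 7", "1e3", "0x10", "-1" and "12abc".
  if (!/^[0-9]{1,9}$/.test(raw)) return { ok: false, error: "not-an-integer" };
  const value = Number(raw); // exact: at most 9 decimal digits
  if (value < min || value > max) return { ok: false, error: "out-of-range" };
  return { ok: true, value };
}

// What a lenient server would do: coerce and accept anything integer-like.
function lenientAccepts(raw) {
  return Number.isInteger(Number(raw));
}

// Constructed inputs a modified client could send instead of what the UI allows.
const CRAFTED = ["", "12abc", "1e3", "0x10", "-1", " 7", ["7"], { $gt: 0 }, "99999"];

// Compare both checks over the crafted inputs.
function compare() {
  return CRAFTED.map((raw) => ({
    raw,
    lenient: lenientAccepts(raw),
    strict: parseQuantity(raw).ok,
  }));
}
```

Of the nine crafted inputs, the lenient conversion lets seven through (the empty string becomes 0, `"0x10"` becomes 16, `["7"]` becomes 7), while the strict check rejects all nine.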

multiple requests in a single HttpConnection in android?

The Apache guide on HTTP connections mentions that
The overhead of connection handshaking can be significant, especially
for small HTTP messages. One can achieve a much higher data throughput
if open connections can be re-used to execute multiple requests.
What I want to do is send 20 similar POST requests (i.e. with the same headers), but the data I send with each is pretty small. So with every request I'm sending the same header data again and again. So I'm looking for a workaround.
For example:
establish a connection(sending and using the header info, ONCE)
send 20 post requests
close the connection.
My Question : Is it, or is it not, possible to achieve that using Android's HttpClient? If Yes, please provide/point me to a lesson/tutorial/example.
Thanks in advance.
PS: I did some research, couldn't quite find anything useful.
— Edited —
I'm sorry I misunderstood your question.
What you want is obviously possible. However, I think it's up to the server side. If you code the server then you can control the format of messages between client and server. If not, then perhaps you should follow the server's APIs.

Safe connection between Android application and Apache server

Below I explained what I need and in the answer I would like to get information what technology, what kind of protocols, services etc should I use.
Also I know that there is a massive amount of information on the internet, but because there are so many choices I'm unable to make a decision. Here's what I want to have:
An Android application which will send and receive information from the internet/server
Of course a server, which will do some rudimentary computation with the obtained information, then store it and at the end send it back to the client application
I have to admit that the subjects of networking, socketing, protocols, ciphering etc. are the ones I've always run away from. Therefore advice such as what domains, databases etc. to utilize is highly welcome
Update: After a bit of research I've implemented a mechanism based on information from this site [1]. I already have a working MySQL database with several tables inside. Also I've added PHP scripts to my Apache webspace and implemented all that's necessary within my Android app.
Now, as I understand it, communication between the PHP scripts and the MySQL database is safe (I've hardcoded the usr/pass within the scripts). Therefore the only thing that is left to be done is to secure the connection between my Android application and the PHP scripts (I want to prevent the situation where everybody has access to my PHP scripts). So my question should be pretty straightforward now: how can it be achieved?
[1] http://blog.sptechnolab.com/2011/02/10/android/android-connecting-to-mysql-using-php/
I think a simple TCP/IP connection via Sockets will do just fine for your purposes.
The lesson (with more information and some examples) from the Java-Docs can be found here.
The basic workflow is as follows:
Your Android-App opens a Socket-connection to your server on a given port where a server-application listens.
The Android-App sends its data (whatever that might be) to the Server.
The Server reads the sent data, processes it, stores it...
...then it sends back some response (maybe the computed values) to your Android-App.
Your app can then figure out if everything went okay and use the given data.
Answering my second question, all the PHP scripts have been put into a directory with the password on my Apache server. To be able to trigger them I need to give this password, which is hardcoded in my application. All the connection is done through HTTPS. Now everything works as planned!

Android Application that displays new messages posted on a server

I am looking for reading resources or sample applications that can help me hammer out the following application workflow:
The client application establishes a connection to our server
The client application scans for updates on a regular interval
If an administrator has posted a new message, the new message is displayed in a widget.
I currently have 2 concerns:
I want to ensure that the monitoring service is not a major battery drain.
What is the most secure and simple method to establish the connection to retrieve data?
...There are a lot of suggestions out there... I need to know what method I should be researching over all others. Currently, all options are on the table because I have yet to configure our server.
There are a lot of questions here, I'll try to give a succinct answer.
For the infrastructure I would go with HTTP REST calls to retrieve JSON data representing your messages. Here is a decent link about writing an HTTP REST client for Android; there are many others online.
For security, I would definitely start with SSL, but if you need to authenticate the requests I would also look at OAuth to secure your remote API.
As far as A, have you considered using C2DM (aka "push") to trigger the updates? Then there's no client bandwidth beyond what is being used anyway for the Market/GMail/Talk connection. If you need to support Android versions below 2.2 it's not really an option at the moment, though.
Otherwise there are a few good examples of being a good citizen when polling from a widget; Jeff Sharkey's android-sky is probably the oldest, best, and most authoritative.
For B, unless I'm misunderstanding your need it's pretty hard to beat HTTPS; rolling your own "secure" transport over vanilla HTTP or anything lower-level is just asking for a disaster.
