I created an android app which uses Web Services (I use vb.net for developing it). These web services reside on my Server (I use IIS). If I open the HTTP path, associated to these WS, I can use it freely. But in this way, any other user can use my WS. How can I make it secure?
I would start with a client-authentication certificate. That way, if you don't have the certificate, you don't get in. And use https not http.
The basic way I can think of is setting a "password" or a string from your app, salted and encrypted, in case someone tries to decrypt it directly from the app, and doing a check on the Web service, and run the service only if the password matches.
Anyway if the information you use is sensitive and you want to make it really safe, maybe you will want to consider using HTTPS/SSL to avoid sniffing.
Related
I have a full application API written in node.js with Express.. Now, the API should be only accessed from my Android application, how can I protect the node app from outside requests?
If I use some kind of a password protection, I'll have to write that password in my android app and since the application is available to everyone, the password can be easily found.. What is the solution to this kind of situations?
Web based security can be a bit tricky sometimes, but if you have an app you could use a token-base approach.
When your application starts, it can request a token from your API, which then must be present in all other requests to your API.
Did a quick search for this kind of thing and came upon this page, which might be worth a look: http://thejackalofjavascript.com/architecting-a-restful-node-js-app/
I have an android application. The application reads data from my server and displays them to the user.
Now, the question is: How to prevent someone from making a bogus app and asking my server to send data to this app?
This wastes both my bandwidth and makes use of my content while allowing people to create competitive apps using my data.
As you know, trying to prevent reverse engineering is like trying to stop piracy: impossible. Android reverse engineering especially it's like stealing candy from a baby.
Use API Tokens. Possible solutions:
HTTP Basic Auth example (only if you are using https)
Query Paramter (like https://example.com/resource?token=3786428762) (also only over https)
HMAC - sophisticated and more complex to implement, requires substainsial redesign of the backend communication, but the most secure
But mind you, either way you need to somehow hardcode a key/salt/hash/password in your app which can be reversed engineered one way or the other. There is no real (practical) possibility in Android to avoid rogue clients from accessing your backend (especially in rooted devices).
I would recommend HTTP Basic Auth since it's the best tradeoff in effort, usability and security (It's also used by the majority of public apis) It's very easy to implement since you only need to send a hardcoded http header, it's supported by practically every http server and it does not change your API and pollute it with query parameter and it's also reasonably secure if used over https.
Make the server require an API key and obfuscate the key in your code, see this answer: Best Practice for storing private API keys in Android
If you use http server, you can use http auth basic
Basic access auth
You could use something like reCAPTCHA to verify that the client is not a bot.
So I am planning on building a web service that an Android app will connect to. I am trying to come up with a way to secure this web service so it will only be used via the App.
I was thinking just passing a secret key along with each call I make. But this can easily be compromised with an http sniffer. Then the web service can be used with anyone at that point.
Are there any other ways to make this work?
Thank you!
I don't know that you can FORCE Android only. Whatever method you use can be worked around if they know what it is.
Depending on how the app is written, it should be simple enough to check the User-Agent of the request. Apps that use the HttpUrlConnection (as recommended by the Android docs) should have a user-agent string that says Android in it.
I have a website which supplies data to mobile app.
Is there a way to identify myApp vs a cloned App?
So that I can block access of any cloned App.
On first time APP usage, I generate an APP ID, PASS CODE & Access URL
Where I change the PASS CODE frequently, but how to identify myAPP on the first access so as to be sure that I am issuing APP ID & PASS CODE to my own APP only.
What sort of encryption I can use for the first time access?
You can have a hardcoded key on your app code that only your server knows. Use it to create a hash signature, like md5(concat(key, deviceId)). When the requests arrive to your application server, you can do the same and compare the results. The clonner can't discover this key by sniffing your app requests. The only way to get it is by disassembling it, but it's much harder.
This is a simple suggestion, though. If you want a more sofisticated solution, check for HMAC wiki.
It makes sense passing a token via Push to an application (GCM for Android). Using that code can uniquely identify application, and cloned application could not reach that code.
We have an android and ios app which sends data and commands to a server with http webservice. How can i prevent the possibility, that fake-clients also can send something to the server? How can I determine serversidely if the data/command really comes from our apps.
You cant really prevent it. There are several techniques to make it harder for people abusing your services.
A simple check can be to check the user agent calling your webservice. Another pretty common one is to use a simple authentication via user/password authentication on your webserver. The username and password will be embedded into your app.
If you have enough time you should think about using a combination of this two methods plus authentication with a embedded ssl certificate. You simply could add this to your project and if someone really want to abuse your service, he have to extract this certificate atleast form your application.
There are some other useful techniques but you cant prevent reverse engineering or network sniffing.
Sincerely,
fuxx
The most robust solution is not to try. Techniques like DasFuxx's answer suggests can make it faintly harder, but someone can always decompile your application and get whatever secrets you have embedded in it.
Instead, follow the rule of multiplayer game development:
Don't trust the client.
Don't think about your application as the user interface. Think about your network protocol/API as being the user interface; then design that interface so that it cannot be abused.
It may not be possible to do so completely, but insofar as you succeed, you have true security (rather than fighting the same losing battle as DRM systems).
I would implement oAuth. See the following link for more information on how to implement such a solution.
You can't. It's that simple...