My application need to communicate frequently.
So there are many url: http://abc.php
The question is even if I use proguard, is it possible for people to get the url and hack in the system.
What should I do so that it can hide the link and make my system more secure.
You can't. Any one can get you app and use sniffers to check where your application sends request. You should provide good security on server.
Any URL or web service you are sending them to should only be for uses such as JSON/XML requests. There shouldn't be anything that critical in a wide open base URL. If there is then you have problems to begin with. Plus you may try to hide your URL, but with simple networking tools attached to the application it would be very easy to sniff the IP address and do other public functions to look-up the url. Any URL you have would be public, thus you need to take security measures on another end.
Related
Our company's app is mainly a webview embedded in the android/iPhone native app. In some area, the dns lookup always failed which results an error in opening our webview page.
We have found a technology called HttpDNS which can solve the pure native app's dns lookup problem, as it can send a http request by the ip(fetched from the HttpDNS) not domain, and set the domain of http header by hand. However in webview, we can't do that.
So is there a way to solve the dns problems in webview? Thank you (We found that we can set a proxy in app which can solve the dns lookup problems but this method is not so novel. ).
You can either:
Detect the page load failure and retry
Provide a custom delegate that intercepts each request, performs the lookup, loads the content using NSURLConnection/NSURLSession, and then injects the content into the web view.
Neither approach is perfect, of course, as both are effective only if the user is loading a page that replaces the current page in the web view (as opposed to random XMLHTTPRequest calls).
And then, there's always:
Swizzle NSURLConnection and NSURLSession, rewriting the request objects based on the result of your own lookup code, and overwriting the Host header field.
Although this does have the advantage of working even for XHR, I would tend to recommend against this approach for publicly distributed apps, though, for three reasons:
Apple says not to touch the Host header field, which means future OS updates could break the behavior (assuming it even works).
It is really easy to break things if you swizzle those classes incorrectly.
It will change the way those classes behave for every request coming from your app, not just requests made by the web view.
Of course, you could avoid the first problem by adding libcurl and using that to perform the actual request, but then you're getting into seriously scary compatibility territory. :-)
You might be better off trying to find out why the DNS lookup is failing. Is it being blocked locally by an abusive ISP or government? Can you add VPN technology to your app so that requests for your URL (and DNS lookups) get routed through a tunnel?
If it's using HTTPS? A standard GET request to a particular URL. If they still can, how can I obscure it?
If you use http client method to send or fetch data than client can't get that url
It is always possible to find out the IP address and the port. The path part of the URL can be hidden by using HTTPS.
If an intelligent user has rooted their phone, anything goes. You can use Proguard to obscure your code to make it more difficult to reverse engineer.
I'm devepling and android application that should connect to an application server.
What I'm asking about is, should I write the url of this application server statically inside the code or is there a way provided by android to dynamically change the url if needed ??
Taking into consideration that once the app is uploaded on play store, the application server should reserve the address and never change so as not to affect the android app.
I'm just asking about best practices in those situations.
Thanks all :)
Although that would be nice, it might not be worth the hassle. I think it's fine to code in the URLs as they are currently. If for some reason you change the endpoint, try and make it so you send an error saying that the user needs to update the app (and release a new version with the updated URLs). It's also a nice way of indirectly getting your users to update to the latest version so you don't have many to maintain!
Also, if your server moves, it's still not a problem, since you'll still be using the same domain name to point to your server!
(This is assuming that it's still the same domain name, and it's just the endpoint changing, and you don't need to reuse the previous endpoint for something else. Yeah, quite a few assumptions :) )
It is best to consider that your server will be relocated in the future, because you never know. Unless you are willing to upgrade your application anytime it happens, dynamic configuration is the best approach.
You can write the URL of the redirect server in the code, and have that server redirect to different URLs as required. The redirect "server" in its simplest form can be just a text file stored on your company's website, for example.
I am creating an application which has to track http requests made by a given application. Android has many widgets like weather report widget, stock market report etc, which often makes request to server to get the data. I want all the request url made by an appklication to the server.
Can we log the url when an application accesses network/wifi or any other data service provider ?
Any help would be appreciated.
Can we log the url when an application accesses network/wifi or any other data service provider ?
Fortunately, no, for obvious privacy and security reasons. Malware authors would be very interested in this capability.
You can use open source proxy servers made in java for example jHTTPp2.It is having good implementation of proxy server logic.
All you need to do is just start the server from any android application and set proxy in your emulator or device to 127.0.0.1 and port as 8088(as by default the jHTTPp2 runs on that port).
You need to make some modifications to the proxy code as per Android requirements.
I hope this might be of some help to you.
I have an Android App which uses http communication for nearly every operation. I want to be able to demo without connection to the internet by somehow replaying the http exchange. How can this be done? So I want to somehow almost like mock objects but really mock http session so I can always demo the app on or offline. This is really a very cool thing to be able to do. Since you can demo the app easily and reliably. Does anyone know how I could do this. Replicating the whole server side is just not an options its got too much stuff. Its important not to just show screencast but the real data exchange. I just want to be able to run thru the app and replay. Maybe debug as well. Thanks
Here's a hybrid solution using similar ideas from other answers:
You could write a dead simple HTTP server that listens on "localhost:80" (or whatever the port is on the server you're targeting) and point your application to this host instead by factoring out the host name from requests. Your local server has a reference to the actual remote server and does the following:
If ONLINE, forwards the request as-is to the real server, gets the response, saves it locally either in an in-memory cache keyed by the request URL or a file named with the URL as its identifier (munged appropriately)
If OFFLINE, looks up a request in its (in-memory or file system) cache and returns the contents from the cache instead
This is kind of like the record/playback mode that #nicholas.hauschild says.
Now you can just run your app once when ONLINE, causing your localhost server to save away requests that it issues against the real server. Then when you run your app OFFLINE, it just returns these cached contents instead whenever the same URLs are issued.
Hope this helps.
If you're device is rooted, you can use tcpdump as explained in this post: http://www.vbsteven.be/blog/android-debugging-inspectin-network-traffic-with-tcpdump/
or use AndroShark (get if from xda-developers here: http://forum.xda-developers.com/showthread.php?t=725692)
or this one (wifi only): http://www.9bitlabs.com/default.aspx
I would create a "Record Mode", and a "Playback Mode" for my app.
While in Record Mode, I would write out a file each time an http request was made. The file would be named by the endpoint the request is made. The contents of the file would a collection of serialized http requests/responses broken up by line. You could then deserialize lines from this file until you find the proper request, and play back the deserialized response.
This approach would also allow you to create Record/Playback profiles, where you could record multiple different sessions (by placing the files into a different directory) and then playback from whichever profile you choose.
This whole approach could be done with a small wrapper class around the HttpClient object you are using.
One way would be to use an HTTP proxy. Redirect all web traffic to the proxy, which can be running locally on the phone. This could be done with little or no source code change.
find a way using fiddler on pc,and android app take fiddler as proxy.So the http traffic is record.
http://blog.csdn.net/grhunter/article/details/5830199
Simples solution lies in faking it when there is no connection. If there is a error in connection, make sure ur app throws some preset data rather than an error in connection thing.