I have RESTful http api that my android application communicates with. Is there any way to ensure whether the request are made only from my application?
You could add custom http header at your applicaiton, and check it at the server. Though, this header might be sniffed and forged by malicious user. Then you could go further and do some public key authentication.
There isn't a 100% proof way to do what you want. You can monitor the user agent header, which will have specific values for Android devices. However, you could still see some Android devices not using an appropriate header. Also, no one stops a PC client from sending an Android-like user agent header.
You can do it with IP configuration, make a check with your IP. You can configure IP using your application server's configuration file or do it with pro-grammatically in your rest WS.
Related
I'm trying to create some sort of SDK that we intercept each request from my app regardless of which HTTP client it's using (be it native HttpURLConnection, OkHttp, Retrofit etc.). And including traffic from third-party libraries like Firebase Analytics etc.
I need to intercept and check few parameters then decide whether to allow or block current request.
I don't want to use any Custom VPN as it has some side effects like showing system level Notification and all traffic from the user device.
Is it possible to capture all requests by setting app level proxy?
If possible, How to achieve it in code?
You can use Retrofit
The retrofit will save your development time, And also you can keep your code in developer friendly. Retrofit has given almost all the API's to make a server call and to receive a response. internally they also use GSON to do the parsing. you can go through this link you will get more info Alos you can see the difference with other libs
You could give a try to implement a custom VPN with https://developer.android.com/reference/android/net/VpnService. With this you should be able to control which traffic is allowed to access the internet and which not. As you wrote, that you'll create an SDK, the implementors should know the side effects of VPNs in apps (ongoing system notification, every traffic is routet through that VPN, etc.)
I want to ask about the security of web application.
I'm developing on web site for an inventory management system by web service.
And wrapping as android application with the webview.
But my client ask the website can be opened in android application only.
I think it is possible with agent header when web server response to request.
But it just a makeshift.
So is there any way to check the website is opened in browser not authorized application?
I used spring boot for web server.
This is not possible. Once you expose an endpoint publicly, you can always try to connect to it with whatever software supporting the protocol (or an analyzer which will reverse-engineer the protocol).
This said, you can make it difficult by obfuscation.
One solution is to use information provided by the client (browser in your case). This is usually the agent header (as you mention) but can also be some fingerprinting. You could for instance detect the size of the screen and make some decisions from there on.
Another solution is to use some secrets (better call them "secrets") to show the backend application (or API) that some specific code is calling. I can imagine that you could bundle the HTML/JS/CSS code in your application, together with a key so only the application owners will be able to send a recognizable traffic (recognized by the backednd).
All of this is more or less difficult to crack but with some layers you will get rid of at least some population which would like to access the site via other means than an app.
On my server, I need to ensure that I receive connections only from android devices.
Is it possible? To store client cert for this in custom android assembling that is resistant to rooting ? Or I can hide absolutely nothing on rooted device? And can not avoid rooting by any means(for ex providing my own android assembled firmware)? Cause even if I set program root checking - the app can be rebuilt by 3d party to avoid this check. Any usefull ideas appreciated. Thx in advance.
1) OAuth2 is authentication and authorization protocol which is broadly used by largest and even smaller companies. Think of Facebook API. If a user is not authentication nor authorized to make that call, you can drop the inbound request. That's one method.
2) Second method would be to add your own user agent to your HTTP header and other custom HTTP headers. If your server checks on these headers, then you can drop the inbound requests.
You don't have to store the SSL certificate on the client as the client would initiate a secure connection with the server that has the SSL certificate.
Anyhow, using a certificate client side could be okay to encrypt data but I don't believe Android Java has support for that. Correct me if I'm wrong. If you do happen to encrypt data with that key, you could encrypt a certain String or bytes that you can parse into one of your custom HTTP headers but if someone finds out what the encrypted String would be, he/she can still fake a connection. However I do not recommend to store your SSL certificate on the client's device.
Regardless of what you might do, there's always a way to fake a HTTP/HTTPS connection like it's coming from an Android device but you can narrow down the incoming HTTPS requests using these two methods and make it much harder. An example would be Pokémon GO. There are plenty of unofficial APIs on GitHub who can fake a connection like it's coming from the official app.
In my own app, I'm using various 3rd party SDKs that make network calls( HTTP requests) in some form or other. Without editing this code, can I write code separately within the application to intercept all GET and POST requests that my app is making?
I want to record these HTTP calls in my app
I am aware of using Fiddler and Charles proxy tools but that is outside the app but this won't work because I can't record these HTTP calls in my app.
Is there a way to do it?
EDIT: I am using Google Analytics SDK and Facebook SDK in my code. I want to monitor all the network calls these SDK's are making from my app
On non rooted phone you can use android OS proxy and redirect traffic. But some apps doesn't respect it. Makes direct connections. Some tweaking could be done. Use Drony with VPN mode to redirect all traffic to SandroProxy. Here is video how capture then traffic with SandroProxy SandroProxy with Chrome devtools SandroProxy can also capture pcapfiles. Can also make ssl mitm on pcap flow. from SandroProxy support
Try HTTP Toolkit - it's an open-source tool I've been building to do exactly this. It can automatically intercept traffic from an Android device, with no manual setup required, and then allows you to inspect & rewrite all HTTP traffic from your computer, like so:
To intercept HTTPS traffic from your app, you just need to either a) trust 'user' certificates in your application's network security configuration (see https://stackoverflow.com/a/38770284/68051) or b) use an emulator or rooted device (in which case HTTP Toolkit can inject a 'system' certificate, which your app will trust automatically).
Charles proxy is a good way.
Others include if app is using singleton network class (which it ideally should), make one function for get and one for post. Call these functions from your classes and use log.d to output data on console. You can track request response or time taken.
If you are specifically looking for your app to be capable of recording the HTTP calls.
Android Snooper library can be the solution you are looking for.
Have you considered Stetho?
http://facebook.github.io/stetho/
You can monitor and modify all incoming and outgoing requests, among other things.
https://github.com/jgilfelt/chuck/
it adds a new app that send notifications each time a network request is made, and you can see the details of the request.
https://github.com/facebook/stetho
it allows you to use the chrome dev tools to monitor your requests created from an android app. (among other cool features)
If you root the device or running over debug (adb), then maybe this will help:
http://code.tutsplus.com/tutorials/analyzing-android-network-traffic--mobile-10663
Else I don't think its possible to do what you want to do. But you can monitor general network stuff like:
For all traffic stats see:
https://developer.android.com/reference/android/net/TrafficStats.html (just pass in your apps user id)
For monitoring network status:
https://developer.android.com/reference/android/net/ConnectivityManager.html
You Can use this as the better option. Remember to scroll down the app and check network intercept is on.
Link is here https://appetize.io/upload
I have a backend server, and want to provide an SDK for connecting to that backend server. The sdk is going to be built for iOS and Android and will ship as a library separate for those platforms.
The problem is I want to make sure that the requests are sent only using the sdk that I provide. Basically everybody knows that it is possible to monitor WEB requests using proxy applications like Fiddler or Charles proxy. And it is possible to usurp the requests and send those requests manually as many times as one wants.
For my scenario should be made impossible. So I need a way to identify in the backend that the request that I've received is for sure sent from my sdk. How can I achieve this?
EDIT1:
I can guess something like digipasses may be used. For instance when I log into my bank account I get one time password and log in. But that is based on time, and I can not count on the time of device. May be we can reuse the concept.
Thanks for answers!