I retrieve data from an external server for use with my android application. I would like this data to be only accessible with my app. I use a standard http connection to get the data from apache/php server in json format. I also send some params to the server to retrieve relevant data. Now, what I'm planning to do is:
Now, the question is - is it a safe approach regarding the reverse engineering? For now I can think of no other possibility to get this data. But if someone is able to decompile my apk, he will be also able to retrieve this "someSecretPhrase" (rather hard to do on the server side) and then access the server, isn't he? Is it a real threat? Is there any other possibility to authenticate my app by the server?
I looked at the forums eg. Identify whether HTTP requests from Android App or not? and then respond appropriately, but they don't explain the decompilation problem.
You get a header / message from a device. All you know about the device is in the header and the device can write what it wants in it. If you are talking about http requests (which is indicated by agent lookup) you can look at a header here: All you can do "reliable" is to look for the user agent.
From the Android Studio navigation bar, select View > Tool Windows > App Inspection. After the app inspection window automatically connects to an app process, select Network Inspector from the tabs.
Essentially, you install Charles on your computer, tell your Android device to use that computer as a HTTP proxy, and then all requests will be sent through there, allowing you to see the individual requests made through apps.
One of basic rules of security is: you don't trust client data. Ever.
You should consider your app decompiled, all "secret" keys known to attacker, etc.
You can, however, hinder attacker's attempts to forge your requests. Sending (and verifying) checksum of your request is one of methods (your idea of MD5(secret_key + params)
).
You could also switch to a binary encrypted protocol. But this requires MUCH more work and quite a different architecture of server.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With