Check if http request comes from my android app

I retrieve data from an external server for use with my android application. I would like this data to be only accessible with my app. I use a standard http connection to get the data from apache/php server in json format. I also send some params to the server to retrieve relevant data. Now, what I'm planning to do is:

  1. Send the params
  2. Send something like md5("someSecretPhrase"+params).
  3. Check if the secret phrase is correct on the server side.

Now, the question is - is it a safe approach regarding the reverse engineering? For now I can think of no other possibility to get this data. But if someone is able to decompile my apk, he will be also able to retrieve this "someSecretPhrase" (rather hard to do on the server side) and then access the server, isn't he? Is it a real threat? Is there any other possibility to authenticate my app by the server?

I looked at the forums, e.g. "Identify whether HTTP requests from Android App or not? and then respond appropriately", but they don't explain the decompilation problem.

Michał Klimczak asked Dec 28 '11 00:12


1 Answer

One of the basic rules of security is: you don't trust client data. Ever.

You should consider your app decompiled, all "secret" keys known to the attacker, etc.

You can, however, hinder an attacker's attempts to forge your requests. Sending (and verifying) a checksum of your request is one of the methods (your idea of MD5(secret_key + params)).

You could also switch to a binary encrypted protocol. But this requires MUCH more work and quite a different server architecture.

Sergio Tulentsev answered Sep 28 '22 10:09
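As an added example (not code from the question or the answer), the request-checksum scheme discussed above written out in Python for both the signing client and the verifying server; the page's server is PHP, and the same computation carries over. It assumes a hypothetical shared secret and example params, and it swaps md5(secret + params) for HMAC-SHA256, because a plain hash of secret||message can be extended by anyone without the secret.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Hypothetical shared secret (constructed value). As the answer says, once it
# ships inside an APK it must be treated as known to anyone who decompiles it.
APP_SECRET = b"someSecretPhrase"


def canonicalize(params: dict) -> bytes:
    """Deterministic encoding so client and server sign exactly the same bytes."""
    return urlencode(sorted(params.items())).encode()


def sign(params: dict, secret: bytes = APP_SECRET) -> str:
    """Client side: HMAC-SHA256 over the canonical params."""
    return hmac.new(secret, canonicalize(params), hashlib.sha256).hexdigest()


def verify(params: dict, provided_sig: str, secret: bytes = APP_SECRET) -> bool:
    """Server side: recompute the checksum and compare in constant time."""
    expected = sign(params, secret)
    return hmac.compare_digest(expected, provided_sig)


def demo() -> dict:
    """Shows what the checksum does and does not prove (constructed inputs)."""
    params = {"city": "Warsaw", "category": "news"}
    sig = sign(params)
    tampered = dict(params, category="admin")
    # Any holder of the secret, the genuine app or not, can produce a valid checksum.
    resigned = sign(tampered)
    return {
        "genuine": verify(params, sig),                 # True
        "tampered_same_sig": verify(tampered, sig),     # False: params changed
        "resigned_with_secret": verify(tampered, resigned),  # True: secret suffices
    }


if __name__ == "__main__":
    print(demo())
```

The last result is the answer's point in code: a valid checksum proves the sender held the secret, not that the sender was your app, so treat it as a hindrance against casual tampering rather than as authentication.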