security for android app in communicate with webservice

Question

I am developing an android app for a site, which I made a capability in it that users can send data to the site database in the app. I use PHP web services and URL in android code for connecting to the web service. how can I make my app (and my php web service) secure that no one can't find the web service url by debugging my apk and send amount of data to the site and make the site down.

any tips for make software system secure from these kinds of dangers can help me a lot, thank you.

edit : for example now I use AsyncTask for sending data in my edittext to webservice like below. I use this code in my oncreate to send data to AsyncTask class in the name of AskServer() :

link = "http://mywebservice-adrress/name.php";
new AskServer().execute(link, edttext.getText().toString());

and here is my doInBackground of my AsyncTask class :

@Override
    protected Object doInBackground(String... params) {
        BufferedReader buf = null;

        try {
            URL link = new URL(params[0]);
            URLConnection connect = link.openConnection();

            connect.setDoOutput(true);
            OutputStreamWriter osw = new OutputStreamWriter(connect.getOutputStream());
            String data = URLEncoder.encode("field","UTF8") +"="+ URLEncoder.encode(params[1], "UTF8");
            sw.write(data);
            osw.flush();
        } catch (Exception e) {e.printStackTrace();}

        return null;
    }// end doInbackground()

and here is my php code in my web service :

<?php

include 'config.php';
$field=$_POST['field'];


mysql_query("insert into `wp_comments` (`comment_content`)
                    values('$field')");
?>

It is an example and my real code send much more data to server, and maybe code above doesn't work, I just make my question more exact and specific as stackoverflow want me. my question is how to make these transactions safe and secure from hackers which may debug my code and find my url , in code above (params[0]) and send amount of data to my site and make it down. or how can I use the service of sending data to server more secure from these kind of dangers??

Answer 1

You cannot hide the endpoint in any way (you can try, but you will fail). If the app can request some URL everybody can. You could have a look at services like cloudflare, but you should look into the actual security of your application instead.

Your question "send amount of data to my site and make it down" doesn't make much sense in relation to your question. Why would sending data to your server make it go down?

Unless you are asking about how to mitigate (D)DOS attacks which is a whole other level of prevention (with moderate success using expensive services).

What you should worry about more instead is the actual security of your application, e.g.:

$field=$_POST['field'];


mysql_query("insert into `wp_comments` (`comment_content`)
                    values('$field')");

is vulnerable to SQL injection.

Also not shared here, but you could look into authentication for your application's endpoints using e.g. oAuth so that you don't have to store username+password in the app itself, but "just" an access token which you can easily revoke.

Answer 2

In general, the other answers to your question are correct: it's difficult to ensure that only your application can make use of your server's API. The crux of the problem is this: nothing prevents a malicious user from pretending to be your application. Most countermeasures are what is known as "security through obscurity". Examples include:

1. Using an undocumented "binary" request format: with enough time, a malicious user can simply reverse-engineer your binary format.
2. Hiding the address of the API endpoint: malicious user can just sniff the request as it passes from your application through the network that he controls on its way to your server.
3. Requiring a cryptographic "signature" to be provided on each API request: malicious user can just reverse-engineer your application and find the cryptographic key that is being used. (A technique known as "white box cryptography" tries to make it difficult to extract the key from your application, but it merely slows down a determined adversary.)

There is however one method which could theoretically work with newer Android devices: use the built-in Keystore system, which is designed to prevent malicious users from extracting the cryptographic keys used by your application. Brief overview of what you would need to do:

1. When your app is first installed, generate a new public/private keypair using the KeyPairGenerator as outlined in the example "NIST P-256 EC key pair for signing/verification using ECDSA".
2. Once the keypair has been generated, send the public key to your server, which will store this key in your user database.
3. When your application wants to make an API call to your server, it needs to sign the request with the private key; and the server needs to verify this signature using the user's public key. If the request does not have a valid signature or the signature cannot be verified, your server must refuse the request.

No matter what the malicious user does, once step #1 has been completed and the private key is safely stored in the Android device's Keystore, there is no way to extract that key and use it to impersonate your application. Unfortunately, even this method has a critical weakness: how can you verify that the request in step #1 (where your application registers its secure public key with your server) is being made by your application?

So for all practical purposes, you'll just have to live with the consequences of exposing an API on your server and take whatever steps you need in order to protect that API from abuse.