views:

76

answers:

3

Hi,

I have an Android application from which I want to upload some data to a database on my web server. As the MySql java library has a size of about 5 mb, I don't want to include it with the application. So I'll make a HTTP request for a php script and send the data with the URL as parameters. How do I make sure that only I can call this? I don't want people to sniff up the URL and call it outside my application.

Thanks

+1  A: 

The short answer: you cannot prevent sniffing.

But you can make sniffer's life harder by implement a some sort of internal authentication, GET/POST predefined parameters (or dynamic, but calculated by algorithm you only know how) exchange, hidden header fields, etc.

But all this could also be sniffed/reverse engineered.

A possible Overkill Way would be using some sort of asymmetric private/public key encryption/signature. Such as RSA. Your app will only include public key, and sign the request data with it. And your server-side will have a secret private key, it will use it to check validity of client requests.

zed_0xff
The private public key thing is the best way I know. The problem is that every body knowing the public key will be possible to donwload the data. And the key can be extracted out of the app with some effort but it is clearly not impossible.
Janusz
+2  A: 

Use a simple static token to identify the client is yourself or in an advance way, first authenticate with a username/password, generate a token and use this token for further transactions .This token can expire after some time.

option1: http://[your request url]&key=xyz where xyz is known only to you

option 2: first ping server with username password and upon successful validation get a dynamic token [dKey], store it locally. then for further requests. http://[your request url]&key=dKey.

option 2 is the one normally being followed.

Wind Chimez
Thanks. I generates a token that expires after 1 minute. That seemed to be the best way to do it.
Kaloer
A: 

I know very little about android - but it's not really relevant to the question.

If you want to prevent someone from sniffing the URL (and authentication details?) then the only option is to use SSL. On the other hand if you merely want to prevent other people from accessing the URL, its simply a question of authentication. If you're not using SSL, then that means you need to use sessions and a challenge-based authentication to avoid people sniffing the traffic. You could do this via digest authentication or roll your own code.

C.

symcbean