tags:

views:

76

answers:

3
+2  Q: 

Protect HTTP request from being called by others

Hi,

I have an Android application from which I want to upload some data to a database on my web server. As the MySql java library has a size of about 5 mb, I don't want to include it with the application. So I'll make a HTTP request for a php script and send the data with the URL as parameters. How do I make sure that only I can call this? I don't want people to sniff up the URL and call it outside my application.

Thanks

+1  A: 

The short answer: you cannot prevent sniffing.

But you can make sniffer's life harder by implement a some sort of internal authentication, GET/POST predefined parameters (or dynamic, but calculated by algorithm you only know how) exchange, hidden header fields, etc.

But all this could also be sniffed/reverse engineered.

A possible Overkill Way would be using some sort of asymmetric private/public key encryption/signature. Such as RSA. Your app will only include public key, and sign the request data with it. And your server-side will have a secret private key, it will use it to check validity of client requests.

zed_0xff  2010-06-18 10:47:12
The private public key thing is the best way I know. The problem is that every body knowing the public key will be possible to donwload the data. And the key can be extracted out of the app with some effort but it is clearly not impossible.
Janusz  2010-06-18 11:11:05
+2  A: 

Use a simple static token to identify the client is yourself or in an advance way, first authenticate with a username/password, generate a token and use this token for further transactions .This token can expire after some time.

option1: http://[your request url]&key=xyz where xyz is known only to you

option 2: first ping server with username password and upon successful validation get a dynamic token [dKey], store it locally. then for further requests. http://[your request url]&key=dKey.

option 2 is the one normally being followed.

Wind Chimez  2010-06-18 10:58:15
Thanks. I generates a token that expires after 1 minute. That seemed to be the best way to do it.
Kaloer  2010-06-19 07:53:34
A: 

I know very little about android - but it's not really relevant to the question.

If you want to prevent someone from sniffing the URL (and authentication details?) then the only option is to use SSL. On the other hand if you merely want to prevent other people from accessing the URL, its simply a question of authentication. If you're not using SSL, then that means you need to use sessions and a challenge-based authentication to avoid people sniffing the traffic. You could do this via digest authentication or roll your own code.

C.

symcbean  2010-06-18 11:54:47

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases