I'm building an Android application that needs to communicate with a MySQL database. The application isn't meant to be published, and I want the application to be the only thing allowed to interface with the web service I'll create for DB access.

I've been thinking how I can secure the system, and this is the idea I've come up with. I'd appreciate any feedback or other ideas. Surely there is a method built into Android that I am unaware of.

My thought is to give the web service a GUID. Each time a call is made to one of its public methods, the web service matches its GUID with the GUID given to it by the Android application. If the GUIDs do not match, the web service refuses access. In short, my system has a 128-bit password.

A: 

If you trust the individual to administer your database then everything should be fine. The most important change is that all of this communication must be done over HTTPS. If a hacker sees this traffic your database will get hacked.

I would still use a username/password combo to access the system. I recommend using the existing mysql.users table with the MySQL password() function. This GUID sounds identical to a cookie, and I would seriously consider using an existing session handling system such as php's session_start() instead of rolling your own. Re-inventing the wheel is bad, especially when it comes to security.

Rook
There isn't an individual and there aren't user accounts. Only one phone will be running the Android application. What I want to do is somehow limit anyone else from making calls to my web service.
Quenton Jones
@Quenton Jones https and a password will do the trick. If you're the only one then you could use a hardcoded password and check it on your server (like your uuid).
Rook
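The scheme the question proposes and the answer's "hardcoded password checked on the server" both come down to the same server-side check: compare a shared 128-bit secret presented by the phone against the copy the web service holds, and refuse the call on mismatch. The following is an added example, not code from the question or the answer, of that check done properly in a minimal Python web service. The header name `X-App-Token`, the placeholder secret value, and the file paths for the TLS certificate are assumptions for illustration. It uses a constant-time comparison so that a remote attacker cannot recover the secret one byte at a time from response timing, and it shows where TLS is attached so the token never crosses the network in the clear, which is the point the answer insists on.

```python
import hmac
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# Assumptions (not from the original post): the phone sends its secret in a
# custom request header, and the value below is a constructed placeholder.
# In practice generate it once with secrets.token_hex(16) and store the same
# value on the phone and on the server.
HEADER_NAME = "X-App-Token"
SHARED_SECRET = "4f1c0c7b9d8e4a2b8f6e3d2c1b0a9f8e"  # constructed example value


def is_authorized(presented: Optional[str], expected: str = SHARED_SECRET) -> bool:
    """Return True only if the presented token equals the expected secret.

    hmac.compare_digest takes time independent of where the inputs first
    differ, unlike '==' which stops at the first mismatching byte and so
    leaks, through timing, how many leading bytes the attacker got right.
    """
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


def client_headers(secret: str = SHARED_SECRET) -> dict:
    """Headers the Android client would attach to every request."""
    return {HEADER_NAME: secret}


class TokenCheckingHandler(BaseHTTPRequestHandler):
    """Minimal web service: every public method refuses work unless the token matches."""

    def do_GET(self):
        if not is_authorized(self.headers.get(HEADER_NAME)):
            self.send_response(401)
            self.end_headers()
            self.wfile.write(b"unauthorized\n")
            return
        # The protected work (e.g. the MySQL query) would go here.
        body = b"ok: authorized request for " + self.path.encode() + b"\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body)


def run(port: int = 8443, certfile: Optional[str] = None, keyfile: Optional[str] = None):
    """Serve on loopback; with a cert/key pair (assumed paths) the socket is wrapped in TLS.

    Without TLS the token is visible to anyone who can see the traffic, which
    is exactly the exposure the answer warns about.
    """
    httpd = HTTPServer(("127.0.0.1", port), TokenCheckingHandler)
    if certfile:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
        httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()


if __name__ == "__main__":
    # e.g. run(certfile="server.pem", keyfile="server.key") once you have a cert
    run()
```

Because only one phone ever calls the service, a single static secret is defensible, but it should still be treated as a credential: generate it randomly rather than reusing a GUID produced for another purpose, never log it, and be ready to rotate it on both ends if the phone is lost.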