Hi,

Just a little background. I am a proficient asp.net/c#/sql server programmer who has been learning Android for less than 2 days.

We have an existing .net website which stores a list of locations in MS SQL Server 2008 and I'm trying to create an Android application that gets these locations and displays them on a Google Map.

The question really is how to get the app connected to the SQL database. I'm guessing there are a few options:

1) Some kind of direct connection between the app and the remote DB.

2) Creating some kind of middle layer using asp.net that would convert the data into something more usable to the Java code in the Android app (bear in mind I know virtually NO Java), in exactly the same way that we have .net code which supplies JSON to our web apps.

3) Creating some kind of web service to just return XML results from the web server. No idea how I would secure this so that only the Android app could request the data though.

Any help or advice on best practice would be really useful. I think I just need pointing in the general direction of a good strategy and I can work it out.

+1  A: 

No idea how I would secure this so that only the Android app could request the data though.

Your problem is bigger than that.

It does not relate to point (3) only, it relates to any possible approach you are going to choose.

  • If you expose any kind of data on the Internet, it can be accessed with an authentication, or without one.
  • If it's accessed with an authentication, it's either one credential for each user, or one for many users.
  • Once a user has a credential, he can use it however he likes; you can't restrict it any more than completely blocking the credential itself.

Now, you are going this way, i.e. one credential that is valid for all users, i.e. the application has got it and it uses it to get the data. The fact that the user himself might not know it is irrelevant.

Remember: security through obscurity just doesn't work. Obscurity is only "one more annoyance" if you want to break in; it's like a dark room with valuables inside: the darkness doesn't help, but it's no excuse for not having a lock. And someone is going to steal something soon, it's just a matter of time.

Lo'oris
Is it not possible for me to give the app some kind of API key so that only it can access the web service? Isn't this essentially how the API keys for the Google maps service for Android works?
jonhobbs
It's not logically possible. Anything inside the app can somehow be accessed by the user (through reverse-engineering in the worst case).
Lo'oris
So, theoretically the same could be said of Google Maps right? I need my data to be fairly secure, but if nothing is un-hackable then I'm sure this approach is as good as any.
jonhobbs
Google Maps isn't magic, so yes, this is valid for everything, it's simply logically impossible to do otherwise. If you need your data to be secure, then **don't do it this way**. Simply because it won't be secure, so it's as good as just leaving it open to everybody.
Lo'oris
When you say "don't do it this way", what is the alternative? How can I get the data from my database to an Android app? Even if the app had a direct link to the database using a connection string it would still have to store a password. Presumably the reason Google do it this way is because there is simply no alternative!
jonhobbs
You should make your data available for reading, either with an SQL user with limited powers, or with an external interface. Don't bother using insecure credentials, because they're pointless by definition. If you also need to be able to write, either allow *everyone* to write, or have the users log in with a personal user+password. Again, having an insecure system is as good as not having any security in the first place.
Lo'oris
A: 

Native LDAP support for Android could arrive pretty soon (lots of people want it); that could help for security (i.e. using your Exchange Server to validate different user credentials instead of using one for the app).

In the meantime, it is true that the data might be more accessible than it should. Is it sensitive?

gatnowurry
+1  A: 

Your security problem is one of network infrastructure and protocols, not of Android. OAuth is emerging as a standard way of doing this, and using Google as an example, perhaps a better analog would be access to Google Docs?

more here:

Actually implementing the handshake, etc could take a bit of work depending on just how secure you'd like to make it. Again, this isn't really an "Android thing" so much as it is an architectural challenge first, and once you've made some of those architectural decisions you can actually implement what you've decided to do on Android or anything else.

Conceptually, exposing your data through web services and consuming them down the line from your UI is fine. You've just got to nail down what your security strategy will be, OAuth or otherwise.

slf
I think the thing I'm having trouble getting my head round is that in my asp.net websites I just put a database connection string in, including an IP address; the code is compiled so that the connection string is hidden and off I go, direct access to the DB with no web service sitting in between. Why can't I do that in Android? Is it just a "best-practice" thing or is it not possible?
jonhobbs
As you probably already know, accessing databases requires drivers. To my knowledge, Android devices don't have these drivers; your server probably does. If it's just JDBC/SQLite you need, you can do that: http://code.google.com/p/sqldroid/
slf
Thanks. I think a web service is the only way to go but I'm going to look into OAuth and public key cryptography before I make any decisions.
jonhobbs
A: 

You cannot actually connect to a remote DB, especially if it is a MS SQL database (Android can only deal with SQLite).

Your best option, knowing that you want to secure your data, is to build a Java interface on the server side, which would have access to your database.

Then, you can do some RMI or you can use sockets to send and receive data (including encrypted data).

Moons
A: 

Beneath your problem of securing the data, the things I would do to solve your task would consist of the following steps:

  • Use a JSON web service to communicate between the mobile device and your DB. A DB connection would have to be re-established every time you access the DB because of the flaky network connection of mobile devices. The web service nicely wraps a single question to the DB.
  • Use Google Gson to parse the JSON into Java data objects to handle them in the app.
  • Create a MapView with your own overlay to display the items on the map.

The security thing is a problem I thought about a lot. If you want to restrict the access to the database you need the app to have some kind of key to authenticate at the web server. The problem is that somebody could just open up your app and look for this key and then remodel the traffic used in your app. You can use the key to do an HTTPS connection to your web API; this prohibits others from tapping into the network connection, but the person owning the phone can always access the key.

You can always make it more difficult for the attacker, but you can always fake being a phone app because the auth tokens need to be on the phone. Some ways to make it more difficult are:

  • Encrypt the key inside your application; this makes it harder for fast searches inside your class files and easy extraction of the key. But it is only one more layer of hiding, because the key to decrypt has to be in your app as well.
  • Generate a second key based on the phone data, e.g. a hash of the IMEI, the phone number etc. The problem is that this data has to be initially registered at the server, therefore it can simply be faked.

If you simply want your data to be secured from harvesting through a bot, make the server only respond to requests that seem to come from a mobile phone. Block single IPs that make hundreds of calls to the web service etc.

Janusz
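As an added illustration of the advice in Lo'oris's answer (one credential per user rather than one key baked into the app) and Janusz's answer (a JSON web service in front of the DB, throttling of IPs that hammer it), here is a minimal request handler for the middle layer. It is example code written for this page, not from any poster; Python stands in for the asp.net layer the question mentions, the location rows and IP addresses are constructed, and the handler takes parsed headers and a client IP so it can be exercised without a real server.

```python
import hashlib
import json
import secrets
import time
from collections import defaultdict

# Constructed sample rows standing in for the locations table in SQL Server.
LOCATIONS = [
    {"id": 1, "name": "Depot", "lat": 51.5074, "lng": -0.1278},
    {"id": 2, "name": "Yard", "lat": 53.4808, "lng": -2.2426},
]

# One credential per user, stored only as a SHA-256 digest: one leaked token
# is revoked without breaking every installed copy of the app.
_TOKEN_DIGESTS = {}  # sha256(token) -> username

RATE_LIMIT = 100      # requests per client IP per window
WINDOW_SECONDS = 60.0
_hits = defaultdict(list)  # client IP -> timestamps of recent requests


def issue_token(username):
    """Mint a random per-user bearer token (handed out at login, over HTTPS)."""
    token = secrets.token_urlsafe(32)
    _TOKEN_DIGESTS[hashlib.sha256(token.encode()).hexdigest()] = username
    return token


def revoke_user(username):
    """Invalidate every token issued to one user without touching the others."""
    for digest in [d for d, u in _TOKEN_DIGESTS.items() if u == username]:
        del _TOKEN_DIGESTS[digest]


def _rate_limited(client_ip, now):
    recent = [t for t in _hits[client_ip] if now - t < WINDOW_SECONDS]
    recent.append(now)
    _hits[client_ip] = recent
    return len(recent) > RATE_LIMIT


def handle_get_locations(headers, client_ip, now=None):
    """Serve GET /locations: returns (HTTP status, JSON body) for the app."""
    now = time.time() if now is None else now
    if _rate_limited(client_ip, now):          # throttle before any DB work
        return 429, json.dumps({"error": "too many requests"})
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, json.dumps({"error": "missing credential"})
    user = _TOKEN_DIGESTS.get(hashlib.sha256(auth[7:].encode()).hexdigest())
    if user is None:
        return 401, json.dumps({"error": "unknown or revoked credential"})
    return 200, json.dumps({"user": user, "locations": LOCATIONS})
```

The app then parses the 200 body with Gson as Janusz describes; the token in the `Authorization` header belongs to the logged-in user, so the phone holds nothing that unlocks the service for anyone else.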