开发者

Thinking about security of an Android web service

开发者 https://www.devze.com 2023-04-02 19:57 出处:网络
I have been asked to write an android app to connect to a http server. I did this by creating a web service and sending JSON data to a PHP script on the server which opens the desired database and the
相关专题:androidjsonphpweb-services

I have been asked to write an android app to connect to a http server. I did this by creating a web service and sending JSON data to a PHP script on the server which opens the desired database and then inserts the decoded JSON objects.

Now I am thinking about security. First of all the app will be propr开发者_JS百科ietary, not on the ANdroid Market, but I am worried about two things:

  • someone with a phone not in the company somehow gets the app. He can then manipulate the DB. Or the company loses an Android phone and a malicious person tries to ruin the DB.
  • someone using the PHP script without an Android phone and manually inputting JSON data, e.g. from a PC browser (I dont know if this can be done.).

To counteract the first possible problem I intent to use the ANdroid phone's serial id.

   TelephonyManager tm =   (TelephonyManager)activity.getSystemService(Context.TELEPHONY_SERVICE);
   String id = tManager.getDeviceId();

I will put this in my JSON object and send it to the server, decode it and check against a database table of valid id numbers.

Is this a good idea?

I don't know what to do about the second problem. Any help would be appreciated.

Actually both problems are related to each other. You need to guarantee, that only people with appropriate privileges are allowed to use your PHP script. To do so you need to make authorization system. All of them requires some verification data to be sent from client, so it has to be either stored in phone or typed every time by your users. For example it can be simple login/password authentication. You can store such information on your phone in encrypted form, but there's no way to guarantee that if someone get his hands on the phone he won't be able to use this application. If you want to avoid that, you can't store the password - you have to ask the user about it every time.

Oh, and as for your idea with sending phone's unique id - it can be easily extracted from the phone by the hacker, and later he can use it to call your php script manually. There's a simple rule - if you're storing any authentication data on the client, skilled person can always extract it and use it to connect to your system.

0

上一篇:

:下一篇

更多 问答 相关资讯:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

    关注公众号

    热门标签

    图文推荐

    Delphi - Custom drawing a message list

    Delphi - Custom drawing a message list
    C++ header-only include pattern

    C++ header-only include pattern
    IE7 Margin Collapses Into Padding

    IE7 Margin Collapses Into Padding
    in CoffeeScript, how can I use a variable as a key in a hash?

    in CoffeeScript, how can I use a variable as a key in a hash?
    Interactive visualization of a graph in python [closed]

    Interactive visualization of a graph in python [closed]
    How to customise PHP MYSQL tables?

    How to customise PHP MYSQL tables?
    High quality, simple random password generator

    High quality, simple random password generator
    Image Recognition ApI in android

    Image Recognition ApI in android

    开发者开发者网给大家分享系统运维,大数据运维,云计算,编程开发技巧,路由交换,运维和开发相关的资讯及技术文章,同时StackOverflow中文社区,知识经验交流分享。

    法律声明:本站内容均为网友上传,网站举办方负责审核和监督,如存在版权或非法内容,欢迎举报,我们将尽快予以删除。邮箱:devze@qq.com

    Copyright © 2018-2020 开发者. All rights reserved. Powered by 开发者ICP备案号: 京ICP备10032868号-9