So I've been literally 2 months searching for this but nothing... Basically I've got an Android app witch makes HTTP(S) requests to a PHP server. Let's say I've got a URL to get some information: https://example.com/username/check/whaterver/, to access this URL you need to send over a token that you get once you're logged in. I have everythig all set, the only problem is that I know that people can see the requests made from their phones, let's say: URL: https://example.com Form-data: token=5456432145. What I need is a way to send the token to the server without the user being able to see the token.
I am not asking how to make a HTTP request between Android and PHP, I'm asking how to ONLY accept HTTP requests from Android and PHP
You can use/create a cryptography to send to PHP server and from server to browser of device. A cryptography mode will encode your token code.
Like: token=5456432145 to token=D37AG3H7183BAD2E6DGAS
Related
I want use POST to Transfer data between PHP server and Android client, how to improve security? For example, how can you ensure that believable and successful access to the server API can only be my Android client?
because of app have Login mechanism, so I think I should add the account verification code in every post(It consists of user password and so on, may be encrypted by MD5), Then every POST have clear sources, if the source is invalid(don't have verification code or it's wrong), Server denial of service. Is this feasible?
I would recommend setting up a RESTful web service first of all. This would allow you to filter requests coming from the Android client by their method, for example only handing POST for certain end points.
If you knew that only an Android client would be accessing your server you could also enforce that a "client" or "auth" token (simply a JSON property) must be sent with every request and you would then only supply this token to the Android client implementation and refuse any attempt to access your server which didn't include the token.
It's also important not to access superglobals such as $_POST in PHP directly, instead use filter_input().
This is just a suggestion and there is much more you can do.
I have a PHP server with some .php files. Swift iOS application send POST request to server and get some response in JSON. PHP files on server do some work with MSQL.
The question is:
How to provide good security when do some request?
I thinking to create some let API_KEY = "dakhye8k3id9" and send it with request to server. But is it secure? (Decompilers ect.). Maybe there is some other approach?
To give some string tokens is also not good idea because I store it in NSUserDefaults.
I have JSON file on my server(on my website).My Iphone and Android app use this JSON.
I would like to hide or secure json files from another websites or app.
Is it possible ?
The most common way to do this it´s by using a Token that signs every WS call.
You can generate this Token in many ways, the most extended it´s by password username encryption.
Users in App sends USER/PASSWORD by SSL secured connection to the server.
Server validates USER/PASSWORD and sends back a token that will be used to sign every call made now on, so the user doesn't have to be sending every time the USER/PASSWORD info.
You can also check how to secure your web service following this SO link.
Best Practices for securing a REST API / web service
Hope it helps. :)
I'm trying to write the server side of my android app that uses C2DM. I'm going to write it in php. I basically am just doing tests right now. I copied the chrome to phone example for the actual android app and modified it to my liking. Right now my biggest question is the registration.
Let me get everything straightened out.
When registering the device for the first time, the app talks directly to my server. The server grabs the deviceid and responds back with a 200. Right?
So, on the php side of things, I grab the device id like $deviceid = $_POST['deviceId'] Right?
add it to my database. then respond back to the app.. How exactly do I send a particular response back? I assume in the header? I'm unsure how to do that.
Please confirm or deny that I'm on the right track and clear up any confusion.
Thanks for the help.
You don't respond back to the app. You must register your server with google's servers to get a server authentication token. You then use that server token and the device token in a post request to google's C2DM service to have google's servers send a push notification to the phone. Your app and your server never directly communicate when a push notification is sent in C2DM, it is all done through google, yet you need to implement a mechanism for your server to know the device id of the device it wants to send a message to.
This is a pretty detailed guide, though the server code is in Java:
www.vogella.de/articles/AndroidCloudToDeviceMessaging/article.html
Make sure you have really gotten the IDs before sending to the server. If you are using an emulator for testing, you could do an echo over at the php script so the message will appear in your logcat.
Google refreshes expired registration IDs so your application should be able to pick up new notifications/ids from google and handle the message by sending to the database.
Is it possibile to update the status of facebook externally using a user's username and password with PHP. without any user interaction(like facebook connect).
Also without using curl.
I know there are come facebook mobile clients like snaptu. how do they access inbox, wall and our status just knowing the username and password.??
Thanks in advance
I don't know what you have against cURL, but you can do this with any HTTP client that can handle cookie (or that you can roll cookie support for).
However you should not even remotely consider doing this! Unless it's for a hacky script that will never leave your computer and that you use for your own account. You should never be asking for other peoples' passwords. Use OAuth.
Without using CURL or other POST requests it isn't possible.
How can you even think about not using cURL? All the FB API is exposed via HTTP, and if you don't end up using cURL, you will use HTTP anyway, and construct the HTTP request manually and send it via bare sockets.
And that's where cURL could use your job. But it's basically the same.
The apps you're mentioning are screen scraping the FB website and send the HTTP request accordingly - with cURL.