I have a security-related question - I'm developing an app that populates its database by using a PHP script on a remote server. I wouldn't like to make the PHP script publicly available, but just use it from the specific mobile application (written with TypeScript using the Ionic Framework). How could I accomplish this?
Make your mobile application to provide with the query some kind of secret string / token. And your server side PHP script will not proceed without valid token provided from the request.
The token can be part of your POST/GET/HTTP header or so.
What I've done in the past to achieve something like this is to setup an API key system. You generate API keys server-side, and you lease out valid keys that you have generated to your application(s). You would then use that key in your application, and that would get sent to the server and parsed by a php script whenever you call the script from your mobile application. If the key is valid, then the request is valid.
There are some security considerations to think about, i.e what happens if someone gets your API key? Are you logging remote IP's (and fully qualified domain names) and API usage, will your system be able to invalidate the key whenever necessary? Is the API request utilising TLS connections?
Related
So I am building a phonegap based application and I'd like that application to get it's information from a source using a http request to this source. This source however, must only be able to deliver data to this specific source and no info to any other source what so ever.
I can surely add parameters to the request, however, these parameters can easily be found by decompiling the application file. Is there a possibility for the server to know that the source indeed is my specific application without having to hardcode any kind of key into the app that easily can be obtained?
This all is to ensure that only this app can use a service and somebody else can't make use of that api.
You can't really secure your app with a login/secret embedded inside your app. But if you craft a token system that delivers an access token back to a user upon identification of that user. Bottom line, you need to start with a register/login screen.
I recommend this lib for php, and the Client Credentials grant seems like it would be what you want, see grant types
I want use POST to Transfer data between PHP server and Android client, how to improve security? For example, how can you ensure that believable and successful access to the server API can only be my Android client?
because of app have Login mechanism, so I think I should add the account verification code in every post(It consists of user password and so on, may be encrypted by MD5), Then every POST have clear sources, if the source is invalid(don't have verification code or it's wrong), Server denial of service. Is this feasible?
I would recommend setting up a RESTful web service first of all. This would allow you to filter requests coming from the Android client by their method, for example only handing POST for certain end points.
If you knew that only an Android client would be accessing your server you could also enforce that a "client" or "auth" token (simply a JSON property) must be sent with every request and you would then only supply this token to the Android client implementation and refuse any attempt to access your server which didn't include the token.
It's also important not to access superglobals such as $_POST in PHP directly, instead use filter_input().
This is just a suggestion and there is much more you can do.
My iOS app needs to connect to a mysql server. To accomplish this, I'd like to create a webapp that acts as the middleman between the client side apps and the server side database.
My concern is that someone can simply figure out the URL that my app uses and pass their own URL parameters - and since the webapp has no idea whether legitimate data is being sent from my iOS app vs. someone just typing in the properly crafted URL from any web browser, the system will be vulnerable.
Let's say I have a PHP function for marking a user as "verified" (after I send them an email verification code). This is pretty standard stuff, but what's stopping someone from making the same request from a web browser?
Of course, the user that the app uses to make database queries will have limited privileges, so the rest of the database won't be at risk. However, even having users activating their accounts from outside the app would be catastrophic.
The option that I thought of was using https so that even if the user figures out the URL, they won't know the password and wouldn't be able to sniff it since it's encrypted from start to finish. Unfortunately, https can be expensive for a poor college student, so I'd like an alternative if one exists.
As stated before, there is no 100 % security possible. But there are several solutions that put together give great security.
Https
As you point out, this is an important part , as it prevents sniffing.
Sessions
Use sessions and don't allow any request without a valid session ( except the first, that must authenticate the app ).
Fingerprint
Check the user agent and set extra http headers, to get a fingerprint unique to your app. ( Still someone could sniff, but he needed to use curl or similar. )
Obfuscate requests
Build your query string and apply a hash function. The server needs to implement the reverse function. ?43adbf764Fz instead of ?a=1&b=2
Encrypt
This goes a step further. Use a shared secret to calculate a hash. On the server repeat the same. This is already strong security. In order to break, one needs to reverse engineer your app.
Use unique shared secret
You say it is a app for iOS. Upon installation a unique token is generated by iOS. Have your app register this token with your server. Like this you have a strong shared secret unique to each installation, and there would be no way to hack your web app.
I'm building an App who access a MySQL database from my server, and I'm sending the data from the app and receiving the PHP response from the server. I'm trying to create a Login system for this App using this database.
What's the process? What's the best practice for build this?
You will have to store some kind of session value in your app and send it with your requests. You may be able to utilize PHP sessions to do this, but what I usually prefer to do is create database entries for API keys. On a successful login an API key is generated for that user and stored on the device. Then on each request you will pass the username/api key combination for authentication on the server side. This method will easily port over if you wish to expand your codebase into android/blackberry/toaster ovens. It makes for a very portable authentication system. Also, this keeps you from having to store the password on the device, which is a security concern.
This is how one programmer chooses to do it.
Recently I programmed a little app for my android device. As the datastorage for the app, Iam using a mysql database, which can be accessed via different php scipts. So all the app does, is it sends POST requests to the php scripts to communicate to the database.
But now I consider about the security aspect. These php scripts can be accessed by every webclient. So every webclient has the possibility to compromise my database, which is of course not the ideal case.
So I was wondering if there is a way to just allow authorized clients to use these php-webservices?
Does php provide any kind of authentification that can be used by an android client?
Cheers
You simply need to require an authentification when invoquing the service:
simple and dirty: http basic auth, like Twitter used to do
a better solution is OAuth, like Twitter now does
There are of course other possibilities (WS-Security, but you don't seem to use SOAP).
for security, you should prefer to interact through an API to your mysql...isn't it?
A few points:
Use a different port (i.e: not 80 or 8080) for the web access
Add authentication with a username and password. Inside your application, you can get these from a secure config file.
On the server side, you can also do some checking on user agents, IP addresses and maybe even device ids.
This is just a start