I want to ask if anyone knows a way to access only from my self-written android application my server. The android application is accessing the data over http request (POST), still there could be another person which will find the link of xxxxx.php and accessing the data from another place (not my own android application).
What I already did is, that the data is only accessible when all the parameters which are needed are given and a special generated key (Which will change under special conditions). Still this key does not change every second or minute, so when the attacker has now a key, he could still access my data for some time.
So is there a way to limit the access of my server by my application?
This cannot be done. It is an impossibility. You cannot control the client.
The best you can do is embed some secret information in your app, and try to hide it from others. A smart hacker will root their phone, and attach a debugger to your app, and find that secret.
Some anti-debugging tricks here: What is your favourite anti-debugging trick?
Related
Im a developer with my roots in Web Development. I have always built my API's using PHP and now, moving forward and leaning more into App development with react native I have done the same.
I am using an SQL-database for my user data and I want to make sure that only users signed in can fetch the data from the database.
In webdevelopement
the way I would solve this is through a cookie storing a PHP Session and using the user_id stored within that session on the server to make the request. Therefore the API would not accept GET/POST variables, rather the user_id for which we queried for was stored on the server.
From what I have read already session API's is not something that we want to deal with when working with mobile as seen for example within this thread How to manage session for a user logged in from mobile app in PHP?
To summarise the question
How do we secure our API when working with react native without having the user have to sign in over and over to reassign a SESSION on the APACHE server. I am concerned about this since if not done properly, if reversed engineered. A malicious user could start sending requests to the user with any POST/GET parameters as they please and thereby remove/add/modify user data in which it should not be able to.
Best regards. A.W
Introduction and background
I have a MySQL database of Lottery Results which my Android application queries to get the results via a PHP web service script which connects to the database, does a query for the top 10 and returns JSON data for the Android client to parse and then display.
I have the server hosted and it uses Cpannel (cannot find the version number).
In terms of the Android app (java program) The full URLs of php script are stored in a String. I fear if the program got decompiled they could get access to this string. I am using pro-guard to obfuscate the code but this does not hide actual values given to Strings or variables.
The actual Problem
How would I prevent others (if they got the actual URL of the PHP script location) to prevent them from leaching the results I provide just by running the script (this would cost me bandwidth usage). I tested it and I could actually get the JSON data output if I input the full URL of the script.
What I have done so far
Im new to this server hosting and administration. So far I disabled indexing on the directory which contains the PHP scripts just in case someone found them that way.
I was looking into setting permissions for the script file but ended up actually blocking legitimate use of it. At the moment they are 644. I cannot remember which ones I tried.
I found various hotlinking tutorials but these seem to be for images and multimedia but not specifically a script which outputs JSON data. Please help me.
What I am looking for
I don't have any code to show but I am looking for advice for those who have been through the same problem and point me into a direction to which I can research, investigate and build a solution from.
Thank your for your time in reading
A quick but not super secure solution would be to generate an unique token for every request:
Given:
Secret Key: examplekey1234
Client:
Calculates Token: sha256(examplekey + requestdata + date + ip ....)
Does request with token as additional request data
Server:
Calculates token the same way as the client.
Compares calculated with submitted token.
If both are equal, accept the request.
Since the secret key is known only to the client and the server, nobody ellse can calculate the token.
The data added to the calculation (requestdate, ip, date) ensures, that the token can't be reused for other requests (different reqest data, other user, at a later time, etc.).
If you have some kind of session id, you could also add it to your token calculation. This makes the token a little bit more secure, since it's only usable for this session.
But: When somebody decompiles your application, he can obtain the secret key. This method mainly protects against sniffing the network traffic to get the url.
We are developing in-house web-based application for viewing data reports while targeting on smartphones and tablets. Our customer asked us for possibility that only certain devices could access the content. Hence we use technologies based on javascript/HTML5 we are no capable of reading unique ID like IMEI or device uuid. On the other hand side we could use server technologies like ASP, PHP to gain success.
I have several ideas which dont lead to wanted result (one discussed here: Persistent client-side web storage).
I wonder if you have any idea that allow only certain devices to access web site?
Such access control would only be "secure" if a traditional login method is implemented on top of it, i.e. users (1) need to sign in with username and password, but (2) they can only do so on specific devices.
Step (1) is required to make access basically "secure", while step (2) would only make it just a little harder to break into your app for people who have hardly a clue what they're doing.
(Without the second step, people could attempt to brute force the login form when they know its URL, without sniffing any other network traffic.)
You could certainly fingerprint the user agent (UA) string and possibly other HTTP headers, assuming the mobile browser app isn't constantly updated and therefore doesn't constantly change its UA string (that could be a hassle), and check server-sided.
Your could also create a simple, really simple native mobile app for the target platform(s), consisting only of the platform's default web browser widget, with your app's URL built-in as the default page.
You could then control the URLs and possibly HTTP headers, and add special, secret authentication headers or URL parameters (e.g. device's IMEI), for which you check on the server side.
If you target Android, you don't necessarily need to rely on Google Play; you can also distribute the APK files from one of your own servers, making the app available only to the intended audience.
AFAIK you only have the User Agent to work on, with maybe some Javascript values that you can return as are used when fingerprinting.
The User Agent should give you a lot to go on, but it can easily be spoofed. And so can the Javascript values.
I don't think there is a secure way to do what you want. But then again, I don't know if you really want it that secure.
What you also could do is to not do it 100% browser based, but create a mobile App. (Such as in Apple AppStore / Google Play Store) Here I think you can request access to more variables to identify the machine type.
Try the lightweight php-mobile-detect here: (server side checking is always better) https://code.google.com/p/php-mobile-detect/
I'm not quite sure if an API is the way to go with this, so a little background.
I have been building up a back end which has a very useful set of data and tools for someone to run a site. The front end also uses the same data to show to customers, as one would expect. A mobile app could probably be added in the near future to enable changes to be made to the site, via the app. But the back end can potentially go onto any website like a standard script (ie. it is not centrally stored nor does any data go back and forth between the client and us).
So I thought that the best way around this would be to make an API for the site. Naturally for an app to access the API, it would need a key to authenticate with the API (which the end user can set via their back end). However, I would like the back and front ends to use the API to access the same data so nothing needs to be written twice.
I'm sure it is clear that APIs are a new thing to me, which they are. But, I am trying to improve and adapt my coding to be more efficient.
I thought perhaps that the API could perhaps do some checks from the location of the query to see if it were local request (back/front end) or via an app (which uses a key + user authentication). So how would one go about ensuring that the back and front end could securely access the API, while no one can access it via spoofing. I imagine the checks could be on the lines of the requesting URL, but I am worried that this could be spoofed or other things (that could be checked) could be spoofed. What is the best way to allow local access? Is there anything that can't be spoofed?
I know I could write in a key into the code, but since the code is distributed, I don't want this access key to be public - nor do I want to manually change the key for each site - and nor do I really want the end user to enter some random letters and numbers during setup.
You should use a public/private key. Your front/back end's, mobile versions, or even 3rd party developers will then use the their keys to authenticate each other.
I just created a PHP page that spits outs some data from my database in an XML format. This data is fetched from a flex application I made.
I had spent a long time formatting my tables and database information and do not want anyone to be able to simply type www.mysite.com/page_that_spits_out_XML.php and steal my data. However, at the same time I need to be able to access this page from my flex application.
Is there a way I can prevent other people from doing this? Thank you!
Are you using Flex's HTTPService object?
A few general ideas...
Create a Session or Cookie authentication scheme on your web service
Add some type of API key that Flex passes to your XML web service, which would provide a basic safeguard (though it can easily be detected and doesn't provide much in terms of security as it's visible in the postdata).
Use something like HTTP basic authentication: http://geekzguru.wordpress.com/2008/07/04/howto-add-basic-authentication-header-to-httpservice/
You need to set up an authentication. The Flex application sends HTTP POST data (typically a username and a password) to the server where your PHP application checks whether the account exists and if it does, it sets up a session. Whenever accessing a file (such as the page_that_outputs_xml.php), the PHP file will check whether the account in the session has a permission to view this data.
That would be as bulletproof as today's most login systems.
The only thing that is really going to slow down a datathief is encryption, make sure that your flex app is obfuscated and that the key and the encryption function stored within is neither guessable nor easily extractable.
This is the best you can do, but it's not a type of solution I would generally recommend. If someone REALLY want that data they are going to get it.
Get your flex app to send a secret key (hash or something) and then get your PHP to check if who is accessing it has a correct key. Might want to use a POST request to hide what you are sending. This isn't super secure but that's my two cents!