I have a PHP server with some .php files. Swift iOS application send POST request to server and get some response in JSON. PHP files on server do some work with MSQL.
The question is:
How to provide good security when do some request?
I thinking to create some let API_KEY = "dakhye8k3id9" and send it with request to server. But is it secure? (Decompilers ect.). Maybe there is some other approach?
To give some string tokens is also not good idea because I store it in NSUserDefaults.
Related
So I've been literally 2 months searching for this but nothing... Basically I've got an Android app witch makes HTTP(S) requests to a PHP server. Let's say I've got a URL to get some information: https://example.com/username/check/whaterver/, to access this URL you need to send over a token that you get once you're logged in. I have everythig all set, the only problem is that I know that people can see the requests made from their phones, let's say: URL: https://example.com Form-data: token=5456432145. What I need is a way to send the token to the server without the user being able to see the token.
I am not asking how to make a HTTP request between Android and PHP, I'm asking how to ONLY accept HTTP requests from Android and PHP
You can use/create a cryptography to send to PHP server and from server to browser of device. A cryptography mode will encode your token code.
Like: token=5456432145 to token=D37AG3H7183BAD2E6DGAS
im writing json-rpc service that provides an android app with some data. now i needa send a file that is huge enough to refuse the idea of encoding it to base64. more than that, the file link won't work either, cuz im not allowed to store files on server and any data transfer should be proven by sending a jwt token from the app, so whats the best way for me to do this. thank you in advance.
I know the idea of JWT. But I have to work with both, PHP as a client which will send data to Node.js API and receive data back.
I know it is trivial if you are using JWT inside PHP only or Node.js. But is it possible to send from PHP to Node.js API?
Yes, it is, the validation may be an security issue in some cases, but you could do it with as secret or using certificates.
I want use POST to Transfer data between PHP server and Android client, how to improve security? For example, how can you ensure that believable and successful access to the server API can only be my Android client?
because of app have Login mechanism, so I think I should add the account verification code in every post(It consists of user password and so on, may be encrypted by MD5), Then every POST have clear sources, if the source is invalid(don't have verification code or it's wrong), Server denial of service. Is this feasible?
I would recommend setting up a RESTful web service first of all. This would allow you to filter requests coming from the Android client by their method, for example only handing POST for certain end points.
If you knew that only an Android client would be accessing your server you could also enforce that a "client" or "auth" token (simply a JSON property) must be sent with every request and you would then only supply this token to the Android client implementation and refuse any attempt to access your server which didn't include the token.
It's also important not to access superglobals such as $_POST in PHP directly, instead use filter_input().
This is just a suggestion and there is much more you can do.
I'm starting a new application that will have a server side PHP and client in Android another (at the moment, and then also probably iphone). The application will only be used from mobile customer applications ie not to be used by web. My question is what would be the best way to login to this mode of operation?
thank you very much
It sounds to me as if the server side will be some sort of API that opens up access to a users data. The easiest method would be sending along a stored username and password with each request. This would only work if the connection your using is secure (https) which brings in the hassle of obtaining an ssl certificate.
Another option would be using OAuth, though your use case seems a little bit different than the standard OAuth use-case. OAuth is a protocol that uses a token based system to establish a users permission to access certain data from an application by another application. In your case you would be in control of both the first and the second application (hence my remark on being different than the standard use-case) Read here for more info.
I think it will be more easier if you use a webservice to make this connection between android and php server
this Presentation may help you ..
you are gonna deal with SOAP and xml or JSON to send data from android to php server.
and this a Video that shows how to deal with REST android Apps.
hope that help.
I think building an API on the server-side would be the best approach. For example a simple REST endpoint might be the way to go.
You can also host the API over HTTPS so that the communications channel is secure.
you need to create PHP web service for that. and while accessing you can pass security key like IMEI of phone for log. I think it can be secured mode for login from Android Phone.
Best practice these days is to set up a simple JSON web service, and use the built in Android HTTP & JSON libraries to interact with this service.
Create a login page in android, take the values from the fields send those values to server using httppost there store in your database and send response from the server
i think you first make a login form on Php server and send it the login and password as soon as user types and php returns the JSON object then read it if login is accepted by server login to application.
another way is when user don't have the net access make some Content providers on android and store the user pass there and match from there locally.