I am working on an android app that basically brings functionality of a website to android. What I would like to do is to allow a user to sign up to the website from the android app. I think I should a use a service but I would like to take precautions to prevent the service from being abused, i.e. someone flooding with many fake accounts. Does anyone have any suggestions? What should I do on the app or on the service to prevent this? I though about using a captcha generated on the server but I would like to avoid that.
Edit--
I need to be able to create new user from the app, so I'm worried someone will figure out how I connect to the server and they will just start creating many new users. I am thinking on doing this with a post request but i am not sure if I should
Edit--
It just came to my mind that I should limit the requests coming from an IP address. Do cellphones share IP addresses or are they all unique?
You can use a WebView inside your mobile application, through this you don't need to get worried about authentication as you are already doing it in your web application.
Related
I made an API for PHP which provides data to the Windows 10 UWP app to load data from MySQL. I would like to make sure that only the app has access to that data and people can't just check it out from a browser. Do you guys have any idea how to do it? Can I send a unique id from my app and check if it is real on the back end of the PHP server?
If you do not want to authenticate your users. You could pass the Appid in the header.
string appId = CurrentApp.AppId.ToString();
and only allow gets and posts with information included to use your api. It might be better to use an authentication service like an oath provider. This would be a much more secure way to go. Someone could easily spoof your app if you are not using https to communicate with your backend.
I have to make an application that receives commands from a website and therefore perform an action.
I thought about creating a login in android to send the username and password for POST and if this is correct, the web server will return a unique token. That would serve me later to send information to the server and ensure authentication...
But ... how can my android application know when the website has a warrant for?
I've thought about that all the time is pending a URL "checkOrders" and if it finds your token, request orders to another URL
Anybody know other method to make it?
If I understood your question correctly, the only (battery and otherwise) efficient way is using push notifications. Unfortunately, this approach is not even close to being simple.
Since you're developing an Android application, you may want to consider Google Cloud Messaging and Parse Push. If you're planing on developing apps for iOS and Windows phones in the future, I'd strongly recommend Parse Push. At the moment, it's free for up to one million users.
Hyperlink for GCM will lead you to generally useful reading on this topic. That's why I am not elaborating here.
I am looking to build an API that I can deploy on my servers to monitor system load.
It will report to a central manager server that runs a client to display the information.
The issue I am struggling with is best to secure the API.
What I want is for the client to be the only software that can access the server and retrieve this information but I am unsure how to achieve this using PHP.
I also want the possibility of distributing the API and client for others to use on their servers so I don't want people to be able to access other people data if they are using the API also.
The client is also written in PHP using MySql and has a secure login.
This sounds like you're trying to solve the wrong problem.
I also want the possibility of distributing the API and client for others to use on their servers so I don't want people to be able to access other people data if they are using the API also.
The only right answer to this is authentication. You need to protect your API by giving each user access credentials known only to them.
Your API must never reveal any data that the client isn't allowed to see as per their authentication credentials. Trying to work around this danger by trying to somehow protect the client from prying eyes is not safe - somebody who has access to the client and can observe it running will be able to reverse engineer any traffic between it and the server given enough effort.
If the API is properly secured, it won't matter to you which client tool is used to access it. The requirement to limit API access to a certain program will go away.
if you use SSL, along with authentication (i use 3rd party auth google, fb, etc), create data /reports on the fly and have the data saved in a subdirectory OUTSIDE your web folder (instead of /var/www, /var/myStorage/currentSessionId/), then you basically guarantee the security that you want.
your php will only access a subdir that is named for the session it is running under.
Recently I programmed a little app for my android device. As the datastorage for the app, Iam using a mysql database, which can be accessed via different php scipts. So all the app does, is it sends POST requests to the php scripts to communicate to the database.
But now I consider about the security aspect. These php scripts can be accessed by every webclient. So every webclient has the possibility to compromise my database, which is of course not the ideal case.
So I was wondering if there is a way to just allow authorized clients to use these php-webservices?
Does php provide any kind of authentification that can be used by an android client?
Cheers
You simply need to require an authentification when invoquing the service:
simple and dirty: http basic auth, like Twitter used to do
a better solution is OAuth, like Twitter now does
There are of course other possibilities (WS-Security, but you don't seem to use SOAP).
for security, you should prefer to interact through an API to your mysql...isn't it?
A few points:
Use a different port (i.e: not 80 or 8080) for the web access
Add authentication with a username and password. Inside your application, you can get these from a secure config file.
On the server side, you can also do some checking on user agents, IP addresses and maybe even device ids.
This is just a start
I'm working on developing a native android application to retrieve data for a user from my company's website.
Because the data is specific to the user, I need to authenticate with our web server, but I'm unsure of the best way to go about this. I've been reading about REST/SOAP/HTML form auth, but I can't really find any definite 'this is how its done' anywhere. I know mobile apps do this kind of thing all the time - just look at facebook/skype/any email app - you have to login before you can do anything.
My question is - how should I architect the server side code (php) to easily allow me to authenticate a user from my android device?
I'm fairly new to the 'web service' arena - does this fall into that category? Are there any tutorials you guys would recommend looking at?
Thanks!
While I haven't developed for Android, I can suggest that you simply rely on some stateless authentication scheme, such as HTTP Basic or Digest. This means that the credentials will be passed with each and every request, and you avoid having to keep track of state, which means you can keep your API nice and RESTful.
I suspect if I were writing an android app, in most cases, I'd probably first try to get communication working with something at-least-vaguely RESTful, using HTTP Basic auth, and JSON encoding (just because PHP makes (de)serializing JSON so easy).
Of course, depending on your problem domain, that might not be ideal, but it's a good architecture to try first, because it's pretty easy all-around. If it fails you, you can go back and start swapping parts out, until you find the right architecture.
Some mobile apps use OAuth to authenticate with a web server, such as twitter has. This may not be exactly what you're looking for, but none-the-less here's an example: You would log in to web service and authenticate the mobile app (which would have requested access) to be able to utilize your data on web service, like an access key (actually called a token) with which the mobile app then utilizes to communicate with the web service on your behalf; the token could be then passed as part of the url. You'll still likely want to consider SSL or some level of encryption.
This post may also be of help for you