0

I'm sending data from an Android app to a PHP script which receives the information and processes it. I've found a security issue: if someone discovered the URL (for example: mydomain.com/recievedata.php), anyone would be able to send data to my system.

What's the ideal method to ensure the client sending the data is the app?

Thanks!

2
  • 1
    Maybe add special content in the request header? This can still be cracked, but not by just looking at the URL. Commented May 31, 2012 at 21:33
  • Special content like what? I mean is there any specification or something? Thanks Commented May 31, 2012 at 23:15

3 Answers

6

One easy way that I've seen some companies do is to include a secret key. For example, you might have a secret=3CH6knCsYmvA2va8GrHk4mf3JqmUctCM parameter to your POST data. Then all you need at the top of receivedata.php is

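// Treat a missing or non-string value as an empty secret instead of raising a notice.
$secret = (isset($_POST['secret']) && is_string($_POST['secret'])) ? $_POST['secret'] : '';
// hash_equals() compares in constant time, so response timing does not leak the secret.
if (!hash_equals('3CH6knCsYmvA2va8GrHk4mf3JqmUctCM', $secret)) {
    header('HTTP/1.1 403 Forbidden');
    // The submitted value is client-controlled, so it is not written to the log.
    error_log("ERROR: wrong secret");
    exit("Access denied");
}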

You can easily generate the random string from random.org.

Of course, this is not the most secure method and that string might well be stored in plaintext in the APK (don't use this to send launch codes!), but it's easy and good enough to keep most people out. This might be adequate for, say, sending player scores for a game.


2 Comments

Hi, this is how I did the code but they said to me that it's not secure enough to send data like user_id in the registration and other stuff. Thanks.
Any idea what else they want? Do they want users to log in? Do they need the data being passed to be encrypted? These are different types of concerns.
3

It's more like a PHP question. Here are the things you should do for security:

  • Add a hash between your app and your PHP to sync (AKA secret key)
  • Make sure your script controls every input data
  • DO NOT send data to a query without escaping it (SQL injection)
  • Try to use POST instead of GET or REQUEST
  • Keep your functions private as much as possible
  • Always parse the data you receive (check if it's a number, or string, or array, etc.)

With these, no one will be able to use any of your PHP files without your app. And they won't be able to receive any data without your permissions.
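The shared-secret check from the first answer and the "hash between your app and your PHP" plus input checks from this list can be combined by having the app send an HMAC over the fields rather than the secret itself. This is an added example, not code from either answerer; the field names (user_id, score, ts, sig), the 300-second window and the secret value are assumptions.

```php
<?php
// Added example. Field names, MAX_SKEW and the secret are illustrative assumptions.
const SHARED_SECRET = 'replace-with-long-random-value'; // constructed placeholder
const MAX_SKEW = 300; // seconds a signed request stays valid

// What the app computes before sending: HMAC-SHA256 over the fields in a fixed order.
function sign_fields(string $userId, string $score, string $ts, string $secret): string {
    return hash_hmac('sha256', implode("\n", [$userId, $score, $ts]), $secret);
}

// Server side: returns [HTTP status, validated data or error text].
function check_request(array $post, string $secret, int $now): array {
    foreach (['user_id', 'score', 'ts', 'sig'] as $f) {
        if (!isset($post[$f]) || !is_string($post[$f])) { // missing field or array value
            return [400, "missing or malformed field: $f"];
        }
    }
    // Check the type of every value before it is used anywhere.
    if (!ctype_digit($post['user_id']) || !ctype_digit($post['score']) || !ctype_digit($post['ts'])) {
        return [400, 'fields must be non-negative integers'];
    }
    if (abs($now - (int)$post['ts']) > MAX_SKEW) {
        return [403, 'stale timestamp'];
    }
    $expected = sign_fields($post['user_id'], $post['score'], $post['ts'], $secret);
    if (!hash_equals($expected, $post['sig'])) { // constant-time comparison
        return [403, 'bad signature'];
    }
    return [200, ['user_id' => (int)$post['user_id'], 'score' => (int)$post['score']]];
}

// Constructed sample requests; run with the PHP command-line interpreter.
$now = 1338500000;
$good = ['user_id' => '42', 'score' => '1300', 'ts' => (string)$now];
$good['sig'] = sign_fields($good['user_id'], $good['score'], $good['ts'], SHARED_SECRET);
$tampered = array_merge($good, ['score' => '999999']); // score changed after signing
$replayed = $good;                                      // same request, one hour later
foreach ([[$good, $now], [$tampered, $now], [$replayed, $now + 3600]] as [$req, $t]) {
    [$status, $result] = check_request($req, SHARED_SECRET, $t);
    echo $status, ' ', json_encode($result), "\n";
}
```

The key still ships inside the APK, as the first answer notes, so this rejects modified fields and stale copies of captured requests but not a sender who has extracted the key.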


1

The only proper way is not trusting the data you receive. Always treat it in a way suitable for crafted data coming from a bad guy.
