3

I have an android application that requires a connection with PHP pages in order to add sensitive data to a database that will affect the application. one can simply find the url where the data is sent to and manipulate it.

I thought about creating a registration based on IMEI, but still able to manipulate it for malicious purposes.

I have also checked OAuth, I didn't really understand how it works and if it can help in my condition. What can I do to fully secure my application? Thanks in advance!

EDIT: By the way, what I am mostly trying to achieve here is to make sure the requests are being sent from an Android and not from any other device.

Improve this question
2
  • 1
    Any request can be freely designed by the sender, and whatever way you come up with to recognize an Android device, someone could come up with a way to fake it. Why does it matter whether the requests are being sent from an Android device in the first place? Commented Oct 27, 2012 at 10:58
  • Thanks for the answer, I will explain myself in a better way - I'm trying to make sure my application is the one sending the data and not the user himself, since my application is based on "generated" data that if one can manipulate it, it will cause my application to not work normally (unless I check every single data inserted to the database personally). Commented Oct 27, 2012 at 11:05

2 Answers 2

Reset to default
1

I'm trying to make sure my application is the one sending the data and not the user himself, since my application is based on "generated" data that if one can manipulate it, it will cause my application to not work normally (unless I check every single data inserted to the database personally).

There will never be a sure-fire way to be 100% sure of the sender's identity. The basic principle is "never trust the client"; you have to assume that any message coming from outside could be forged. Generally speaking, your application should be able to accept any kind of request without malfunctioning, validate the data, and reject anything that's out of order. Eventually, that can go as far as blocking senders that have been trying to send manipulated data.

Trying to make sure of the sender instead of securing the receiving server is not a good practice, and will always leave you vulnerable.

The more fruitful question to ask would be, is there no way have your app validate the incoming data automatically, as opposed to personally by you as you say in your comment? Maybe the community can help you with that aspect if you provide some more detail about what your app is doing.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

First of all, thanks a lot for your reply. It is almost impossible to automate these specific checks (and if the application is successful there will be too many). The whole idea of the application is that it trusts the user data (yet the user does not actually write the data, the app gets the data based on the user activities), and it's very hard to know whether the data is legitimate or not even if I check every single data sent. I guess that if there's really not a way to check if my application sent the data, I will need to manually check it and add a ban system.
@Elad I see. I can imagine what kind of data that would be (like, say, heart rates or blood levels or something); but there might be ways to sniff inconsistencies. Maybe it it's worth a separate question if you're willing to discuss details of what you're doing. I'm often surprised about how much can be done programmatically when you have a group of smart people coming up with their ideas.
@Elad I think the usual way of adding security in a case like this is binding the incoming data to a person through a login system. That way, you can review the data and erase data from people whose numbers look somehow strange. Whether that's practical depends on the nature of your app though.
Thanks again for your reply, unfortunatly I can't really discuss what this app is doing since I have some big plans for this and it's an original idea. I also thought about a login system, but even then one can manipulate the data (even if I block his device ID, he can easily fake a new one). This is a real problem hehe...
1

You are describing a typical scenario for a digital signature process. If you are familiar with asymmetric cryptography, your android application should be assigned a private key and your php server should have the corresponding public key.

When the android app sends an HTTP request, it should generate a digital signature. This is typically by generating a digest for the request, before encrypting it with the private key. When the server receives the request, it should use the public key to retrieve the digest. It should also generate a digest value by itself (using the same logic as the android app) and compare the two values.

The question is how to make the private key accessible to the android client. If an intruder manages to still this key, then he will be able to impersonate the client. One approach is to "hide" the key in the source code, in a way that makes reverse engineering hard (that is an art). It must be possible to invalidate these keys, so that if they are compromised, new ones can be used.

Improve this answer

3 Comments

Thank you for the answer. So in the end of the day, once someone does some small reverse engineering job on my application he will get the key and still be able to modify the data sent to the server. I assume that my only option would be to implement a login system and ban such members (yet I won't be able to permanent ban them since they can spoof the IMEI that is sent to the server just like anything else).
Well, how "small" the reverse engineering job is depends on how well you protect your key within the code. As a bare minimum, you should obviously obfuscate your code, but there are other things that you can do.
Can you recommend any other things I can do to obfuscate it as much as possible? I highly doubt using Pro Guard is enough, and no matter what I do, a man with enough desire to ruin this app will eventually be able to do so.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.