3

I'm a total noobie when it comes to encryption and I think I'm seeing my problem all wrong, let me explain:

I want an Android application to contact a server to get items to display in an app. Then if the user interacts with this item , I want to send a feedback to the server telling which item has been clicked on to save it in a database .

The first thing is that I don't want anyone to "intercept" this "feedback" over the network while sending them to the server. So I decided to use https connection. But let's say the script I'm calling for feedback is https://mydomain.com/myscript.php (with a POST request). I don't want someone to reverse engineer my Android code and see that I'm calling this script to send a feedback ,because then he could use it to the same purpose.

So then I thought "Hey, let's just grab a key from the server to send it back when i have to send a feedback to the server". But again, to get this key, I need to call a php script, and if someone could call this script, get the key, he could then send the feedbacks as he wants.

It seems to me like there is no end to this. And I know there is one :D I think I am looking at this the complete wrong way. Do you have some guidelines to follow to do so?

Thanks !

Improve this question
5
  • It is fundamentally impossible to make your app do something and prevent the user from being able to do it directly. Commented Feb 1, 2013 at 16:30
  • I think you are being overly paranoid. I don't see why you need to use HTTPS and a whole lot of encryption for this? Commented Feb 1, 2013 at 16:36
  • 1
    So essentially your concern is you don't want invalid feedback from the user? The only way you can prevent this is to employ some form of server side validation. Nothing is bullet proof but perhaps start by tracking which elements were served to users that can provide feedback. That way any feedback from a user on an element that hasn't recently been provided would be deemed invalid? That said, I agree with Simon & SLaks in that you're probably being overly paranoid. Commented Feb 1, 2013 at 16:39
  • Yes TheCapn, these feedbacks are important and I want them to be actual feedbacks from the app and not from someone using a bot :D But since the three of you say I'm being overly paranoid, I will try to detect "fake" feedbacks server-side. It's just that I thought there was a proper way to do this since I have absolutely never used any security in my programming life :D Thank you very much ! Commented Feb 1, 2013 at 16:48
  • @simon-andre-forsberg, I don't think he is being overly paranoid at all! Figuring out what post requests an app makes is very easy. For a small experimental app it won't matter. But if you're making an app as/for a business this is important. Commented Feb 2, 2013 at 2:12

1 Answer 1

Reset to default
4

Don't trust clients

You cannot extend trust to client software. There is a good quote in "Building Secure Software: How to Avoid Security Problems the Right Way" by Viega and McGraw.

People commonly hide secrets in client code, assuming those secrets will be safe. The problem with putting secrets in client code is that talented end users will be able to abuse the client and steal all its secrets. Instead of making assumptions that need to hold true, you should be reluctant to extend trust. Servers should be designed not to trust clients, and vice versa, since both clients and servers get hacked. A reluctance to trust can help with compartmentalization.

A solution

You can't trust client software. But you can sometimes trust individual users. And you can remove spam. Things to consider:

  1. Detect spammy posts by using a spam classifier. This will take a bit of time.
  2. You can rate limit POSTs from a single IP address
  3. You can require users to be logged into your app in order to write feedback. And then rate limit feedback from a specific account.
  4. Better yet, you could require people to first authenticate themselves with Google+ or facebook's servers (ie, your app requests the user to authenticate their Google credentials. This should be pretty painless for them, since 95% Android users have Google credentials.) before posting. Then rate limit each account. Most bots won't have access to many/any fake facebook/Google+ accounts, since you have to break captchas in order to register. This should make it very difficult for bots to post.

Large companies use a combination of 4, 3 and 1. The Google Play store used to try and detect all spam reviews and delete them. But now they use #4 as well. You can't post reviews on the Google Play store without being logged in anymore!

Edit: this may also be useful http://android-developers.blogspot.ca/2013/01/verifying-back-end-calls-from-android.html?m=1

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Thank you, I will indeed try to implement some intelligence on the server side to detect possible frauds.
Might also want to look at this:android-developers.blogspot.ca/2013/01/…

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.