
I'll try to demonstrate my question with a simple example: I've got a small app on Android in which the user can log in and stays logged in. Thus I know the user-id and have it stored on the smartphone.

Now on my server I've got some entries which are user specific and they change from time to time. I'd somehow download them so that those entries are available locally in the app, but obviously only the related entries for the logged-in user.

How to do that securely?

I could set up a PHP script which gives the entries of a user with a specified ID as a JSON data array. But how to make it safe enough so that nobody can exploit the script and e.g. call it from the browser directly? I mean I could do something like:

<?php
// check and validate $_GET['user_id']
$userId = filter_input(INPUT_GET, 'user_id', FILTER_VALIDATE_INT);
if ($userId === null || $userId === false) {
    http_response_code(400);
    exit;
}

// select all entries for this id:
$rows = $mysql->fetch('...');

// return as JSON:
header('Content-Type: application/json');
echo json_encode($rows);
?>

and then send an HTTP request from the app to the server with the specified user-id. But I have to make sure that there is no other way to retrieve data than this way.

And secondly: I've got to make sure that nobody can exploit the Android app in such a way that he modifies the stored user-id to a custom specified one and then uses the app to retrieve the data of different users. That means there MUSTN'T be any way to somehow change the locally stored user-id of the currently logged-in user. How to do this?


Okay, as wtsang02 answers: storing the password (probably hashed/salted) and the user-id both locally in the Android storage of the app, I see the following advantages:

  1. When the user tries to modify the locally stored user-id in any (hacked/hacky) way, he would not be able to retrieve information from the server for a different user (different user-id) because he obviously doesn't know the other user-id's password.
  2. When somebody changes his password via the homepage of our app, he needs to log in within the app because the stored password doesn't match the one in the online database anymore.
  3. I could use the PHP script as posted above without the need to hide it from direct browser calls, making it something like (###). Because every call which would come from the browser directly would not simply yield the database entries for a user with a specific user-id, as you'd need to know the password itself (and then it would obviously be legitimate to retrieve the data in any way as you're authenticated), but the user would also need to know how the saltedPassword is exactly calculated (hashing function, which salt, how many iterations etc).

(###)

// check and validate $_GET['user_id'] and $_GET['saltedPass']
...
if(correctCredentials()) {
  // select all entries for this id:
  $rows = $mysql->fetch('...');

  // return as JSON:
  header('Content-Type: application/json');
  echo json_encode($rows);
} else {
  // wrong user-id/password pair: return nothing
  http_response_code(401);
}

-------> But still, one big question remains: when I store the user-id locally within the Android app storage, is it really possible for the user to modify that in any way? I thought the local Android storage would be safe and restricted to be used by the specific app!?

Thanks in advance


Let's answer the 2nd question first.

I've got to make sure that nobody can exploit the android app in that way that he modifies the stored user-id

This won't work because anything on the user side, you can't trust. They can modify this any way.

Now as for your first question: why not store your user-id and password locally on the phone? Each time you need to retrieve the data, you pass user-id and password to your server for validation. This way, it doesn't matter if your user modifies user-id or password. And as the regular user, they won't need to change their password and relogin again if you store it locally.

Update:

Any local storage isn't safe. Any rooted device can view/edit any files that your application has. It's not viewable on non-rooted devices. But you add your security measures for that little percentage of rooted devices or people trying to break your app, so you cannot consider this percentage of devices safe.

As comment has pointed out, use POST instead of GET if sending passwords.


4 Comments

Never ever send a password through GET. Always use POST and if possible w/ SSL.
@Javier Provecho Fernández: Yeah I will do this, but could you please tell me why? But yeah, I'll send it through POST anyway. Sending the salted password is good, isn't it? Maybe even using SSL if the server supports it...
@tim: If you send the salted password as a GET parameter, it will be visible in the URI for "anyone" sniffing or even in the history. POST + SSL is very difficult to obtain.
Yeah okay, but only when using SSL. When not using SSL, then I thought it wouldn't make any difference between GET and POST!?
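Pulling the answer and the comment thread together, here is an added example (not code from the original question, answer or commenters) of what the server side of that scheme looks like: credentials are read from the POST body, checked against a server-side hash with password_verify, and the entries query is bound to the id that actually passed verification rather than to whatever the client claimed. It is self-contained: it builds an in-memory SQLite database through PDO with constructed sample users and entries. The table and column names (users, entries, pass_hash, body) and the POST parameter names (user_id, password) are assumptions.

```php
<?php
// Added example, not code from the original post. Runs offline: an in-memory
// SQLite database via PDO holds constructed sample data. Table/column names
// (users, entries, pass_hash, body) and the POST parameter names are assumptions.

function buildDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, pass_hash TEXT NOT NULL)');
    $db->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, body TEXT NOT NULL)');

    // Constructed sample users. The hash is created and kept server-side;
    // the app never needs to know the hashing function, salt or iterations.
    $ins = $db->prepare('INSERT INTO users (id, pass_hash) VALUES (?, ?)');
    $ins->execute([1, password_hash('alice-secret', PASSWORD_DEFAULT)]);
    $ins->execute([2, password_hash('bob-secret', PASSWORD_DEFAULT)]);

    $ins = $db->prepare('INSERT INTO entries (user_id, body) VALUES (?, ?)');
    $ins->execute([1, 'alice entry 1']);
    $ins->execute([1, 'alice entry 2']);
    $ins->execute([2, 'bob entry 1']);
    return $db;
}

// Check the submitted credentials against the stored hash. Returns the
// verified user id, or null if the id is unknown or the password is wrong.
function authenticate(PDO $db, int $userId, string $password): ?int
{
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return null;
    }
    return $userId;
}

// The query is bound to the id that passed verification. A user who edits
// the user-id stored on the phone still needs that other user's password.
function entriesFor(PDO $db, int $verifiedUserId): array
{
    $stmt = $db->prepare('SELECT id, body FROM entries WHERE user_id = ?');
    $stmt->execute([$verifiedUserId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Request handler. $post stands in for $_POST so the function can be driven
// from the CLI below; in production this endpoint is reached only over HTTPS.
function handleRequest(PDO $db, array $post): array
{
    $userId = filter_var($post['user_id'] ?? '', FILTER_VALIDATE_INT);
    $password = (string) ($post['password'] ?? '');
    if ($userId === false || $password === '') {
        return ['status' => 400, 'body' => ''];
    }
    $verified = authenticate($db, $userId, $password);
    if ($verified === null) {
        // Same response whether the id or the password was wrong, so a
        // direct browser call learns nothing about which ids exist.
        return ['status' => 401, 'body' => ''];
    }
    return ['status' => 200, 'body' => json_encode(entriesFor($db, $verified))];
}

$db = buildDatabase();
if (PHP_SAPI === 'cli') {
    // Constructed requests: the genuine client, then a client that changed
    // its stored user-id to 2 but only knows Alice's password.
    foreach ([
        ['user_id' => '1', 'password' => 'alice-secret'],
        ['user_id' => '2', 'password' => 'alice-secret'],
    ] as $request) {
        $response = handleRequest($db, $request);
        echo $response['status'], ' ', $response['body'], PHP_EOL;
    }
} else {
    $response = handleRequest($db, $_POST);
    http_response_code($response['status']);
    header('Content-Type: application/json');
    echo $response['body'];
}
```

Run it with `php` on the command line to see the two constructed requests handled; behind a web server it reads `$_POST` instead. On the GET-versus-POST point raised in the comments: without TLS the POST body crosses the wire in clear just like a query string, so moving the credential into the body mainly keeps it out of server access logs, proxy logs and browser history; only TLS keeps it from a network sniffer. The same server-side structure works unchanged if the app stores a random per-login token instead of the password itself, which limits what a rooted device can read from the app's private storage.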
