I have a SQL database on the internet which has information I need my Android app to be able to access. The app needs to know the username and password of the database. How can it know?

If I code it in, anyone can get it.

7
  • A publicly accessible DB? That sounds like a disaster in the making. You should create a proper web service and let each user have their own username and password, with access only to their own data. Commented Sep 9, 2014 at 20:34
  • @thkla I need every copy of the app to access all data, but the data shouldn't be visible to the user Commented Sep 9, 2014 at 20:35
  • That's impossible - if your application can access the data, then any sufficiently determined and knowledgeable user will be able to do the same. Commented Sep 9, 2014 at 20:36
  • You should have an intermediary to act as a go-between that controls access to the database, such as a web service for example Commented Sep 9, 2014 at 20:42
  • @MadProgrammer Then the same problem applies to the web service as the DB Commented Sep 9, 2014 at 20:43

1 Answer

3

In general, databases should not be publicly accessible, nor should they be directly accessed by a user application, for several very good reasons:

  • There is generally no easy way to implement row-level access control. Views and triggers can only get you so far - in general application-level users do not map well to database users, since the latter usually have access to far more data than the former should have.

  • The DB clients are tied to the actual database schema. Having clients that are not under your control, like, say, an Android application, is a very good way to tie yourself up in ways that would disallow any and all future development.

  • Having a DB port open to the world is not considered by any means secure. Any potential security hole would give straight access to all of your data. The MySQL security guidelines explicitly warn against opening the DB port to the internet.

  • There is no way to protect the DB credentials or the data from a sufficiently determined and knowledgeable user. If your application can access something, so can they.

  • Database access protocols are mostly designed with local-area networks in mind, rather than the inherently unreliable nature of the Internet. Even encryption and security are often more of an afterthought...

The standard way to approach this issue is to create an intermediate web service with separate user accounts and a restricted set of operations on the data. The web service would let each user access only the data that relate to them, and even that indirectly. This approach separates the data from the user application layer, allows you the flexibility of storing and accessing your data however you wish and provides an additional layer of security for your DB.
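As an added illustration of the intermediary described in this answer (example code, not the answerer's own), the sketch below shows the shape of such a service: the database credentials exist only on the server host, each app user authenticates with their own token, the service exposes a fixed set of operations, and every query is scoped to the caller's rows on the server side. The in-memory SQLite database, the user names, the tokens and the `RecordService` class are all constructed for the demo.

```python
import hashlib
import os
import sqlite3

# Real DB credentials live only on the service host; the client never sees them.
DB_PASSWORD = os.environ.get("APP_DB_PASSWORD", "<set-on-the-server-only>")

def token_hash(token: str) -> str:
    # Only a hash of each app user's token is stored, so a leaked table gives no working credential.
    return hashlib.sha256(token.encode()).hexdigest()

def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")  # constructed stand-in for the server-side SQL database
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, token_hash TEXT UNIQUE);
        CREATE TABLE records (id INTEGER PRIMARY KEY, owner_id INTEGER, note TEXT);
    """)
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", token_hash("alice-token-constructed")),
        (2, "bob", token_hash("bob-token-constructed")),
    ])
    db.executemany("INSERT INTO records (owner_id, note) VALUES (?, ?)", [
        (1, "alice's first note"), (2, "bob's private note"), (1, "alice's second note"),
    ])
    return db

class RecordService:
    """The intermediary: authenticates app users, exposes fixed operations, scopes every query to the caller."""

    def __init__(self, db: sqlite3.Connection):
        self.db = db

    def _user_id(self, token: str) -> int:
        row = self.db.execute("SELECT id FROM users WHERE token_hash = ?",
                              (token_hash(token),)).fetchone()
        if row is None:
            raise PermissionError("invalid token")
        return row[0]

    def list_my_records(self, token: str) -> list:
        uid = self._user_id(token)  # owner filter comes from the server-side identity, never from the client
        rows = self.db.execute("SELECT note FROM records WHERE owner_id = ? ORDER BY id",
                               (uid,)).fetchall()
        return [r[0] for r in rows]

    def add_record(self, token: str, note: str) -> int:
        uid = self._user_id(token)
        cur = self.db.execute("INSERT INTO records (owner_id, note) VALUES (?, ?)", (uid, note))
        return cur.lastrowid
```

Because the owner filter is derived from the authenticated identity rather than accepted as a request parameter, a client cannot ask for another user's rows, and changing the schema later only requires changing this service, not every installed copy of the app.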
