1

I have following scenario: The Android clients communicate with a PHP server via HTTP Post. The PHP server is communicating with mySQL database and sends the output as JSON to the Android client. I have stated this already in question: securing connection to php server

The conclusion there is to use TLS/SSL to secure the connection. Unfortunatelly my server does not support tls.

Is there some other way to somehow make it little more difficult to get the API of my php server, so people cannot post via PC to my server.

I thought about gzip, but I it will be a low barrier...

So if someone sniffs the traffic with wireshark, he should not easily get how the communication to my php server is done.

Improve this question
4
  • 1
    I think you still have the same problem as before. Keeping a secret from the user. Have you considered forcing users to create an account at your site, and try to keep your system under control that way? Commented Dec 29, 2011 at 23:15
  • no, I dont want the user to have an account. Commented Dec 29, 2011 at 23:31
  • Why do you care if someone sees how your web API works? If it is public, it shouldn't be secretive. If you are storing personally identifiable information or other information that the user considers to be sensitive, then please don't run a web service that allows an anonymous user to access it, without restricting access to authenticated and authorised connections (even if they have to extract your public encryption key / magic number / hashing alg from the app first); No one will thank you for that. If the user cares about the data, they likely won't mind using some form of authorisation. Commented Dec 31, 2011 at 14:51
  • you are right. But the data I am storing in the backend is not sensitive. The user do not care about it. But I am afraid of kids filling my database with nonsense using PC. Thus I think a HMAC is sufficient to reach my goal. Commented Jan 2, 2012 at 0:30

2 Answers 2

Reset to default
3

you could create some sort of hash of all the data you are sending to the server, then send that hash along with the data to the server, the server could then calculate the same hash and check it against the sent hash. then no one could send their own data unless they figure out how the hash is calculated.

Improve this answer
Sign up to request clarification or add additional context in comments.

7 Comments

can you give a hint how to realize this
wouldn't that require the server to already have the data the user is sending then? hashing is great for converting a string to a short unique string, but would have many permutations (as well as taking ages) to convert back to the original text. or at least thats my experience with hashing.
@cgoddard it would go like this, if I am sending the post variables x=12, y=abc, z=xyz, then I could send along with those hash=md5(12abcxyz) whatever that equals. the server would get the variables x, y, z, and hash, could calculate the same hash in the same way (concatenating the values of x, y, and z in alphabetical order), then compare the results to the hash variable that was also sent. if it's a match, respond, if not, don't. the real solution could get more complicated of course with a salt and what not.
sure you have to send the data in cleartext. I think he means a HMAC as hash. A key is used to create the hash. And you can check on the other site, if the guy has the right key
@tobias yeah, or sha512 or whatever. you are making it, so you have full control on the complexity. keep in mind still hackable if they decompile your code. could make further complexity by making them log in and using a salt unique to each user and other things etc...
|
1

You could use the ob_start, ob_get_contents and ob_end_clean to catch all the data you are outputting, then use some encryption algorithm to secure the data (possibly using a private key derived by your own time based function, then have a program running on the client to decrypt the data at the client end.

The level of security would depend on what technique you used, but you may sacrifice some performance if you use something too complicated. But if you use your own, it would make it very difficult for someone to crack, but that depends on how hard they are trying to break your system.

If you want to make it more sophisticated, have a look for Mentalis. They made an open source C# implementation of an SSL Server so you could use some of that if you need some inspiration.

Improve this answer

5 Comments

If you make your own algorithm it will be very easy for others to break. Unless you are a cryptographic genius.
true, there is always that. but there are lots of prebuilt encryption functions built into php that could do all that for you, just use a similar method to ssl
actually, if you used a nice and complex set of one-way functions then it would make it almost impossible to crack,
The problem is that I need the same on Android. Do you know hash/encryption functions which I can use on PHP and on Android/Java?
Pretty much all major algorithms should be supported on both platforms. The problem is key exchange. But if there is a possibility that you could create a key on the phone, and then somehow sync that to your server. But then people could just send you their own key, and still send data to your server.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.