Securing php api to use in android application

Frontend | Unresolved | 7 | 646
余生分开走 2021-01-31 18:40

I am a newbie to Android development. I am using Android Studio for developing an application. Things I have done:

  1. Created a DB with two ta
7 answers
  •  难免孤独 2021-01-31 19:16

    The only method to secure your API is to make your Android requests unique. Collect more specific data from your app.

    1 - Get the Android Unique ID

    // Settings.Secure.ANDROID_ID: a per-device identifier returned as a hex string
    String uniqueID = Secure.getString(getActivity().getContentResolver(), Secure.ANDROID_ID);
    

    And pass it through your API, e.g.:

    http://192.168.100.9:8000/MobileApp/GET_DATA.php?yourvalue=something&id=UniqueID
    

    In your PHP, deny access if there is no Android Unique ID (you should use a more complex variable name). E.g.:

    // the parameter name must match what the app sends: the URL above uses "id"
    $uniqueID = $_REQUEST['id'] ?? '';
    if ($uniqueID == "" || strlen($uniqueID) < 9) {
        // do something about abuse
    } else {
        // your code
    }
    

    2 - Create your own random variable in the Android app

    Create your own variable to make sure the request comes from your app, e.g.:

    Random r = new Random();
    // nextInt(8999) gives 0..8998, so i1 is in the range 1000..9998
    int i1 = r.nextInt(9999 - 1000) + 1000;
    

    Also pass this value with your request and validate it when it reaches PHP:

    // cast to int so a non-numeric or missing value falls outside the range
    $r = (int) ($_REQUEST['r'] ?? 0);
    if ($r >= 1000 && $r <= 9999) {
        // request passed the range check
    }
    

    Deny the request if the value is missing or wrong.

    3 - Make sure requests come from Android

    I recommend the best free PHP library, http://mobiledetect.net/. Check whether the request is from Android and write a deny function for invalid requests.

    4 - Validate request via User-Agent string in PHP

    $agent = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $agent = strtolower($agent);

    // case-insensitive check for "android" anywhere in the User-Agent string
    if (strpos($agent, 'android') !== false) {
        $os = 'Android';
    }
    

    And deny it in PHP if it is not from Android.

    5 - Record the attackers

    You need to track whether someone is breaking one of the above protections. Currently I am using ip-api.com to track attackers.

    You need to write a deny function with a MySQL insert. According to ip-api, you will get:

    1 - The attacker's IP
    2 - The attacker's geolocation
    3 - The attacker's ISP

    So you can deny them statically.

    It is then about safe to use your API from Android, and PC requests are almost all denied. But there is a chance to break your app with reverse engineering tools like dex2jar or ShowJava and grab your simple data structure. For a programmer, the functions and code above are very easy to work out, and they will get in with fake data inputs.

    So you should not write a program with static values, such as the important link "http://192.168.100.9:8000/MobileApp/GET_DATA.php" hard-coded in your app. You should split the data, encrypt it simply, and fetch all of your main URLs dynamically through the secured PHP/MySQL API method above.

    If you cover it with a two-step dynamic system like this, there is very little chance of breaking into your system.
    I have one important thing left to say: if you are using it for a closed group of users, you should use a request->approve system for each user at first-time app registration, using their unique ID, and easily deny access to the others.
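As an added example (not code from the answer above), the answer's checks 1, 2 and 4 folded into one PHP validator, with the step-5 abuse record written as a prepared-statement insert; the parameter names deviceId and r, the abuse_log table and the $db PDO connection are assumptions.

```php
<?php
// Added example, not code from the answer: checks 1, 2 and 4 folded into one
// validator, plus the abuse record from step 5 via a prepared statement.
// Parameter names (deviceId, r), the abuse_log table and $db are assumptions.
declare(strict_types=1);

function validate_app_request(array $params, array $server): ?string
{
    // 1 - ANDROID_ID is a 64-bit value sent as 16 hex characters.
    $deviceId = $params['deviceId'] ?? '';
    if (!is_string($deviceId) || !preg_match('/^[0-9a-f]{16}$/i', $deviceId)) {
        return 'missing or malformed device id';
    }
    // 2 - the app-generated value must be an integer in 1000..9999.
    $r = filter_var($params['r'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1000, 'max_range' => 9999]]);
    if ($r === false) {
        return 'check value out of range';
    }
    // 4 - the User-Agent must mention Android (case-insensitive).
    $agent = strtolower($server['HTTP_USER_AGENT'] ?? '');
    if (strpos($agent, 'android') === false) {
        return 'user agent is not android';
    }
    return null; // every heuristic check passed
}

// 5 - record the rejected request. Assumed table:
//   CREATE TABLE abuse_log (id INT AUTO_INCREMENT PRIMARY KEY, ip VARCHAR(45),
//                           reason VARCHAR(64), agent TEXT, seen_at DATETIME)
function log_abuse(PDO $db, array $server, string $reason): void
{
    $stmt = $db->prepare(
        'INSERT INTO abuse_log (ip, reason, agent, seen_at) VALUES (?, ?, ?, NOW())'
    );
    $stmt->execute([
        $server['REMOTE_ADDR'] ?? '',
        $reason,
        substr($server['HTTP_USER_AGENT'] ?? '', 0, 512),
    ]);
}

// Usage in GET_DATA.php ($db is an existing PDO connection, assumed here):
$reason = validate_app_request($_REQUEST, $_SERVER);
if ($reason !== null) {
    log_abuse($db, $_SERVER, $reason);
    http_response_code(403);
    exit;
}
```

As the answer itself notes, every one of these values can be supplied by a modified client, so a pass is a heuristic filter and the abuse log is what gives you the evidence to act on.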
