Check if http request comes from my android app

后端 未结 5 657
你的背包
你的背包 2020-12-03 11:13

I retrieve data from an external server for use with my android application. I would like this data to be only accessible with my app. I use a standard http connection to ge

相关标签:
5条回答
  • 2020-12-03 11:33

    Unfortunately if someone decompiles your apk, then it can easily see your strings.

    EDIT: I don't think there is a better way to do this.. maybe only to publish your application on android market with the android Copy Protection turned On...

    0 讨论(0)
  • 2020-12-03 11:42

    One of basic rules of security is: you don't trust client data. Ever.

    You should consider your app decompiled, all "secret" keys known to attacker, etc.

    You can, however, hinder attacker's attempts to forge your requests. Sending (and verifying) checksum of your request is one of methods (your idea of MD5(secret_key + params)).

    You could also switch to a binary encrypted protocol. But this requires MUCH more work and quite a different architecture of server.

    0 讨论(0)
  • 2020-12-03 11:43

    You can hide your links by set all url links and paramete names in strings.xml for example: http://wwww.yourdomain.com/yourpage.any user_name and get url such at :

    String serverUrl = Resources.getsystem().getstring(R.strings.name_your_link_id); String parameterKey = Resources.getsystem().getstring(R.strings.name_your_parameter_id); Uri url = Uri.parse(serverUrl+"?"+parameterKey+"=" + yorusername);

    and make any http request HttpURLConnection con = (HttpURLConnection) url.openConnection();

    when any one try to decompiled your app he will show only id as long integer in R.java file get code such this String serverUrl = Resources.getsystem().getstring(12346546564); String parameterKey = Resources.getsystem().getstring(123321321132);

    0 讨论(0)
  • 2020-12-03 11:52

    Have your application perform a handshake with the server, so the algorithm isn't just a string, but a whole process. Use Sessions/databases to track your handshake

    0 讨论(0)
  • 2020-12-03 11:55

    Android requires that one should sign their app(signing authority or self signed) before it can be installed. We can utilize this to check whether requests are coming from your app or not.

    1. Sign your app with your certificate.
    2. Find the certificates signature and save it in your backend server.
    3. For every request, expect this signature to be sent by the app.
    4. validate the signature sent by the app at server level and accept only if they matches.

    Even in that case where someone tampers with your app, he has to sign it again before it can be installed, which would change the apps signature and our validation mechanism would simple reject all such requests.

    This answer is based on this blog. Use https for app<->server communication.

    0 讨论(0)
提交回复
热议问题