> Just by using a simple web debugger (sniffer) I was able to see where my application connected to ask for a user id, what form every XML file sent to the database took, and how the server answered.
Use SSL to prevent man-in-the-middle attacks.
> So if someone just wanted to flood the database with a million user ids or a million events, it would be super easy to create a PHP script to do that.
That's the nature of network communication. Use heuristics to limit the amount of unwanted data. Some examples:
- A single user_id can create at most one event per second.
- Let the client sign the request for a user_id and verify the signature on the server.
These are not sure-fire ways to prevent abuse, but there is no total security. The suggested methods will keep out most of the script kiddies, though.
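Added example, not code from the question or the answer above: a minimal server-side version of the two heuristics, an HMAC signature on each request and a one-event-per-second limit per user_id. The shared secret, the timestamp field and the request layout are assumptions.

```python
import hmac
import hashlib
import time

# Assumed secret shared between client and server (hypothetical value).
# Anything the client holds can be extracted from the app, so this raises
# the bar against casual scripting rather than giving total security.
SHARED_SECRET = b"example-client-secret"
MAX_EVENTS_PER_SECOND = 1
MAX_CLOCK_SKEW = 300  # seconds; bounds how long a captured request can be replayed

_last_event_at = {}  # user_id -> time of the last accepted event


def sign_request(user_id, payload, timestamp, secret=SHARED_SECRET):
    """Client side: HMAC-SHA256 over user_id, timestamp and the request body."""
    msg = f"{user_id}|{timestamp}|{payload}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def check_rate_limit(user_id, now):
    """Accept at most MAX_EVENTS_PER_SECOND events per user_id."""
    last = _last_event_at.get(user_id)
    if last is not None and now - last < 1.0 / MAX_EVENTS_PER_SECOND:
        return False
    _last_event_at[user_id] = now
    return True


def verify_request(user_id, payload, timestamp, signature, now=None,
                   secret=SHARED_SECRET):
    """Server side: returns (accepted, reason) for one incoming request."""
    now = time.time() if now is None else now
    if abs(now - timestamp) > MAX_CLOCK_SKEW:
        return False, "stale timestamp"
    expected = sign_request(user_id, payload, timestamp, secret)
    # Constant-time comparison so the check does not leak the expected value.
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if not check_rate_limit(user_id, now):
        return False, "rate limited"
    return True, "ok"
```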