Identify whether HTTP requests from Android App or not? and then respond appropriately

Question

My Android App has an App Widget associated with it which is updated every 10 minutes on an Android Device. These updates send HTTP requests for data to the servers and parse th

Answer 1

You can add a signature to the request and then check it on server-side.

Just take the query and add one secret word at the end, then make a MD5 of it that you can send as an header (or use as a user-agent). And on the server you do the same and check if the checksum is the same.

To make it a bit safer you can make a timestamp so the request only will be valid for a short time.

Make your query look like http://example.com/abc.php?usera=abc&datab=xyz&timestamp=123456789 where timestamp is the current time (in unix time stamp) and add this in your app:

public static String makeCheck(String url)
{
    URL u=new URL(url);
    MessageDigest md = MessageDigest.getInstance("MD5");
    u.getQuery();
    md.update(u.getQuery().getBytes());
    BigInteger bn = new BigInteger(1,md.digest("A_SECRET_WORD".getBytes()));
    return bn.toString(16);
}

And when you need to add the header use something like:

request.addHeader("X-CHECKSUM", makeCheck(url) );

Then on your server you can use:

if (md5($_SERVER['QUERY_STRING']."A_SECRET_WORD")!=$_SERVER['X-CHECKSUM']) {
    // Wrong checksum
}

$timediff=60;

if ( $_GET['timestamp']>(time()+$timediff) || $_GET['timestamp']<(time()-$timediff) ) {
    // Bad timestamp
}

Remember to be a bit slack on the timestamp since your servers clock and the phones clock can be off sync a bit.

Answer 2

When you create the HttpClient in android you can set the following

 client.getParams().setParameter(CoreProtocolPNames.USER_AGENT, "MY Android device identifier");

This set the USER_AGENT for each http request send to your server. On your server you can retrieve the USER_AGENT to determine that the request came from your android device

Answer 3

If the actual request is the same (for instance, you are not able to add a POST or GET variable to actively identify your request), you'd have to rely on other things, like user-agent.

While you can set them according to your wishes in your app (also see @mark_bakker nd @mark_allison 's answers), you should be aware that there are ways to mess with this, so don't use it for stuff you really don't want other users to see.

• An android user could in theory change the user_agent string between the request leaving your app and the request leaving his/her network. So don't use it for "Android users didn't pay, so should not see this/that info" applications
• The other way around, non-android users can change their user-agent too obviously, so if you have content only your paying android-users should see, they might fake the string.

In the end it might be better to just change your request if you can: you want a different reply, you should do a different request is my opinion.

Answer 4

The typical way of doing this is using the User-Agent header in the HTTP request. if the request comes from the standard browser, it will uniquely identify both the hardware and software. For example a Nexus One running Froyo will have the following User-Agent:

Mozilla/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1

However, if you're using HttpClient to make requests from your app, you can customise the User-Agent header that HttpClient uses as demonstrated in this answer: Android HTTP User Agent.

On the server-side you can use a regex match on the user-Agent header to determine whether a request has originated from your Android app, and send the appropriate response.