Android web server securitiy

Question

My android application sends data to my website. Right now, anyone who can trace where the data is being sent can find my web website and be able to run my php files that processes the data. How can I disable users from accessing my website through a browser?

Answer 1

Short answer: You can't.

Long answer: You can try using some methods that would make using your website pointless from the browser (eg. use some ciphers, encodings, custom browser headers, authentication, etc). But there always will be possibility to crack and reverse-engineer your (any) security.

I spent two weeks reverse-engineering one such service, only because it was worth it.

Answer 2

This is actually pretty easy to do.

Set up mutually-authenticated SSL between your app and your web server. Basically, you're going to create a self-signed certificate using the Android keytool to deploy onto the server and then another self-signed certificate (for the client) to deploy into your app. Configure the server to require client authentication and to only accept the certificate you just deployed into your app. Configure the client to only accept the self-signed certificate you installed on the server and to present the certificate you deployed on it when prompted by the server.

This is pretty easy to set up and then your server will only talk to your app (since it is the only thing that has the specific client-side certificate) and the app will only talk to your server (since it is the only thing that has the specific server-side certificate).

More details about how to do all this (with a walkthough) are in my book: http://shop.oreilly.com/product/0636920022596.do.

Answer 3

You could try PHP obfuscation. Here are a few options for this:

• http://www.phpprotect.info/
• http://www.zend.com/en/products/guard/
• http://www.semanticdesigns.com/Products/Obfuscators/PHPObfuscator.jsp

Note: This doesn't make it impossible to get at your code...only more difficult.

Answer 4

You've got a few options:

• Add some kind of username/password authentication to your server, and ignore any requests that don't contain the username/password.

• Embed a long random string (perhaps 200 characters long) inside your app and send that along with every request, ignoring any request unless it contains that exact string.

• For increased security, look into public/private key encryption. Basically you have a public and private key, the private key is embedded in the app, and a matching public key is on the server. The phone encrypts any data it sends to the server with the private key, and the server decrypts the data with the public key. The server does the reverse, any data sent to the phone is encrypted with the private key, and decrypted with the private key. This is (roughly) how SSL/https works.

The last one is the most secure, but a combination of all three would be ideal — username/password in every request, encrypted with public/private key pair, private key encrypted with a 200 character random string that's stored on the phone at a different location to the private key (most public/private key encryption systems will allow you to password protect the private key).

Beware none of these will protect you from anyone who has physical access to either the phone or the server. The last approach will protect you from everyone else, and make it quite hard even for those who do have physical access to the phone.

You can make it a bit more difficult to hack by changing the keys often. SSL is continually creating a new public/private key, but sharing the new ones with the phone and the server might be complicated.

If you're trying to prevent casual access to your server, then all of these will work fine. If you want serious security then you need to manufacture your own phone hardware to lock it down properly, and even that won't give you perfect security.