Securely submit data to remote server with Android

Bit of a niche question really. When I say "securely", I don't mean SSL.

Basically I've been working on adding C2DM push messaging to my app, and on my test bed, this all works fine and notifications are received. I was following this guide: http://blog.mediarain.com/2011/03/simple-google-android-c2dm-tutorial-push-notifications-for-android/

Now I'm all fine with that and I fully understand it, my problem is the passing of the device's unique ID to my web server which is forwarding the messages. Say for example that in order to add the device ID to my database of IDs to message, it makes a call like so: http://www.example.com/add_id?id=unique_id_here

Which inserts that ID into my database, adding it to the list of devices I have available to push messages to, what's to stop someone just visiting that URL and filling my database with crap by submitting fake IDs? Is t开发者_JAVA技巧here any way I can verify the data I'm receiving there, or verify the connection is coming from my app?

Note This is now edited for a much more obvious answer; my original answer is at the end, in case anyone finds the ideas useful

This is actually pretty simple. Send the message as a POST, and provide some form of digital signature with it. This could be as simple as an MD5 hash of the (message+secret). When you receive the POST, perform the same hash, and if the hashes match:

• It came from your app
• It came from someone reverse engineering your app

Sadly #2 is impossible to rule out completely, all you can do is obfusticate code to raise the bar, and monitor the server for suspicious activity.

The old answer

In principal nothing; networks & handset manufacturers generally make sure a specific device doesn't send identifying headers, because of privacy concerns and laws. Even if these were present, they could be faked.

You'll need to authenticate a client somehow. This can be done in one of several ways:

• per-device unique username/password as a one-time config by user.
• per-device unique ID distributed via SMS (requires device phone number, and SMS permissions for app)
• per-device unique ID via License Manager APIs (not investigated, but almost certain to exist, as each client is individually licensed)

I'm assuming the fake data is only an issue if it's associated with the wrong device, and someone corrupting their own data is odd, but not problematic.

You can always pass some HTTP header with your request. Bathic Auth or just string known to you only

@peter For the #2 condition, I think you could compile a .so library with JNI(java native interface)+javah, you could call it to get the device id and a token that was encrypted with a specific method, and verify the two on your web server.

I think a .so native shared library is more difficult to decompile to get the encryption method.