How can restrict access to my web site only to my Android Application

I have an Android application that feteches data from my PHP/MySQL webserver. The data itself is not sensitve, It's geographical data of a number if POI's - but it may be useful to others to use/abuse.

Currently, my application will fetch the data by开发者_JS百科 doing someting along the lines of: http://myserver.url.com/data.php?getinfo=a_zip_code

Any data returned will be returned as XML. What I don't want is for someone to be able to abuse the system by making their own requests for data.

My propsal is to generate a key based on MD5(username + date + salt)

Send a GET request :

http://myserver.url.com/data.php?
getinfo=a_zip_code&username=$username&key=AABBCCDDEEFFAABBCCDDEEFF

I can then repeat the process on the server and if the hash matches - then I can return data.

• username - used to lookup the user in the database
• date - to vary the key on a daily basis
• salt - to stop anyone else generating a key.

Is the a good way of doing what I want to achieve or is there something else that would be better suited?

I think as a key you can use just a variable known to you - without md5. Post it to your script- and get result. The other way is to post your android device personal number and define it into your Php script.

I feel like the method you posted is adequate. However, like all security questions, this is all relative to how much security you need. I faced a similar situation because my web server would return JSON data that my application would then parse. Again, not anything sensitive, but just something I wouldn't want anyone to use. Be aware that there are quite a few solutions to problems such as ours. You could also have it so your application would "log in" to your web site before being able to access any of the data. Or you could have some sort of a token system set up. It's up to you, but it seems like you have a solid idea.

First of all, make sure you are using HTTPS. Secondly, don't depend on your key being completely secret. APKs can be decompiled and keys (strings) can be easily discovered.