开发者

Thinking about security of an Android web service

I have been asked to write an android app to connect to a http server. I did this by creating a web service and sending JSON data to a PHP script on the server which opens the desired database and then inserts the decoded JSON objects.

Now I am thinking about security. First of all the app will be propr开发者_JS百科ietary, not on the ANdroid Market, but I am worried about two things:

  • someone with a phone not in the company somehow gets the app. He can then manipulate the DB. Or the company loses an Android phone and a malicious person tries to ruin the DB.
  • someone using the PHP script without an Android phone and manually inputting JSON data, e.g. from a PC browser (I dont know if this can be done.).

To counteract the first possible problem I intent to use the ANdroid phone's serial id.

   TelephonyManager tm =   (TelephonyManager)activity.getSystemService(Context.TELEPHONY_SERVICE);
   String id = tManager.getDeviceId();

I will put this in my JSON object and send it to the server, decode it and check against a database table of valid id numbers.

Is this a good idea?

I don't know what to do about the second problem. Any help would be appreciated.


Actually both problems are related to each other. You need to guarantee, that only people with appropriate privileges are allowed to use your PHP script. To do so you need to make authorization system. All of them requires some verification data to be sent from client, so it has to be either stored in phone or typed every time by your users. For example it can be simple login/password authentication. You can store such information on your phone in encrypted form, but there's no way to guarantee that if someone get his hands on the phone he won't be able to use this application. If you want to avoid that, you can't store the password - you have to ask the user about it every time.

Oh, and as for your idea with sending phone's unique id - it can be easily extracted from the phone by the hacker, and later he can use it to call your php script manually. There's a simple rule - if you're storing any authentication data on the client, skilled person can always extract it and use it to connect to your system.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜