How can I prevent anyone from communicating with my server except my Android app

I have a REST server in a Google app, and I want only my application to be able to make calls to my server.

Is there a security option that I can enable in a Google app that takes care of this? If not, what can I do?

I know that you can restrict access to certain pages using a file, but I'm not sure if it can be applied to REST calls:

    <security-constraint>
      <web-resource-collection>
        <url-pattern>/cron/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>admin</role-name>
      </auth-constraint>
    </security-constraint>
+4
6 answers

Create a private key / public key pair in openssl. Distribute the public key with the application. Create your own HTTP header named appName, encrypt the application name (a unique constant, a number with a large number of bits) with the public key and send it. Make sure your code is obfuscated so that no one can read the application name. Then, since you are encrypting, even if someone is monitoring the HTTP calls, the application name will only be visible as an encrypted value. On the server side, decrypt the application name using the private key. Hope this helps.

+2

(Three answers already, all with different ideas, and now my own; this is a good question, I think.)

As far as I understand, the recommended / canonical way to do this (for Google) is OAuth2. Google acknowledged that OAuth2 is complicated, and one of its attempts to simplify it is Cloud Endpoints, together with Google Play Services for Android clients. Instructions for this are given here:

https://developers.google.com/appengine/docs/java/endpoints/consume_android#Java_Making_authenticated_calls

Please note that while the docs emphasize user authentication, it also supports application authentication.

What I don't know (but would like to) is how to do the same for an application without Endpoints, so I think this is only a partial answer.

+1

Short answer: you cannot, at least not in a completely safe way.

https://security.stackexchange.com/questions/826/how-can-i-securely-authenticate-the-client-application-sending-me-data

The long answer: you can make it difficult for hackers. This usually works by embedding the key in the application, obfuscating it, and obfuscating the code that retrieves the key. This does not make it impossible for someone to find the key, only harder.

One of the stronger consumer systems is Microsoft Silverlight DRM; you can read how it works here: http://www.iis.net/learn/media/iis-media-services/content-protection-in-silverlight

+1

You can force all your REST services to require a passkey and secret for access. The application can then store them in its configuration settings, and you leave them blank when you upload it to the application store.

Then, when you download the application, you can go into the configuration settings and enter the key and secret that you set for your REST service. (That way, nobody else can access the services, since you manually add the key + secret that is used.)

I would recommend logging the IPs of all unauthorized access attempts on the server so that you can build a blacklist if someone hits your web service with invalid access attempts.

And then, on top of all this, do it all over HTTPS.

+1

There are several options:

  • First, you can restrict by IP. It’s not very good if your Android app gets a dynamic IP address every time.
  • Secondly, you can use some algorithm on the server and client that only you know. The server sends data to the client, the client runs this algorithm on it and modifies the data, then sends it back to the server. The server also runs this algorithm and checks the response. If the response equals the server's calculation, the server knows that the client is authorized. In this case, the data that is sent from the server must be different each time.
  • Third, you can use some public hash function instead of your own algorithm. The idea is the same: the server uses the same hash function and checks whether the client's response matches its calculation.
0
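The challenge-response scheme in the answer above (a fresh server value each time, a keyed public hash function on both sides), written out as an added example that is not part of the original thread. The shared secret, the 30-second challenge lifetime and the single-use nonce table are assumptions made for the example; as other answers note, anyone who extracts the secret from the APK can produce valid responses too, so this only rejects clients that do not have it.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a constructed secret shared by the app and the server.
SHARED_SECRET = b"constructed-demo-secret"


class ChallengeServer:
    """Issues random challenges and verifies keyed-hash responses."""

    def __init__(self, secret: bytes, ttl_seconds: float = 30.0):
        self.secret = secret
        self.ttl = ttl_seconds
        self.pending = {}  # nonce -> time it was issued

    def issue_challenge(self) -> str:
        # Different every time, as the answer requires: 128 random bits.
        nonce = secrets.token_hex(16)
        self.pending[nonce] = time.monotonic()
        return nonce

    def verify(self, nonce: str, response: str) -> bool:
        # pop() makes each challenge single-use, so a captured
        # response cannot simply be replayed later.
        issued = self.pending.pop(nonce, None)
        if issued is None or time.monotonic() - issued > self.ttl:
            return False
        expected = hmac.new(self.secret, nonce.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison so timing does not leak the digest.
        return hmac.compare_digest(expected, response)


def client_answer(secret: bytes, nonce: str) -> str:
    """What the app computes: HMAC-SHA256 of the challenge under the secret."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


def run_exchange(secret_on_device: bytes) -> bool:
    """One full round trip; True only if the device held the right secret."""
    server = ChallengeServer(SHARED_SECRET)
    nonce = server.issue_challenge()
    return server.verify(nonce, client_answer(secret_on_device, nonce))
```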

The canonical way to do this is to use SSL and client certificates. I'm not sure if App Engine supports this.

However, keep in mind that if you distribute the APK, then you cannot rely solely on anything distributed with the APK: it would be possible (if unlikely, depending on how attractive a target you are) to extract any information necessary to impersonate the application.

0