Reputation: 458
I'm developing an Android app which uses the same MySQL server as a website is using.
I want to connect to the database in my app, and I've done that before by placing some PHP files on the server, using an HTTP POST and retrieving the response in JSON format. I don't know why - I'm not a specialist - but this just doesn't look like a very safe way to me.
Using a SOAP or REST webservice looks safer to me, but I don't know how to deploy those on a server (the server is not mine, I don't want to fool around too much with it).
So what is the safest way for me then?
And if I'm using PHP scripts, should I store the database credentials in the PHP scripts or in my application and pass them to the PHP script? What's the safest of these?
Thanks
Upvotes: 2
Views: 4252
Reputation: 35580
Your choice of "envelope technology" has no effect on security. In security architecture terms, plain PHP pages, REST-like architectures and SOAP services are all identical - you are still sending and receiving exactly the same information over the same channel. It is just wrapped up in a different way. No additional protection is given.
As for your credentials, it is best to store them in a file that lives outside the web server's document root - this limits your exposure if a separate vulnerability allows your website files to be enumerated or read. Your PHP program can require_once the credentials file.
If users can have information stored that is specific to them, you will need to use authentication and authorisation to ensure that one user cannot act on another user's behalf.
Oh, and don't allow GET requests to change your data. Require that all state-changing or destructive actions can only be performed with POST requests. This will limit the risk of damage to your data from user-agents/proxies that pre-cache or replay requests, and from users/search robots browsing around your site.
Upvotes: 5
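The three controls the answer above recommends (credentials outside the document root loaded with require_once, per-user authentication and authorisation, and no state changes on GET) put together in one small PHP endpoint. This is an added illustration, not code from the question or the answer. It assumes a hypothetical layout where `/var/www/example/public` is the document root and the credentials file sits in `/var/www/example/config/`, a hypothetical `api_tokens(token_hash, user_id)` table for bearer tokens, and a `notes(id, user_id, body)` table; all of those names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not the original answer's code). Assumed layout:
//   /var/www/example/public/                  <- web server document root
//   /var/www/example/public/api/notes.php     <- this file
//   /var/www/example/config/db_credentials.php <- OUTSIDE the document root
// The credentials file just returns an array, e.g.:
//   <?php return ['dsn' => 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4',
//                 'user' => 'app_rw', 'password' => '...'];
// Because it is not under the document root, a directory-listing or
// path-traversal bug in the site cannot serve it over HTTP.

header('Content-Type: application/json; charset=utf-8');

function respond(int $status, array $body): void
{
    http_response_code($status);
    echo json_encode($body, JSON_THROW_ON_ERROR);
    exit;
}

// 1. Verb check: only GET (read-only), POST (create) and DELETE are accepted.
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
if (!in_array($method, ['GET', 'POST', 'DELETE'], true)) {
    respond(405, ['error' => 'method not allowed']);
}

// 2. Credentials are loaded from outside the web root with require_once.
//    The first inclusion returns the array the file `return`s.
$cfg = require_once __DIR__ . '/../../config/db_credentials.php';
$pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['password'], [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// 3. Authentication: the app sends "Authorization: Bearer <token>". Only a
//    SHA-256 of the token is stored (assumed api_tokens table), so reading
//    the table does not hand out usable tokens.
$auth = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
if (!preg_match('/^Bearer\s+([A-Za-z0-9_\-]{32,})$/', $auth, $m)) {
    respond(401, ['error' => 'missing or malformed token']);
}
$stmt = $pdo->prepare('SELECT user_id FROM api_tokens WHERE token_hash = ?');
$stmt->execute([hash('sha256', $m[1])]);
$userId = $stmt->fetchColumn();
if ($userId === false) {
    respond(401, ['error' => 'invalid token']);
}
$userId = (int) $userId;

// 4. Authorisation: every query is scoped by the user_id derived from the
//    token, never by a user_id the client sends, so one user cannot read or
//    delete another user's rows.
switch ($method) {
    case 'GET':    // read-only; harmless if a proxy or crawler prefetches it
        $stmt = $pdo->prepare('SELECT id, body FROM notes WHERE user_id = ?');
        $stmt->execute([$userId]);
        respond(200, ['notes' => $stmt->fetchAll(PDO::FETCH_ASSOC)]);

    case 'POST':   // state change: only reachable with POST, never via a GET link
        try {
            $in = json_decode(file_get_contents('php://input'), true, 8, JSON_THROW_ON_ERROR);
        } catch (JsonException $e) {
            respond(400, ['error' => 'body must be a JSON object']);
        }
        $body = trim((string) ($in['body'] ?? ''));
        if ($body === '' || strlen($body) > 4000) {
            respond(400, ['error' => 'body must be 1-4000 bytes']);
        }
        $stmt = $pdo->prepare('INSERT INTO notes (user_id, body) VALUES (?, ?)');
        $stmt->execute([$userId, $body]);
        respond(201, ['id' => (int) $pdo->lastInsertId()]);

    case 'DELETE': // destructive: the user_id in the WHERE clause means a
                   // guessed id belonging to someone else deletes nothing
        $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
        if ($id === false || $id === null) {
            respond(400, ['error' => 'id must be an integer']);
        }
        $stmt = $pdo->prepare('DELETE FROM notes WHERE id = ? AND user_id = ?');
        $stmt->execute([$id, $userId]);
        respond($stmt->rowCount() === 1 ? 200 : 404, ['deleted' => $stmt->rowCount()]);
}
```

The database password never leaves the server: the Android app only ever holds its own per-user token, and the token lookup, not a client parameter, decides whose rows a query may touch. Note that none of this protects the bytes in transit; the endpoint is assumed to be served over HTTPS only, since, as the answer says, the wrapping format does nothing for the channel itself.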