Securing PHP API Based on Device

Question

I am creating a PHP API for an Android application and want to make it so the API only proceses requests from Android devices. Is there some sort of logic I could use to make this happen?

Answer 1

you can use Mobile_Detect which is a lightweight PHP class for detecting mobile devices. It uses the User-Agent string combined with specific HTTP headers to detect the mobile environment. by using this PHP lib you can dectect following devices:

Phones * isiPhone() * isBlackBerry() * isHTC() * isNexus() * isDellStreak() * isMotorola() * isSamsung() * isSony() * isAsus() * isPalm() * isGenericPhone()

Tablets * isBlackBerryTablet() * isiPad() * isKindle() * isSamsungTablet() * isHTCtablet() * isMotorolaTablet() * isAsusTablet() * isNookTablet() * isAcerTablet() * isYarvikTablet() * isGenericTablet()

Operating systems * isAndroidOS() * isBlackBerryOS() * isPalmOS() * isSymbianOS() * isWindowsMobileOS() * isiOS() * isFlashLiteOS() * isJavaOS() * isNokiaOS() * iswebOS() * isbadaOS() * isBREWOS()

Mobile browsers * isChrome() * isDolfin() * isOpera() * isSkyfire() * isIE() * isFirefox() * isBolt() * isTeaShark() * isBlazer() * isSafari() * isMidori() * isGenericBrowser()

or see this tutorial for Detecting Mobile Devices Using PHP: http://www.hand-interactive.com/resources/detect-mobile-php.htm

Answer 2

You can't reliably determine if they are accessing your php server with an Android. The only way to see if they are using Android is by checking the User Agent, but that should not be used as security, as you would want.

You could have a key in your Android application, either dynamic or static, that is required to access your server, but that also not going to guarantee the users won't find out that key, or whatever process you use.