Android and Apache in a secure way

Question

I have developed an android app. This app sends data to my webserver(apache + mysql) using the HttpClient and HttpPost classes.

But this way a malicious atttacker could be able to send a custom post request to the webserver and corrupt my database.

1 - Is it possible to encrypt the data before the app sends it and then decrypt it in the webserver with some shared key algorithm? Or am I saying nonsense?

2 - If the previous solution is not a good one, what do I need in a summarised way to implement the ssl solution?

I have read many articles about ssl and android but I am still a bit confused. I guess I have to make code changes on both app and apache. Can anyone tell me about some tutorial to deal with this?

Answer 1

You don't necessarily need to encrypt your data (that's only needed if you want to prevent data from being read by an attacker).

What you need is:

1. Authentication: So only requests from trusted users (ie. your app) are accepted
2. Validation: So only "correct" requests are processed

Authentication can be as easy as setting up HTTP Basic Access Authentication on your Apache server. You'll set up a user and password, and have your app use these credentials to access the server. Any unauthenticated request will be rejected with a 403.

Unfortunately Basic Authentication is mostly insecure since anyone looking at the traffic between your app and server can grab the credentials, then forge their own requests.

OAuth would be the better option, although it is more involved. Here's a nice tutorial that covers the client side: http://nilvec.com/implementing-client-side-oauth-on-android.html

Validation means you'll need to sanitize data before using it. Your server app should assume that all data is potentially wrong or dangerous, and properly filter any input before processing it.