Reputation: 119
Securely submit data to remote server with Android
Bit of a niche question really. When I say "securely", I don't mean SSL.
Basically I've been working on adding C2DM push messaging to my app, and on my test bed, this all works fine and notifications are received. I was following this guide: http://blog.mediarain.com/2011/03/simple-google-android-c2dm-tutorial-push-notifications-for-android/
Now I'm all fine with that and I fully understand it, my problem is the passing of the device's unique ID to my web server which is forwarding the messages. Say for example that in order to add the device ID to my database of IDs to message, it makes a call like so: http://www.example.com/add_id?id=unique_id_here
Which inserts that ID into my database, adding it to the list of devices I have available to push messages to, what's to stop someone just visiting that URL and filling my database with crap by submitting fake IDs? Is there any way I can verify the data I'm receiving there, or verify the connection is coming from my app?
Upvotes: 1
Views: 1061
Answers (3)
Reputation: 12935
@peter For the #2 condition, I think you could compile a .so library with JNI(java native interface)+javah, you could call it to get the device id and a token that was encrypted with a specific method, and verify the two on your web server.
I think a .so native shared library is more difficult to decompile to get the encryption method.
Upvotes: 0
Reputation: 8639
Note This is now edited for a much more obvious answer; my original answer is at the end, in case anyone finds the ideas useful
This is actually pretty simple. Send the message as a POST, and provide some form of digital signature with it. This could be as simple as an MD5 hash of the (message+secret). When you receive the POST, perform the same hash, and if the hashes match:
- It came from your app
- It came from someone reverse engineering your app
Sadly #2 is impossible to rule out completely, all you can do is obfusticate code to raise the bar, and monitor the server for suspicious activity.
The old answer
In principal nothing; networks & handset manufacturers generally make sure a specific device doesn't send identifying headers, because of privacy concerns and laws. Even if these were present, they could be faked.
You'll need to authenticate a client somehow. This can be done in one of several ways:
- per-device unique username/password as a one-time config by user.
- per-device unique ID distributed via SMS (requires device phone number, and SMS permissions for app)
- per-device unique ID via License Manager APIs (not investigated, but almost certain to exist, as each client is individually licensed)
I'm assuming the fake data is only an issue if it's associated with the wrong device, and someone corrupting their own data is odd, but not problematic.
Upvotes: 1
Reputation: 17915
You can always pass some HTTP header with your request. Bathic Auth or just string known to you only
Upvotes: 0
Related Questions
- How to send data to Server
- Secure Android POST Data to Web Server API from Packet Capture APP
- Send data from a web server to an android app
- Best approach to send data from a server to an Android device
- android and server secure communication
- How to send data form php server to android
- POSTING data to server and reading it on server end
- Sending data from android app to remote publicy accessible machine
- Sending data to server from android application
- how to send data from android to server