Securing connection to php server without SSL

Question

I have following scenario: The Android clients communicate with a PHP server via HTTP Post. The PHP server is communicating with mySQL database and sends the output as JSON to the Android client. I have stated this already in question: securing connection to php server

The conclusion there is to use TLS/SSL to secure the connection. Unfortunatelly my server does not support tls.

Is there some other way to somehow make it little more difficult to get the API of my php server, so people cannot post via PC to my server.

I thought about gzip, but I it will be a low barrier...

So if someone sniffs the traffic with wireshark, he should not easily get how the communication to my php server is done.

Answer 1

you could create some sort of hash of all the data you are sending to the server, then send that hash along with the data to the server, the server could then calculate the same hash and check it against the sent hash. then no one could send their own data unless they figure out how the hash is calculated.

Answer 2

You could use the ob_start, ob_get_contents and ob_end_clean to catch all the data you are outputting, then use some encryption algorithm to secure the data (possibly using a private key derived by your own time based function, then have a program running on the client to decrypt the data at the client end.

The level of security would depend on what technique you used, but you may sacrifice some performance if you use something too complicated. But if you use your own, it would make it very difficult for someone to crack, but that depends on how hard they are trying to break your system.

If you want to make it more sophisticated, have a look for Mentalis. They made an open source C# implementation of an SSL Server so you could use some of that if you need some inspiration.