Is there any way to Authenticate an android App against a php web application

Question

I'm developing this Android application where users can update their SQLite database to the latest version on a web server. Everything is working fine up to that the user clicks a button on the application, and the latest version of the database is downloaded in to the Android.

These users just install the application and there is no need to authenticate individual user (Users have no username/password). i.e: everyone is using the same database. Data is not at all user specific. And there is no need to set up a two way synchronization.

The problem is that anyone can access(download) the database. We have to prevent anyone else from downloading the database manually. The database will be hosted in an Apache web server with php. I can implement php codes to control access to the SQLite database (update file).

Is there any way in php to authenticate the Application we made in Android phone, so that only the users of this application can download the database directly in to their phone.

P.S. I have considered hard coding a password in to the application with which we can authenticate the download request. But then the password would by a static hard-coded piece of string. I'm wary about using a time rotating password algorithm since users in othet time zones or with out of sync clocks would not be able to update their database.

Answer 1

You can store a shared secret within the phones application and the server, then get every now and then a random key from the webservice to rehash and use it as credential:

Android Phone                           Server
---------------------------------------------------------------------
"SharedSecret"                          "SharedSecret"
getRandomKey()                  <----   "This is some randomKey currently valid"

Authentication:
sha256(RandomKey + SharedSecret) <--->  sha256(RandomKey + SharedSecret)