Reputation: 17185
I have set up the code to call a remote server from an Android app. Here is the code:
    private class DownloadWebPageTask extends AsyncTask<String, Void, String>
    {
        @Override
        protected String doInBackground(String... theParams)
        {
            Log.d( "Inner class: " , "Doing stuff in background" );
            String myUrl = theParams[0];
            String myEmail = theParams[1];
            String myPassword = theParams[2];
            Log.d( "Inner myURL: " , myUrl );
            Log.d( "myEmail: " , myEmail );
            // Note: this writes the password to logcat in clear text.
            Log.d( "myPass: " , myPassword );

            // Built here but not yet attached to the request below.
            ArrayList<NameValuePair> postParameters = new ArrayList<NameValuePair>();
            postParameters.add(new BasicNameValuePair("username", myEmail ));
            postParameters.add(new BasicNameValuePair("password", myPassword ));

            String response = "";
            DefaultHttpClient client = new DefaultHttpClient();
            HttpGet httpGet = new HttpGet(myUrl);
            try
            {
                HttpResponse execute = client.execute(httpGet);
                InputStream content = execute.getEntity().getContent();
                BufferedReader buffer = new BufferedReader(
                        new InputStreamReader(content));
                String s = "";
                while ((s = buffer.readLine()) != null)
                {
                    response += s;
                }
                Log.d( "After call, response: " , " " + response);
            }
            catch (Exception e)
            {
                Log.d( "Exception: " , "Yup");
                e.printStackTrace();
            }
            return response;
        }

        @Override
        protected void onPostExecute(String result)
        {
            Log.d( "Post execute: " , "In the post-execute method" );
            //textView.setText(result);
            // Compare string contents with equals(); == compares object references.
            if ( result != null && "Ok".equals(result) )
            {
                Log.d( "Post execute: " , "OKKKK :)" );
            }
            else
            {
                Log.d( "Post execute: " , "NOOOT OKKKK :)" );
            }
        }
    }
This is a request to be authenticated and logged in. Right now as you can see, I am collecting a login and password from the user, but not sure how to best attach that to the request URL.
I can just do something like urlString + "?login=login&pass=pass" but I was wondering whether there is a "good practice" way of doing this in the Android environment? Also, my URL is not https - is there a way to make it secure?
Thanks!
Upvotes: 1
Views: 1443
Reputation: 5059
Had to answer just to comment on Heesham Saeed's "answer" (which is actually a directive to screw any sense of security your App may ever have):
A mobile phone (android included) might be a smokescreen to simple-minded people but it is NOT a black-box that someone with technical ability cannot see into. The URL sent by the phone can be seen by the User if the User inspects, say, proxy logs. The URL can be seen by strangers who inspect the logs of ANY proxy that the HTTP traffic is routed through. It's gross misunderstandings like Hesham's + the putting forward of those misunderstandings to newcomers to development that cause vulnerable Apps to be made.
Next...
MD5 is NOT encryption! MD5 cannot be decrypted! Holy shit, get a clue before you talk like you have a clue! MD5 is a one-way hashing algorithm. Any MD5 hash can be reversed using Rainbow Tables IFF you have enough time and CPU power (and who's to say someone/something doesn't have both). Same goes for all hashing algorithms and encryption algorithms, actually - but MD5 is one of the least trivial and least time+CPU costly to reverse. MD5 is NOT a suitable means for securing data that is transmitted via unencrypted channels NOR is it suitable at all for extraction of the data on the receiving end.
Upvotes: 1
Reputation: 36302
This is not secure. Your URL is passed through the internet most likely through several hops unencrypted. It is trivially simple to sniff these requests. The simplest way is to send this data in the message body using HttpPost and use HTTPS. If you must use HTTP, try digest authentication explained here: how to use Digest authentication in android?
Upvotes: 2
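The approach suggested in the answer above (credentials in the request body, sent over HTTPS), as an added example that is not part of any post on this page. It uses `HttpsURLConnection` instead of the question's `DefaultHttpClient`; the class and method names are hypothetical, and the field names `username` and `password` are taken from the question's `postParameters`.

```java
import java.io.*;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HttpsURLConnection;

// Added example: LoginClient, formBody and login are hypothetical names.
public final class LoginClient {

    // Form-encode the credentials for the request body so they never appear
    // in the URL, and therefore not in proxy or server access logs.
    static String formBody(String email, String password) throws IOException {
        return "username=" + URLEncoder.encode(email, "UTF-8")
             + "&password=" + URLEncoder.encode(password, "UTF-8");
    }

    // POST the credentials over TLS and return the response body.
    // Call this off the main thread, e.g. from doInBackground().
    static String login(String loginUrl, String email, String password) throws IOException {
        URL url = new URL(loginUrl);
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IOException("refusing to send credentials over " + url.getProtocol());
        }
        byte[] body = formBody(email, password).getBytes(StandardCharsets.UTF_8);

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        try {
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            conn.setInstanceFollowRedirects(false); // do not follow redirects
            conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            conn.setFixedLengthStreamingMode(body.length);
            try (OutputStream out = conn.getOutputStream()) {
                out.write(body);
            }
            // Error responses (4xx/5xx) are delivered on the error stream.
            InputStream in = conn.getResponseCode() < 400
                    ? conn.getInputStream() : conn.getErrorStream();
            StringBuilder response = new StringBuilder();
            if (in != null) {
                try (BufferedReader r = new BufferedReader(
                        new InputStreamReader(in, StandardCharsets.UTF_8))) {
                    String line;
                    while ((line = r.readLine()) != null) response.append(line);
                }
            }
            return response.toString();
        } finally {
            conn.disconnect();
        }
    }
}
```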