
I've built an app that sends a JSON array via POST in an HTTP request from Android to a PHP server.

My question is how to make this secure? How can I implement authentication in a secure way on the server side?

Is sending the data over an SSL connection enough? Or should I encrypt it with RSA or something?

  • 2
    Suggestion from my point, send device's IMEI with the JSON Array, and that IMEI , must be present in the db resided on the server. If both matches then it is valid JSON array else not. Commented Jun 18, 2012 at 10:44
  • can explain more? What kind of guarantees are you looking for? Do you want username&password-based authentication? Commented Jun 18, 2012 at 10:46
  • Yes, I want to make an username and password based authentication and Lucifer's can complement it to be more secure. Commented Jun 18, 2012 at 10:52
  • Is it safe to send username & password and imei in the same request or should I authenticate the user first and generate a "key" and make an second request with the JSON array plus the generated key? Commented Jun 18, 2012 at 10:54
  • I think it's better to send username&pass&imei (you can log bruteforce attempts on the server and ban imei, for example) Commented Jun 18, 2012 at 10:55

2 Answers


It depends on what you are trying to protect. SSL will prevent anyone from listening in on the communications; you don't need to add other encryption on top.

If you want to protect the web service itself from unauthorized use, then you need users to register and send the username & password (or better, a password hash) to connect; you can then either use the password for every request or generate a key which will be sent with every request to authenticate the user.

The IMEI idea is not too great, since you would first need to get everyone's IMEI somehow, a huge pain if you have more than 1-2 users, and even then this is forgeable, as your Android app can be taken apart and made to serve any IMEI.


2 Comments

IMEI is great, because the devices will be given by my company to the salesmen and the application will be installed on those devices. My doubt now is: should I send all information in one request (user, pass, IMEI and JSON), or make a request to authenticate and send back a key to use on the second request that sends the JSON?
Doesn't matter; the 2 steps don't really add anything as long as it's all over SSL. If it's an internal app then you can manage the IMEI, but remember that an Android app can be taken apart and changed, so it's really not that much extra protection.

Considering using the IMEI as Lucifer suggested, I would do it this way:

  1. Open the Android app; if I'm not logged in, the app will show me some LoginActivity
    1. I put in the login and password and click on the "Log In" button
    2. Within the Android app you hash the password and send an HTTP POST request to the server that contains the login, hashed password and IMEI
    3. The server part will try to log in that user (and log any inappropriate behavior or input) and return true or false (depending on whether the user could be logged in or not)
    4. Store the login information somewhere within the app so that the user does not have to log in every time he closes and reopens the app; while the app is running in the background (until Dalvik decides to kill it) the user should be considered as logged in...
  2. If the user is logged in, carry on using the application

Use of SSL (HTTPS) is a must in this case...
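To make the flow both answers describe concrete, here is an added example of the server side, written in Python rather than the asker's PHP and not taken from either answer: a login request that checks username, password and IMEI and hands back a key, followed by a data request that is accepted only with a valid key. User names, the IMEI value, the password and all function names are constructed for illustration. Two choices go slightly beyond the answers: the server stores a salted, slow hash and re-hashes whatever the client sends, so a leaked table does not yield reusable credentials even if the app pre-hashes; and, as the comments suggest, failed attempts are logged and counted per IMEI so a brute-force source can be refused.

```python
# Added example (not from the question or answers): a minimal model of the
# login + key flow on the server side. All data below is constructed.
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

PBKDF2_ROUNDS = 100_000   # slow hash so stolen hashes are expensive to crack
MAX_FAILURES = 5          # failed logins per device before it is refused
TOKEN_TTL_SECONDS = 3600  # how long an issued key stays valid


def hash_password(password: str, salt: bytes) -> bytes:
    # Server-side hash: even if the app pre-hashes, the server stores its own
    # salted PBKDF2 value, so a database leak does not expose reusable secrets.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed sample data: one sales account and the company-issued device it may use.
USERS = {"alice": make_user("correct horse battery staple")}
ALLOWED_DEVICES = {"490154203237518": "alice"}   # constructed IMEI -> owning user

failures = {}    # imei -> consecutive failed logins
sessions = {}    # token -> {"user": ..., "expires": ...}
audit_log = []   # what the server would write to its log file


def login(username: str, password: str, imei: str,
          now: Optional[float] = None) -> Optional[str]:
    """First request: return a fresh session key, or None if login is refused."""
    now = time.time() if now is None else now
    if failures.get(imei, 0) >= MAX_FAILURES:
        audit_log.append(f"refused imei={imei}: too many failed logins")
        return None
    user = USERS.get(username)
    device_ok = ALLOWED_DEVICES.get(imei) == username
    # Always run the hash so response timing does not reveal whether the user exists.
    salt = user["salt"] if user else b"\x00" * 16
    expected = user["hash"] if user else b"\x00" * 32
    pw_ok = hmac.compare_digest(hash_password(password, salt), expected)
    if not (user and device_ok and pw_ok):
        failures[imei] = failures.get(imei, 0) + 1
        audit_log.append(f"failed login user={username} imei={imei}")
        return None
    failures.pop(imei, None)
    token = secrets.token_hex(32)   # 256-bit random key, unguessable
    sessions[token] = {"user": username, "expires": now + TOKEN_TTL_SECONDS}
    return token


def submit(token: str, body: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Second request: accept a JSON array only from the holder of a valid key."""
    now = time.time() if now is None else now
    session = sessions.get(token)
    if session is None or session["expires"] < now:
        return False, "invalid or expired key"
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return False, "malformed JSON"
    if not isinstance(data, list):
        return False, "expected a JSON array"
    return True, f"stored {len(data)} items for {session['user']}"


if __name__ == "__main__":
    key = login("alice", "correct horse battery staple", "490154203237518")
    print("login ->", key is not None)
    print("submit ->", submit(key or "", '[{"id": 1}, {"id": 2}]'))
    print("bad key ->", submit("not-a-real-key", "[]"))
```

Whichever variant is chosen (one combined request or login-then-key), the whole exchange still has to run over HTTPS, since the key in the second request is a bearer credential and is just as sensitive as the password was in the first.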
