How to secure webservice so that only my android app can use my webservice

If you are able, you should implement the use of HTTPS in your app and this could solve many security problems. Create a self-signed server SSL certificate and deploy on your web server with the keytool in the Android SDK for this purpose. Then create a self-signed client and deploy that within your application in a custom keystore included in your application as a resource (keytool will generate this as well). Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. oReilly : Application Security for the Android Platform or If it's only your client and your server, you can (and should) use SSL without purchasing anything. You control the server and the client, so each should only trust one certificate, the one belonging to the other and you don't need CAs for this purpose.PHP can receive data via POST or GET out of your site and even the internet browser. One of the methods used to do this is by curl. You must verify the information received by POST or GET in your PHP, this language has much ability to solve these "problems"; Take a look at this part of the PHP official documentation.

Suppose you're building a login system: Also you can add in the login page place a hidden element with secret unique code that can happend only once, save this secret code in session, so, the loging script look in session for this code, compare with what was posted to the script, should same to proceed.

And, if you want to get the IP address of your visitors:

function getRealIpAddr() { if (!empty($_SERVER['HTTP_CLIENT_IP'])) //check ip from share internet { $ip=$_SERVER['HTTP_CLIENT_IP']; } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) //to check ip is pass from proxy { $ip=$_SERVER['HTTP_X_FORWARDED_FOR']; } else { $ip=$_SERVER['REMOTE_ADDR']; } return $ip; } 

you want want to look up here: Encrypt data within mobile app and send to web service and Web services: how prevent illegal accesses

Make sure you request in the POST request an extra field to check for sender's id. In this field you could use a hash sequence, like one generated by a md5 algorithm.

So, in your Android App you would generate hash string using an identifier and a general string, like so:

$identifier='Here comes an understandable unique Id for your App user'; $common_sequence='Here comes random sequence, the same to be used server-side'; $hash_sequence=crypt($identifier . $common_sequence); 

In your POST you have 2 fields for this:

• Hash_sequence
• UserId

In your server you can re-generate the hash_sequence as you have common_sequence already, and also the userId. Check if they match.

This solution, however, has some weak points, specially the fact that one could use the hash_sequence several times. You could consider inserting a time factor to the generating sequence, for example, like yyyymmddHHmm so the sequence would change each minute.

Crypt() is a function that generates your hash_sequence in PHP. You would need however a way to generate a similar sequence in your App. In this case, a simple MD5 hash might be enough, and there must be a MD5 generator native in Android Dev language.

Best wishes,