Android, how to do security in JSON?

3

I use Volley to make a POST request to a URL that returns user data... But you can see this data by creating a simple html form with its action set to the URL 192.168.0.101/project/user.php . Then it shows all the JSON... How do I prevent the guy from seeing this data without harming the app when listing this data in a RecyclerView? NOTE: I used header("Location: www.teste.com"); and it redirects without showing the JSON to the possible "hacker", BUT then it does not list the data in the app.

PHP:

<?php
require_once('config.php');
require_once 'classes/BD.class.php';
BD::conn();
if(isset($_POST['user']) && $_POST['user'] != ""){
    $user = (int)$_POST['user'];
    // Photos of the requested user, newest first
    $searchPhotos = BD::conn()->prepare("SELECT * FROM `photos` WHERE `id_user` = ? ORDER BY `id` DESC");
    $searchPhotos->execute(array($user));
    $resultPhotos = $searchPhotos->rowCount();

    // How many people follow this user
    $searchQtdFollowers = BD::conn()->prepare("SELECT id FROM `follows` WHERE `user` = ?");
    $searchQtdFollowers->execute(array($user));
    $resultFollowers = $searchQtdFollowers->rowCount();

    // How many people this user follows
    $searchQtdFollowing = BD::conn()->prepare("SELECT id FROM `follows` WHERE `follower` = ?");
    $searchQtdFollowing->execute(array($user));
    $resultFollowing = $searchQtdFollowing->rowCount();

    // First element: the counters; following elements: one per photo
    $array = array(
            "photos" => $resultPhotos,
            "followers" => $resultFollowers,
            "following" => $resultFollowing
            );
    $result = array();
    $result[] = array_map("utf8_encode", $array);
    while($data = $searchPhotos->fetch(PDO::FETCH_ASSOC)){
        $array = array(
                "photo" => PATH.$data["photo"],
                "date_creation" => date('d/m/Y', strtotime($data["date_creation"]))
                );
        $result[] = array_map("utf8_encode", $array);
    }
    header('Content-type: application/json');
    echo json_encode($result);
}
?>
  • your system has a login or you want to limit the view of data only to people who are using your application?

  • @Nicolasbontempo it has a login, but it also has a data search through POST; if the guy accesses search.php from the html form and sends such a value to a parameter, he sees the JSON... I want all this JSON to be accessed only in the application and not by browsers

2 answers

1


There are several security methods for this case; however, a basic method, which is the least you could do, would be to use an encrypted key at both ends of the connection. In this first case, using an HTTP GET request and passing your key as a parameter from your application. Example:

http://192.168.0.101/projeto/user.php?chave=mistersatanderrotoucell

In this case, your application would send an encrypted data via the parameter chave, whereas the mistersatanderrotoucell would already be an encrypted data.

To recover this value in PHP, we use the following lines of code: 

echo $_GET['chave'];

Therefore, it would be necessary to make a check confirming whether the received key is correct or not. This way:

$minha_chave = "mistersatanderrotoucell";

if(isset($_GET['chave']) && $_GET['chave'] === $minha_chave){
    //display json
} else{

    echo "chave incorreta";
}

Or, since you are already using HTTP POST to receive the user attribute value, you could add one more condition to receive the 'key', in this way:

if(isset($_POST['user']) 
&& $_POST['user'] != "" 
&& isset($_GET['chave'])
&& $_GET['chave'] === $minha_chave){
    //display json
} else{
    echo "chave incorreta";
}

POST is safer than GET because the information passed by users is never visible in the URL.

 

It will depend on your creativity. Good luck!

  • vlw, thank you :)

  • @Jonathansilva you're welcome, if you need anything, give a shout here!

1

From what I understand you want: when it's mobile, display the JSON; if it's a desktop browser, redirect to another URL. It can be done this way:

// Do not echo anything before header(): output sent first triggers
// "headers already sent" and corrupts the JSON body.
$userAgent = strtolower($_SERVER['HTTP_USER_AGENT'] ?? '');

// The string is lowercased above, so the patterns must be lowercase too
$isWindows = preg_match('/windows phone/', $userAgent) > 0;
$isDroid = preg_match('/android/', $userAgent) > 0;
$isIOS = preg_match('/ipad|iphone|ipod/', $userAgent) > 0;
$isMobile = $isWindows || $isDroid || $isIOS;

if($isMobile){
    // $result is the array built in user.php from the question
    header('Content-type: application/json');
    echo json_encode($result);
}else{
    // Location needs an absolute URL, otherwise it is resolved relative to this script
    header("Location: http://www.teste.com");
}

This has some flaws, mainly because the user agent can be manipulated; if your data is extremely sensitive, it needs another approach.
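As an added example that is not code from either answer: the key check from the first answer, but with the key sent in a header or the POST body and compared with hash_equals, and without the user-agent branch from the second answer (which, as that answer notes, can be faked by any client). Because a key baked into the APK can be extracted, the example also ties the request to the login the question already has, so a caller can only read their own record. The APP_KEY constant, the X-App-Key header name and the `sessions` table are assumptions for the example and do not exist in the question's code.

```php
<?php
// Added example, not code from the question or the answers.
// Assumptions (hypothetical): APP_KEY is defined in config.php, and a
// `sessions` table (token, id_user) is filled when the user logs in.
require_once 'config.php';
require_once 'classes/BD.class.php';

function respondJson(int $status, array $payload): void
{
    http_response_code($status);
    header('Content-Type: application/json; charset=utf-8');
    echo json_encode($payload);
    exit;
}

// Level 1: shared application key. Send it in a header (Volley: override
// getHeaders() on the Request) or in the POST body, not in the query string,
// where it ends up in server logs and browser history.
function receivedAppKey(): string
{
    if (isset($_SERVER['HTTP_X_APP_KEY']) && is_string($_SERVER['HTTP_X_APP_KEY'])) {
        return $_SERVER['HTTP_X_APP_KEY'];
    }
    if (isset($_POST['chave']) && is_string($_POST['chave'])) {
        return $_POST['chave'];
    }
    return '';
}

function appKeyIsValid(string $received, string $expected): bool
{
    // hash_equals compares in constant time and, unlike ==, does no type juggling
    return $received !== '' && hash_equals($expected, $received);
}

// Level 2: session token issued at login. The app key only keeps casual
// browser forms out; the token is what proves who is asking.
function bearerToken(): string
{
    // On Apache with mod_php this is populated; with CGI/FPM it may need a
    // rewrite rule that forwards the Authorization header.
    $auth = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
    return preg_match('/^Bearer\s+(\S+)$/', $auth, $m) ? $m[1] : '';
}

function userForToken(string $token): ?int
{
    if ($token === '') {
        return null;
    }
    $stmt = BD::conn()->prepare('SELECT id_user FROM `sessions` WHERE `token` = ?');
    $stmt->execute(array($token));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int)$row['id_user'] : null;
}

if (!appKeyIsValid(receivedAppKey(), APP_KEY)) {
    // A plain html form without the key gets an error body, never the data
    respondJson(401, array('error' => 'chave incorreta'));
}

$tokenUser = userForToken(bearerToken());
if ($tokenUser === null) {
    respondJson(401, array('error' => 'login required'));
}

if (!isset($_POST['user']) || !ctype_digit((string)$_POST['user'])) {
    respondJson(400, array('error' => 'missing or invalid user'));
}
$user = (int)$_POST['user'];

// user.php takes the user id as a parameter, so without this check anyone
// holding the app key could request every other user's data in turn.
if ($user !== $tokenUser) {
    respondJson(403, array('error' => 'not your data'));
}

// From here on, the queries from the question run unchanged for $user and
// the JSON is sent exactly as before.
```

On the Android side the same two values travel with every Volley request: the app key and the session token go in getHeaders() (X-App-Key and Authorization: Bearer ...), while user stays in the POST body as it is now. The user agent is not consulted at all, so a desktop browser that sets a mobile user agent gains nothing.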
