How to work securely on an Android+API?

Asked

Viewed 1,046 times

3

I need to develop an API that will receive data from a json user via $_GET with PHP, which will check the data and return a true or false value to the Android application.

I am currently using AES encryption to send json via $_GET, where the API will use the key to decrypt and return the required data, but I believe it is not a very secure system, because any user could access the URL of the API directly from the browser (Although it can not use it because it does not have the Key).

I would like to know how I can improve this system in terms of security.

/* Obs */

Currently as my application needs to encrypt the data and send to the API, so that after the reverse occurs, I save an encryption key in a variable within the APK, which is not really something safe because the application can be broken, and with the source code available anyone will have access to the API key.

php android json api
  • 1

    Implementing a security system depends a lot on the problem and the "fear" you have. What exactly is the danger? What do you need to avoid? The interception. of the data sent? The interception. of the answer? Modification of the answer? Of the data?

  • A dethale: with a bestial xdaAutoTool type, it takes 2 minutes to break an APK and with Jdecomp it takes 2 more minutes to break the JAR and have the source code... This means that if you have the "key" inside your code, the security level and but less than 0.

  • That’s what I’m talking about, Peter. Currently my problem is that the API is completely accessible through the URL by the Browser, such as http:/host/Apiserver/server.php? query=DADOS_CRIPTOGRAFADOS E how the API receives the encrypted data to decrypt with AES, perform the request (User login for example) and then return the encrypted values, anything that is added to the query parameter of the URL will return some value whatever will not mean anything if the key does not match, but if the user has this key will be able to rescue any user data.

  • Point 1, you need to send using POST. Another point, if I understand well, what do you want to do and the identification about PHP? I have the application, I will connect in PHP and PHP will know who I am. That? The main question is whether you want to identify the user (then a person who can enter the password) o se vc quer identificar o applicativo Android (so without taking care of who uses).

  • In case, I want to identify the user who is accessing and logged in the form, this form will do the validation through the API.

  • The key could come together in the GET/POST response, so it wouldn’t be necessary to store it in the app, whether it comes encrypted or not, it’s another story. You can’t guarantee 100% as has been said in other questions, but you can do it in a way that takes more time that the "Cracker" wants to spend in their attempts, it is worth using everything in its reach to make it difficult. You could even fragment the decryption key, to confuse more. Use SSL whenever you can, in all transactions. :)

Show 1 more comment

1 answer

2


One of the additional implementations you can use is authentication HTTP, so the user will be asked to enter a username and password, wherever he accesses your API.

I usually do this using the files .htaccess and .htpasswd.

In the .htaccess, which is at the root of your API, has something like this:

AuthType Basic
AuthName "Minha API"
AuthUserFile /path/api/.htpasswd
Require valid-user

And in the archive .htpasswd you own the users with access permission. This file you can leave it out of your directory API, naturally where access is not public. Here has a tool that you can generate this line for the file, but an example would be like this:

paulo:$apr1$BrHTIveu$TfxuDimtsqm/LX6w9GL1f1

That is, only the user paul you are allowed to authenticate with the password "password" by the above example.

Done that, on the side of Android, you need to add this information to the header of your request. Our form of authentication is BA (HTTP Basic Authentication), so at this point we have:

connection.setRequestProperty("Authorization", "Basic " + authBase64);

Whereas connection I took as an example an implementation with the class Httpurlconnection and authBase64 is the username and password on Base 64 thus: usuario:senha. Example:

String authBase64 = Base64.encodeToString("paulo:senha".getBytes(), Base64.DEFAULT);

That’s basically it, one of the ways you’d have to add one more step of access security to your API.

I hope I’ve helped.

  • 3

    Yes, a good extra step, in addition to this can also stop using GET and use POST with more encryption and use SSL.

  • If the key to "inside" the code of the Android APP, cryptography the HTTP will change nothing. It takes 10 minutes to break the code of an Android APP, find the key and use.

  • Another important point is to use something like Mcrypt to encrypt the sent and received data, so no Sniffer smells data from your API.

  • @Peter Being so, nothing that is done is 100%. As I said, it is one of the implementations to go decreasing the chances. Accessing the direct address has much more possibilities than someone breaking an APP code (and know how to do this).

  • What would be the best way to save this encryption key? since I can’t leave inside the APK.

  • 1

    @Paul to break an Android code, Google and his friend. Has doc and has video showing how to do. About Raphael’s comment, the question gives the answer. Raphael asks "how best to keep that key". The good question is "why keep the key?" ;)

  • If someone can access the application code and find the password and connection method with the API there is no reason to use encryption anyway, then how to ensure that ONLY the application has access to the API information?

Show 2 more comments

Browser other questions tagged php android json api

You are not signed in. Login or sign up in order to post.