Android secure backend-server connection

Time: 12-31

I'm writing an Android app that talks to my PHP backend server. I want to give the SHA1 fingerprint to the server every time I make a request; this way the server will know it's my app and will answer the request. But as you know, APK data can be reverse engineered easily, so the SHA1 fingerprint can be discovered and hard-coded. How can I really be sure that a request comes from my app?

Thanks in advance

edit: to that s.. o. a b.... who dislikes my question: please come here and write why you disliked my question. Thanks.

CodePudding user response:

You can't really do it, as you don't have control over the application or the network traffic. But here are some tricks:

  • Put HTTPS on the server so network traffic cannot be spoofed easily with an external app.
  • Create an HMAC from your server or SSL certificates (needs a certificate authority, CA) and pass it to the application. Send the HMAC only if you have a specific MAC address, PC ID or IP address; you can check with files and so on that everything is okay, but with reverse engineering it can be reverted. You can use hash_hmac in PHP.
  • You should not keep sensitive information in your application but rely on your server side for all sensitive information and checks.
  • If you need some data to be kept on the application and sent back afterwards, you can also use PGP keys to sign or encrypt data and then send it back to the server, verify and/or decrypt it. You can do this with the GnuPG module or use passthru to pass shell arguments. As the application does not have access to the keys, your data cannot be altered or decrypted.
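The answer above names hash_hmac as the PHP building block for a per-request HMAC. The following is an added example, not code from the original question or answer, showing what the server side of that check looks like: the app signs a canonical string (method, path, timestamp, body) with a shared secret, and the server recomputes the HMAC, rejects stale timestamps so a captured request cannot simply be replayed, and compares signatures in constant time. The header names, the canonical string layout, the secret value and the demo request are all assumptions made for this example. As the answer already notes, a secret shipped inside the APK can be extracted, so this raises the bar for casual abuse but does not prove the request came from your app; it still belongs behind HTTPS.

```php
<?php
// Added example (not from the original post): server-side verification of an HMAC
// that the app attaches to each request, built on hash_hmac as the answer suggests.
// Assumed protocol: the app sends headers X-App-Timestamp and X-App-Signature, where the
// signature is HMAC-SHA256 over "METHOD\nPATH\nTIMESTAMP\nBODY" using a shared secret.

const SHARED_SECRET = 'replace-with-a-long-random-secret';   // placeholder, not a real key
const MAX_CLOCK_SKEW_SECONDS = 300;                           // replay/staleness window

/** Canonical string that both the app and the server sign. */
function canonicalRequest(string $method, string $path, int $timestamp, string $body): string
{
    return strtoupper($method) . "\n" . $path . "\n" . $timestamp . "\n" . $body;
}

/** What the app computes before sending; included so the example runs on its own. */
function signRequest(string $secret, string $method, string $path, int $timestamp, string $body): string
{
    return hash_hmac('sha256', canonicalRequest($method, $path, $timestamp, $body), $secret);
}

/** Server side: true only if the timestamp is fresh and the signature matches. */
function verifyRequest(
    string $secret,
    string $method,
    string $path,
    string $timestampHeader,
    string $signatureHeader,
    string $body,
    int $now
): bool {
    if (!ctype_digit($timestampHeader)) {
        return false;                                   // malformed timestamp header
    }
    $timestamp = (int) $timestampHeader;
    if (abs($now - $timestamp) > MAX_CLOCK_SKEW_SECONDS) {
        return false;                                   // too old or too far in the future
    }
    $expected = signRequest($secret, $method, $path, $timestamp, $body);
    // hash_equals compares in constant time, so timing differences leak nothing about $expected.
    return hash_equals($expected, $signatureHeader);
}

/** Glue for a real PHP endpoint: pull the pieces out of the incoming request. */
function verifyCurrentRequest(string $secret): bool
{
    return verifyRequest(
        $secret,
        $_SERVER['REQUEST_METHOD'] ?? '',
        parse_url($_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH) ?: '',
        $_SERVER['HTTP_X_APP_TIMESTAMP'] ?? '',
        $_SERVER['HTTP_X_APP_SIGNATURE'] ?? '',
        file_get_contents('php://input') ?: '',
        time()
    );
}

// --- constructed demo values, not captured traffic ---
$now       = 1700000000;
$body      = '{"item":42}';
$signature = signRequest(SHARED_SECRET, 'POST', '/api/order', $now, $body);

// Genuine request, tampered body, and a replay an hour later.
var_dump(verifyRequest(SHARED_SECRET, 'POST', '/api/order', (string) $now, $signature, $body, $now));
var_dump(verifyRequest(SHARED_SECRET, 'POST', '/api/order', (string) $now, $signature, '{"item":1}', $now));
var_dump(verifyRequest(SHARED_SECRET, 'POST', '/api/order', (string) $now, $signature, $body, $now + 3600));
```

Run from the command line, the first check passes and the other two fail: changing a single byte of the body changes the expected HMAC, and a request outside the skew window is refused before the HMAC is even computed. In an endpoint you would call verifyCurrentRequest(SHARED_SECRET) and answer 401 on false; keep the secret in server configuration, not in the repository, and rotate it if the APK is ever known to have been unpacked.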