
How can I prevent anyone from communicating with my server except my Android app

I got a REST server on Google App Engine and I want only my app to be able to make calls to my server.

Is there a security option I can turn on in Google App Engine that will facilitate this? If not, then what can I do?

I know you can restrict access to some pages with the following, but I am not sure it can be applied to REST calls:

<security-constraint>
    <web-resource-collection>
        <url-pattern>/cron/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

Generate a private key/public key pair in openssl. In the app distribution, distribute the public key. Have a custom HTTP header called appName and encrypt the appname (a unique constant unpredictable bit large number) and send it. Ensure your code is obfuscated so that no one is able to view the appname. Then since you are encrypting, even if someone traces the HTTP calls, the appname will be visible as an encrypted value. At your server end, decrypt the appname using the private key. Hope this helps.

(Three answers already, and all with different ideas than my own on this matter - so a good question I think.)

It was my understanding that the recommended/canonical way of doing this (for Google) is OAuth2. Google has recognized that OAuth2 is tricky, and one of their attempts to simplify it is Cloud Endpoints, along with Google Play Services for Android clients. The instructions for this are here:

https://developers.google.com/appengine/docs/java/endpoints/consume_android#Java_Making_authenticated_calls

Note that while the docs emphasize User authentication, it also supports app authentication.

What I don't know (but would like to) is how to do the same thing for a non-endpoints app, so I guess this is just a partial answer.

Short answer is, you can't, at least not completely securely.

https://security.stackexchange.com/questions/826/how-can-i-securely-authenticate-the-client-application-sending-me-data

Long answer is, you can make it difficult for hackers. Usually this works by embedding a key in the application, obfuscating it, and obfuscating the code for getting the key. This doesn't make it impossible for someone to find the key, just harder.

One of the stronger consumer systems out there is Microsoft's Silverlight DRM, you might want to investigate how that works: http://www.iis.net/learn/media/iis-media-services/content-protection-in-silverlight

You could make all your REST services require an Access Key & Secret when accessed. The App could then store these under the configuration settings, and they are left blank when shipped to the App store.

Then when you download the application you can go into the configuration settings and insert the Key & Secret that you've set up for your REST Service. (This way it prevents anyone from accessing services, since you manually add the Key + Secret that are used.)

I would recommend setting up an IP Log of all unauthorized access attempts on the server so you could create a blacklist if someone is spamming your web service with invalid access attempts.

And then to top it all off you could do this all over HTTPS.

There are a few options:

  • Firstly, you could limit by IP. This is not a good way if your Android app gets a dynamic IP every time.
  • Secondly, you can use some algorithm on both server and client which only you know. The server could send the data to the client, the client runs that algorithm and modifies the data, then sends it back to the server. The server also runs that algorithm and checks the response. If the response is equal to what the server has calculated, then the server knows that the client is authorized. In that case the initial data which is sent from the server should be different every time.
  • Thirdly, you can use some publicly available hashing functions instead of your own algorithm. The idea is the same. The server uses the same hashing function and checks if the response from the client is identical to its calculation.

The canonical way to do this is using SSL and client certificates. I'm not sure whether App Engine supports this.

Do be aware, however, that if you're distributing your APK then you can't rely solely on anything distributed with the APK -- it would be possible (if rather unlikely, depending on how high-profile you are as a target) to extract whatever information is required to spoof the application.
