
web services and phonegap : best practices

Hi, I am using PhoneGap for cross-platform development (I use AngularJS as my JS framework). I want to use a web service to access a list of positions from my database (MySQL) on my website.

The problem is that the solution I found is not secure at all:

var xhr;
if (window.XMLHttpRequest)
    xhr = new XMLHttpRequest();
else
    xhr = new ActiveXObject("Microsoft.XMLHTTP"); // legacy IE fallback; "new" was missing

xhr.open("GET", "http://localhost:8888/MAMP_Site/0/test.php", true);
xhr.onreadystatechange = function() {
    // status 0 is what the webview reports for responses to file:// requests
    if (xhr.readyState == 4 && (xhr.status == 200 || xhr.status == 0)) {
        console.log("Ready State4: Json Textual Data retrieved");
        handleData(xhr.responseText); // Json Textual Data
    }
};
xhr.send(null);

// runs inside the AngularJS controller that owns $scope
function handleData(data)
{
    var jsonData;
    console.log("ReceivedData from WebService:" + data);
    // JSON.parse only parses the text; eval() would execute any script the response contained
    jsonData = JSON.parse(data);

    $scope.lastUpdate = jsonData[0];
    $scope.jsonData = jsonData[1];
    $scope.$apply();
}

<?php
    header('Access-Control-Allow-Origin: *');
    header("Content-Type: application/json"); // the body is JSON, not plain text

    class UserInfo {
        public $id = "";
        public $name  = "";
        public $username = "";
        public $timestamp = "";

        public function __construct($_id, $_name, $_username, $_timestamp) {
            $this->id = $_id;
            $this->name = $_name;
            $this->username = $_username;
            $this->timestamp = $_timestamp;
        }
    }

    // Log the driver message server-side; echoing the SQL and the error to the
    // client (as the original die() did) hands an attacker the table layout.
    function fail($msg) {
        error_log($msg);
        http_response_code(500);
        exit;
    }

    // mysql_* was removed in PHP 7; mysqli_* is the procedural drop-in replacement
    $db = mysqli_connect('localhost', 'root', 'root', 'myDbName', 8889);
    if (!$db) fail('DB connection failed: ' . mysqli_connect_error());

    $sql = 'SELECT id,name,username,timestamp FROM positions_test';
    $req = mysqli_query($db, $sql) or fail('SQL error: ' . mysqli_error($db));
    $dataArray = array();

    while ($data = mysqli_fetch_assoc($req)) {
        $dataArray[] = new UserInfo($data['id'], $data['name'], $data['username'], $data['timestamp']);
    }

    // Last modified time of the table
    $sql = "SELECT UPDATE_TIME FROM information_schema.tables WHERE TABLE_SCHEMA = 'myDbName' AND TABLE_NAME = 'positions_test'";
    $req = mysqli_query($db, $sql) or fail('SQL error: ' . mysqli_error($db));
    $row = mysqli_fetch_assoc($req);
    $data = $row ? $row["UPDATE_TIME"] : null; // null when the table has never been updated

    $jsonDataArray = array($data, $dataArray);
    echo json_encode($jsonDataArray);
    mysqli_close($db);
?>


Basically the PHP returns JSON (as text), and I get it (as text) in my JS. Then I evaluate it as JSON.

The question

Security concern

As the application is made with Cordova, all JS and HTML source code can be viewed, and so can the URL of my PHP "web service". It means that anybody who has the address can access the JSON file. Even if this data is public (in my case), I want it to be accessible only from my app (this way I can, for instance, prevent a bot from storing all of this data and spamming).

Token or user-agent

As there is no authentication for users, is there any way for my web service to know where the request comes from?
I thought of using a token to ensure that the request comes from my app, but once again, as the source code can be viewed, anybody could see the token or the code to generate it.
Maybe using the user-agent to know if it is accessed from a mobile device?

Other port than 80

Maybe it would be judicious to choose a port other than 80 to connect to my web service, but how can I select my connection port?

Best practice

The main point would actually be: what are the best practices for web services on PhoneGap (Cordova)? Should I use SSL, HTTPS?
Should I use a real web service instead of a simple PHP page and XMLHttpRequest? If yes, which one?
And of course, how do I build my web service properly?

I know this is a long post, but I searched the web for a while and I found a lot of interesting stuff but nothing really concrete on the best practices to build your web services for a PhoneGap application (with no user authentication).

You could try to obfuscate it, or a lot of other things, but in the end you have to receive it on the client side and therefore there is nothing you can do to fully prevent him from reading your data, seeing your client-side code or spamming your service.

The best you can do to make sure that the service is safe is: make sure the connection to the DB does not allow writes, all the software involved is updated regularly, and that the queries sent to your service have the syntax and content that you are expecting.
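The three measures in this answer (a read-only DB account, accepting only the query content you expect, and not leaking errors) applied to the question's positions endpoint, as an added example that is not code from the question, the answer or PhoneGap; the positions_ro account, the optional since parameter and the POSITIONS_DB_PASSWORD variable are assumptions:

```php
<?php
// Added example, not code from the question or the answer: the positions
// endpoint rewritten along the answer's three points. It assumes a MySQL
// account "positions_ro" created with SELECT rights only, for instance
//   GRANT SELECT ON myDbName.positions_test TO 'positions_ro'@'localhost';
// and its password supplied in the POSITIONS_DB_PASSWORD environment variable.
declare(strict_types=1);
header('Content-Type: application/json; charset=utf-8');
// The Cordova webview has no real web origin, so a wildcard is still needed;
// that is one more reason the data must be safe to expose and the DB read-only.
header('Access-Control-Allow-Origin: *');

// 1. Accept only the parameter you expect, in the shape you expect: an optional
//    "since" filter that must look like a MySQL DATETIME, otherwise reject.
$since = $_GET['since'] ?? null;
if ($since !== null && !preg_match('/^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$/', $since)) {
    http_response_code(400);
    echo json_encode(['error' => 'invalid since parameter']);
    exit;
}

try {
    // 2. Read-only credentials: a bug in this script cannot turn into a write.
    $pdo = new PDO('mysql:host=localhost;port=8889;dbname=myDbName;charset=utf8mb4',
        'positions_ro', getenv('POSITIONS_DB_PASSWORD') ?: '',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);

    // 3. Prepared statement: the validated value is bound, never concatenated.
    $sql = 'SELECT id, name, username, timestamp FROM positions_test'
         . ($since !== null ? ' WHERE timestamp > :since' : '')
         . ' ORDER BY timestamp LIMIT 500';   // bound the size of any one reply
    $stmt = $pdo->prepare($sql);
    if ($since !== null) {
        $stmt->bindValue(':since', $since);
    }
    $stmt->execute();
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

    $upd = $pdo->query("SELECT UPDATE_TIME FROM information_schema.tables "
        . "WHERE TABLE_SCHEMA = 'myDbName' AND TABLE_NAME = 'positions_test'");
    $lastUpdate = $upd->fetchColumn() ?: null;

    // Same [lastUpdate, rows] shape the question's client reads as jsonData[0] and [1].
    echo json_encode([$lastUpdate, $rows]);
} catch (PDOException $e) {
    // 4. Driver and SQL details go to the server log, never to the client.
    error_log('positions endpoint: ' . $e->getMessage());
    http_response_code(500);
    echo json_encode(['error' => 'internal error']);
}
```

Serve it over HTTPS as the question suggests; the read-only grant and the LIMIT do not stop a scraper, which the answer notes cannot be fully prevented, but they bound what any one request can do.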
