Just a little background. I am a proficient asp.net/c#/sql server programmer who has been learning Android for less than 2 days.
We have an existing .net website which stores a list of locations in MS SQL server 2008 and I'm trying to create an Android application that gets these locations and displays them on a Google Map.
The question really is how to get the app connected to the SQL database. I'm guessing there are a few options....
1) Some kind of direct connection between the app and the remote DB.
2) Creating some kind of middle layer using asp.net that would convert the data into something more usable to the Java code in the android app (bear in mind I know virtually NO java), in exactly the same way that we have .net code which supplies JSON to our web apps.
3) Creating some kind of web service to just return XML results from the web server. No idea how I would secure this so that only the Android app could request the data though.
Any help or advice on best practice would be really useful. I think I just need pointing in the general direction of a good strategy and I can work it out.
No idea how I would secure this so that only the Android app could request the data though.
Your problem is bigger than that.
It does not relate to point (3) only, it relates to any possible approach you are going to choose.
Now, you are going this way, i.e. one credential that is valid for all users, i.e. the application has got it and it uses it to get the data. The fact that the user himself might not know it is irrelevant.
Remember: security through obscurity just doesn't work. Obscurity is only "one more annoyance" if you want to break, it's like a dark room with valuables inside: the darkness doesn't help, but it's no excuse for not having a lock. And someone is going to steal something soon, it's just a matter of time.
Your security problem is one of network infrastructure and protocols, not of Android. OAuth is emerging as a standard way of doing this, and using Google as an example, perhaps a better analog would be access to Google Docs?
more here:
Actually implementing the handshake, etc. could take a bit of work depending on just how secure you'd like to make it. Again, this isn't really an "Android thing" so much as it is an architectural challenge first, and once you've made some of those architectural decisions you can actually implement what you've decided to do on Android or anything else.
Conceptually, exposing your data through web services and consuming them down the line from your UI is fine. You've just got to nail down what your security strategy will be, OAuth or otherwise.
Native LDAP support for Android could arrive pretty soon (lots of people want it); that could help for security (i.e. using your Exchange Server to validate different user credentials instead of using one for the app).
In the meantime, it is true that the data might be more accessible than it should. Is it sensitive?
You cannot actually connect to a remote DB, especially if it is a MS SQL database (android can only deal with SQLite).
Your best option, knowing that you want to secure your data, is to build a Java Interface on the server side, which would have access to your database.
Then, you can do some RMI or you can use sockets to send and receive data (including encrypted data).
Besides your problem of securing the data, the things I would do to solve your task would consist of the following steps:
The security thing is a problem I thought about a lot. If you want to restrict the access to the database you need the app to have some kind of key to authenticate at the web server. The problem is that somebody could just open up your app and look for this key and then remodel the traffic used in your app. You can use the key to do an HTTPS connection to your web API; this prohibits others from tapping into the network connection, but the person owning the phone can always access the key.
You always can make it more difficult for the attacker but you can always fake being a phone app because the auth tokens need to be on the phone. Some ways to make it more difficult are:
If you simply want your data to be secured from harvesting through a bot, make the server only respond to requests that seem to come from a mobile phone. Block single IPs that make hundreds of calls to the web service etc.
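The answers above object to one credential shared by every copy of the app and note that any key stored on the phone can be read by its owner. As an added example (not code from any of the posts), this sketch shows the server side of the alternative: after a user logs in, the web service hands out a short-lived, per-user token signed with a key that never leaves the server. The names `SERVER_KEY`, `issue_token`, `verify_token` and `revoke` and the token layout are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

# Assumption: this key lives only on the web server and is never shipped in the app.
SERVER_KEY = b"constructed-demo-key"   # constructed value; load from server config
TOKEN_LIFETIME = 15 * 60               # seconds a token stays valid
_revoked = set()                       # user ids whose tokens are refused


def _sign(payload):
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_token(user_id, now=None):
    """Call after the user has logged in over HTTPS with their own credentials."""
    if "|" in user_id:
        raise ValueError("user id must not contain the field separator")
    now = time.time() if now is None else now
    payload = f"{user_id}|{int(now) + TOKEN_LIFETIME}"
    return f"{payload}|{_sign(payload)}"


def revoke(user_id):
    """Cut off one user without touching anyone else's access."""
    _revoked.add(user_id)


def verify_token(token, now=None):
    """Return the user id for a valid token, otherwise None."""
    now = time.time() if now is None else now
    try:
        user_id, expiry, sig = token.split("|")
        expires_at = int(expiry)
    except ValueError:
        return None                    # malformed token
    expected = _sign(f"{user_id}|{expiry}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None                    # forged or tampered with
    if now >= expires_at or user_id in _revoked:
        return None                    # expired or revoked
    return user_id
```

A token copied off one phone still works until it expires, but it identifies a single user, so the server can revoke or throttle that user instead of rotating a secret baked into every install.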