
Best way to get data into an android app?

Just a little background. I am a proficient asp.net/c#/sql server programmer who has been learning Android for less than 2 days.

We have an existing .net website which stores a list of locations in MS SQL Server 2008 and I'm trying to create an Android application that gets these locations and displays them on a Google Map.

The question really is how to get the app connected to the SQL database. I'm guessing there are a few options....

1) Some kind of direct connection between the app and the remote DB.

2) Creating some kind of middle layer using asp.net that would convert the data into something more usable to the Java code in the Android app (bear in mind I know virtually NO Java), in exactly the same way that we have .net code which supplies JSON to our web apps.

3) Creating some kind of web service to just return XML results from the web server. No idea how I would secure this so that only the Android app could request the data though.

Any help or advice on best practice would be really useful. I think I just need pointing in the general direction of a good strategy and I can work it out.

> No idea how I would secure this so that only the Android app could request the data though.

Your problem is bigger than that.

It does not relate to point (3) only, it relates to any possible approach you are going to choose.

  • If you expose any kind of data in the Internet, it can be accessed with an authentication, or without one.
  • If it's accessed with an authentication, it's either one credential for each user, or one for many users.
  • Once a user has a credential, he can use it however he likes; you can't restrict it any more than by completely blocking the credential itself.

Now, you are going this way, i.e. one credential that is valid for all users, i.e. the application has got it and it uses it to get the data. The fact that the user himself might not know it is irrelevant.

Remember: security through obscurity just doesn't work. Obscurity is only "one more annoyance" if you want to break, it's like a dark room with valuables inside: the darkness doesn't help, but it's no excuse for not having a lock. And someone is going to steal something soon, it's just a matter of time.
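The credential argument in the answer above, as an added example that is not part of the original answer: a server-side token store (hypothetical `TokenStore`, written in Python rather than the asker's ASP.NET stack) that holds one shared app credential next to per-user credentials, then revokes each kind. All names and owner labels are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class TokenStore:
    """Hypothetical server-side token store; only SHA-256 digests are kept."""

    def __init__(self):
        self._owner_by_digest = {}   # token digest -> owner label
        self._revoked = set()        # digests that must be rejected

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue(self, owner: str) -> str:
        token = secrets.token_urlsafe(32)
        self._owner_by_digest[self._digest(token)] = owner
        return token

    def revoke(self, token: str) -> None:
        self._revoked.add(self._digest(token))

    def authenticate(self, token: str):
        """Return the owner label for a valid, unrevoked token, else None."""
        presented = self._digest(token)
        for known, owner in self._owner_by_digest.items():
            if hmac.compare_digest(known, presented):
                return None if known in self._revoked else owner
        return None


def demo():
    store = TokenStore()
    # Model 1: one credential shipped inside every copy of the app.
    shared = store.issue("android-app")
    # Model 2: one credential per user, issued after that user logs in.
    alice = store.issue("alice")
    bob = store.issue("bob")

    # Blocking the shared credential is the only available control,
    # and it cuts off every installed copy of the app at once.
    store.revoke(shared)
    shared_still_works = store.authenticate(shared) is not None
    # Blocking one user's credential leaves the other users untouched.
    store.revoke(bob)
    return shared_still_works, store.authenticate(alice), store.authenticate(bob)
```
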

Your security problem is one of network infrastructure and protocols, not of Android. OAuth is emerging as a standard way of doing this, and using Google as an example, perhaps a better analog would be access to Google Docs?

more here:

Actually implementing the handshake, etc could take a bit of work depending on just how secure you'd like to make it. Again, this isn't really an "Android thing" so much as it is an architectural challenge first, and once you've made some of those architectural decisions you can actually implement what you've decided to do on Android or anything else.

Conceptually, exposing your data through web services and consuming them down the line from your UI is fine. You've just got to nail down what your security strategy will be, OAuth or otherwise.

Native LDAP support for Android could arrive pretty soon (lots of people want it); that could help with security (i.e. using your Exchange Server to validate different user credentials instead of using one for the app).

In the meantime, it is true that the data might be more accessible than it should. Is it sensitive?

You cannot actually connect to a remote DB, especially if it is an MS SQL database (Android can only deal with SQLite).

Your best option, knowing that you want to secure your data, is to build a Java interface on the server side, which would have access to your database.

Then, you can do some RMI or you can use sockets to send and receive data (including encrypted data).

Besides your problem of securing the data, the things I would do to solve your task would consist of the following steps:

  • Use a JSON web service to communicate between the mobile device and your db. A db connection would have to be reestablished every time you access the db because of the flaky network connection of mobile devices. The web service nicely wraps a single question to the db.
  • Use Google Gson to parse the JSON into Java data objects to handle them in the app.
  • Create a MapView with your own overlay to display the items on the map.

The security thing is a problem I thought about a lot. If you want to restrict the access to the database you need the app to have some kind of key to authenticate at the web server. The problem is that somebody could just open up your app and look for this key and then remodel the traffic used in your app. You can use the key to do an HTTPS connection to your web API; this prohibits others from tapping into the network connection, but the person owning the phone can always access the key.

You always can make it more difficult for the attacker but you can always fake being a phone app because the auth tokens need to be on the phone. Some ways to make it more difficult are:

  • Encrypt the key inside your application. This makes it harder for fast searches inside your class files and easy extraction of the key. But it is only one more layer of hiding, because the key to decrypt has to be in your app as well.
  • Generate a second key based on the phone data, add a hash of the IMEI, the phone number etc. The problem is that this data has to be initially registered at the server, therefore it can simply be faked.

If you simply want your data to be secured from harvesting through a bot, make the server only respond to requests that seem to come from a mobile phone. Block single IPs that make hundreds of calls to the web service etc.
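One way to implement the per-IP blocking suggested at the end of the answer above, as an added example that is not part of the original answer: a sliding-window limiter replayed over constructed traffic. The class name, the thresholds (100 requests per 60 s, 10-minute block) and the sample addresses are assumptions.

```python
from collections import defaultdict, deque


class PerIpLimiter:
    """Sliding-window request counter with a temporary block per client IP."""

    def __init__(self, max_requests=100, window_s=60, block_s=600):
        self.max_requests = max_requests
        self.window_s = window_s
        self.block_s = block_s
        self._hits = defaultdict(deque)   # ip -> timestamps inside the window
        self._blocked_until = {}          # ip -> time at which the block expires

    def allow(self, ip: str, now: float) -> bool:
        if self._blocked_until.get(ip, 0) > now:
            return False
        hits = self._hits[ip]
        # Drop timestamps that have fallen out of the window.
        while hits and hits[0] <= now - self.window_s:
            hits.popleft()
        hits.append(now)
        if len(hits) > self.max_requests:
            self._blocked_until[ip] = now + self.block_s
            hits.clear()
            return False
        return True


def replay(requests, limiter):
    """Feed (timestamp, ip) pairs through the limiter; return rejected counts per IP."""
    rejected = defaultdict(int)
    for ts, ip in requests:
        if not limiter.allow(ip, ts):
            rejected[ip] += 1
    return dict(rejected)


# Constructed sample traffic (RFC 5737 documentation addresses):
# one client polling every 30 s, one client sending 5 requests per second.
SAMPLE = sorted(
    [(t * 30.0, "192.0.2.10") for t in range(20)]
    + [(t * 0.2, "198.51.100.7") for t in range(300)]
)
```

Mobile carriers often place many subscribers behind one public address, so a threshold tuned for a single handset can also block legitimate users who share that address.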
