I created a webservice on an Apache PHP server and I want to be able to call that webservice within Java without using an httprequest.
My initial idea was to use a query string to pass an API key to update a database record. But then I smacked my head and realized a user could just decompile my code and see the request and use it in any browser. Is there a secure way of doing this?
I am trying to track statistics and if the user got hold of the httprequest they could just go into a browser and go to the URL to mess with the numbers.
The request is just query strings. Like www.example.com?apikey=aausy7556ze&stat1=this&stat2=that
I want a way that this request either doesn't work in browsers or somehow do this without an httprequest. Hope that makes sense.
Let's explore a few options that don't necessarily involve obfuscating your code (though it always helps to do so):
Now, of all three, #2 is the easiest and will probably be enough for your purpose. Number 2 can also be combined with #3 for added security. Together that should be enough to prevent the user from accessing your services from the browser.
What are you trying to hide exactly? I think I understand that you just want to make sure the traffic is encrypted. If you are writing the client and the service you don't need to use SSL, in fact it is wasteful to do so. Just keep a secret key that both the server and client know about, then encrypt the messages with a symmetric algorithm (e.g. AES). You can also add some checks to the plain text before you encrypt to make sure it wasn't tampered with (e.g. add a timestamp, message hash, etc.).
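The shared-key scheme described in the answer above, as an added example that is not code from the original post: a timestamp is prepended to the statistics string and the result is sealed with AES in GCM mode, whose authentication tag stands in for the separate message hash the answer mentions. Both ends are shown in Java so the file runs on its own; the class name, the demo key and the 60-second freshness window are assumptions.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

public class SealedStats { // hypothetical class name
    static final int IV_LEN = 12, TAG_BITS = 128;
    static final long MAX_AGE_MS = 60_000; // assumed freshness window

    // Sending side: prepend a timestamp, then encrypt and authenticate with AES-GCM.
    static String seal(byte[] key, String stats, long nowMs) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv); // fresh nonce for every message
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] body = stats.getBytes(StandardCharsets.UTF_8);
        byte[] ct = c.doFinal(ByteBuffer.allocate(8 + body.length).putLong(nowMs).put(body).array());
        byte[] out = ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    // Receiving side: reject anything modified (bad tag) or outside the freshness window.
    static String open(byte[] key, String token, long nowMs) throws Exception {
        byte[] raw = Base64.getUrlDecoder().decode(token);
        if (raw.length < IV_LEN + TAG_BITS / 8 + 8) throw new SecurityException("truncated");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, raw, 0, IV_LEN));
        byte[] plain = c.doFinal(raw, IV_LEN, raw.length - IV_LEN); // AEADBadTagException if tampered
        long sentAt = ByteBuffer.wrap(plain).getLong();
        if (Math.abs(nowMs - sentAt) > MAX_AGE_MS) throw new SecurityException("stale");
        return new String(plain, 8, plain.length - 8, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-key!".getBytes(StandardCharsets.US_ASCII); // 16-byte demo key, not a real secret
        long now = System.currentTimeMillis();
        String token = seal(key, "stat1=this&stat2=that", now);
        System.out.println("fresh:    " + open(key, token, now + 1_000));
        try { open(key, token, now + 120_000); } catch (SecurityException e) { System.out.println("old:      " + e.getMessage()); }
        char flipped = token.charAt(20) == 'A' ? 'B' : 'A'; // change one ciphertext character
        String bad = token.substring(0, 20) + flipped + token.substring(21);
        try { open(key, bad, now); } catch (AEADBadTagException e) { System.out.println("tampered: rejected"); }
    }
}
```

The timestamp check only bounds how long a captured token stays usable; within the window the same token is still accepted unless the receiver also remembers tokens it has seen. The key has to ship inside the client, so the decompilation concern raised in the question and in the other answers applies to it as well.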
I think what you are saying is that your server can't trust the client to provide correct values, unless it is your own program. So you want a method to ensure that it's your own client that is calling the service and not another malicious client. You are afraid that any authentication method you embed in your client can be reverse-engineered and the malicious client can then use the same authentication method to pretend to be the legitimate client.
I think all you can do is throw in some obscurity (like you are trying to do by hiding the URL parameters) but there is no real solution to this problem. All the usual security solutions assume that the authentication credentials will be kept out of the hands of malicious users. But in your case you cannot trust the client to keep the authentication credentials safe.
If someone is decompiling your Java, all bets are off. The best you could hope for there is that an obfuscator would make it sufficiently difficult to read your decompiled code.