2

My problem is that I made an app and I am making PHP requests. I just realized that you can sniff everything on Android with "Packet Capture".

How can I make my app more secure? I thought about working with checksums or adding something like a secret key which changes every time, and I decrypt this key on my server somehow.

Does any of you have an idea how to protect against sniffing, or how I can make my requests more secure? (I am using basic authentication now, but this isn't good.)

I am new to security.

To make it more clear: the user itself is sniffing the request. It is a game, and the user is able to sniff everything (UserID, Score, etc.), send a request with these parameters, and set the score to 99999.

Godlike
  • 121
  • 1
  • 5

2 Answers

4

You cannot stop the user from intercepting the traffic that your application generates. There are the following alternatives that you can use to make your application work correctly:

1) Use a secured connection (SSL/TLS). Although users on the same network will be able to view the network traffic generated, they will not be able to figure out any meaning from it, as it is encrypted.

2) To disallow parameter tampering in your application, perform strict and robust server-side validation. Use indirect-reference maps to disallow insecure direct references to your objects. E.g. instead of UserId as a parameter, set a random string "adasdfasdfasdf" as the parameter, which will stand for UserId, and make this parameter generated randomly every time the user requests the page. This will help you avoid parameter tampering to a great extent.

You can get more information about it at https://www.owasp.org/index.php/ESAPI_Specification#AccessReferenceMap.3CKey.3E
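The indirect-reference map and the server-side validation from this answer, as an added example that is not part of the answer or of the asker's app. It is written in Python to keep the logic readable; the asker's PHP backend is not shown on the page, so the player store (`players`), the request shape (`ref`, `gained`) and the `MAX_GAIN_PER_REQUEST` game rule are constructed assumptions. The map stops a client from pointing a request at another user's record; the validation step is what stops the sniffing user from simply claiming a score of 99999 for themselves.

```python
import secrets


class AccessReferenceMap:
    """Per-session map between real identifiers and random indirect references.

    The client only ever sees the indirect reference. The server translates it
    back; an edited or guessed value fails the lookup instead of reaching
    another user's record. Following the answer, the reference is rotated
    after every use so each request carries a fresh random value.
    """

    def __init__(self):
        self._direct_to_indirect = {}
        self._indirect_to_direct = {}

    def add(self, direct):
        """Return the indirect reference for a real id, issuing one if needed."""
        if direct in self._direct_to_indirect:
            return self._direct_to_indirect[direct]
        while True:
            indirect = secrets.token_urlsafe(16)   # 128 bits, not guessable
            if indirect not in self._indirect_to_direct:
                break
        self._direct_to_indirect[direct] = indirect
        self._indirect_to_direct[indirect] = direct
        return indirect

    def get_direct(self, indirect):
        """Translate back to the real id; raises KeyError on unknown/tampered input."""
        return self._indirect_to_direct[indirect]

    def rotate(self, direct):
        """Invalidate the current reference for `direct` and issue a new one."""
        old = self._direct_to_indirect.pop(direct, None)
        if old is not None:
            self._indirect_to_direct.pop(old, None)
        return self.add(direct)


# Constructed game rule (assumption): no single "level complete" request may
# add more than this many points. The real bound comes from the game design.
MAX_GAIN_PER_REQUEST = 1000


def handle_score_submit(session_map, players, params):
    """Server-side handler for a score update. Returns (http_status, body).

    session_map: AccessReferenceMap for the caller's session
    players:     authoritative server-side store {user_id: {"score": int}}
    params:      untrusted request parameters as sent by the client
    """
    # 1. Resolve the indirect reference; anything unknown is a forged request.
    try:
        user_id = session_map.get_direct(params["ref"])
    except KeyError:
        return 403, {"error": "unknown reference"}

    # 2. Strict type validation of every client-supplied value.
    try:
        gained = int(params["gained"])
    except (KeyError, TypeError, ValueError):
        return 400, {"error": "bad score"}

    # 3. Plausibility validation: the server, not the client, owns the rules.
    if gained < 0 or gained > MAX_GAIN_PER_REQUEST:
        return 400, {"error": "implausible score"}

    # 4. Apply to the server-side record only after all checks passed.
    players[user_id]["score"] += gained

    # 5. Hand the client a fresh reference for its next request.
    new_ref = session_map.rotate(user_id)
    return 200, {"score": players[user_id]["score"], "ref": new_ref}


if __name__ == "__main__":
    # Constructed sample session: one player with an existing score.
    store = {"user-42": {"score": 120}}
    session = AccessReferenceMap()
    ref = session.add("user-42")
    print(handle_score_submit(session, store, {"ref": ref, "gained": "99999"}))
    print(handle_score_submit(session, store, {"ref": ref, "gained": "50"}))
```

Once the real identifier never appears on the wire, the cleartext the user sees in a packet capture contains nothing they can edit into a request for another account, and whatever they change in their own request still has to pass the server's type and plausibility checks.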

-1

It seems like you are asking about CSRF (Cross-Site Request Forgery). This is a vulnerability where the server cannot differentiate whether the request originated from the authenticated user himself or is a forged request. You can implement a secure token.

To prevent sniffing packets across the network, implement HTTPS (TLS 1.2).

user1493834
  • 177
  • 1
  • 10