3

I have created an Android app which sends data to a web service. Right now the user sends his test results (test id, test name, test time, and user ID). The problem is that I send the data from the client to the web service in JSON; the web service can be accessed in the browser. However, an unauthorized user could use his browser to call the webservice method for inserting the score. How can I solve this problem? I need to let only the Android client send the data to the webservice.

Mark

2 Answers

1

In general, this can't be done. If the user has access to the app, they can reverse-engineer it and undetectably emulate everything it does.

What you can do is put obstacles in their path. Simply transmitting a salted hash alongside the data will stop 99% of would-be attackers; if you're willing to go to greater effort, using public-key cryptography to encrypt and sign the message being transmitted will stop almost everyone.

This won't stop or even significantly slow a professional attacker, but if your primary threat model is "college student majoring in art history" or "casual Facebook user", it's more than adequate.

Mark
  • As this is the correct answer, let me put here how to do it correctly - approach the application like it is a web browser. It doesn't need direct writing access to the database like a super user, instead establish an authentication system where some people can modify things and the public cannot. – James Cameron Dec 18 '15 at 14:30
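
The "salted hash alongside the data" from the answer above, sketched as an added example that is not part of either answer: a keyed hash (HMAC-SHA256, used here in place of a plain salted hash) over the score JSON, checked server-side together with a timestamp and nonce so a captured request cannot be resubmitted. The per-user keys issued at login (following the comment's authentication suggestion), the `ts` and `nonce` fields, and all function names are assumptions; a key held by the app can still be extracted by someone who reverse-engineers it, as the answer says.

```python
import hashlib
import hmac
import json
import time

# Assumption: per-user secrets issued at login and kept server-side (constructed value).
USER_KEYS = {"u42": b"constructed-demo-key-for-u42"}
MAX_SKEW = 300          # seconds a signed request stays valid
_seen_nonces = set()    # in-memory replay cache; a real service would expire entries


def canonical(body):
    """Serialize deterministically so client and server hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(body, key):
    """Client side: HMAC-SHA256 over the canonical JSON, sent alongside the data."""
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def verify(body, tag, now=None):
    """Server side: return "ok" or the reason the score submission is rejected."""
    now = time.time() if now is None else now
    user, ts, nonce = body.get("user_id"), body.get("ts"), body.get("nonce")
    fields_ok = isinstance(user, str) and isinstance(ts, (int, float)) and isinstance(nonce, str)
    if not (fields_ok and isinstance(tag, str)):
        return "malformed"
    key = USER_KEYS.get(user)
    if key is None:
        return "unknown user"
    # Constant-time comparison; any change to the signed fields changes the tag.
    if not hmac.compare_digest(sign(body, key).encode(), tag.encode("utf-8", "replace")):
        return "bad signature"
    if not abs(now - ts) <= MAX_SKEW:   # written this way so a NaN timestamp is rejected
        return "stale"
    if nonce in _seen_nonces:
        return "replay"
    _seen_nonces.add(nonce)
    return "ok"


if __name__ == "__main__":
    # Constructed sample request using the fields named in the question.
    req = {"user_id": "u42", "test_id": 7, "test_name": "quiz", "test_time": 93,
           "ts": time.time(), "nonce": "n-0001"}
    tag = sign(req, USER_KEYS["u42"])
    print(verify(req, tag))                      # accepted
    print(verify(dict(req, test_time=1), tag))   # edited score, rejected
```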
-3

Call the sendPostRequest(String username, String pass) method with parameters. You can call this method from the UI thread, the request will be sent from a different thread (AsyncTask is embedded).

S.L. Barth
kumar