Android, how to do security in JSON?

3

I use Volley to do a POST request to a URL that returns user data ... but anyone can see this data by creating a simple HTML form with its action set to the URL 192.168.0.101/project/user.php. Hi, I have a JSON application that I want to use. NOTE: I used header("Location: www.teste.com"); and it redirects without showing the JSON to the possible "hacker", BUT then it does not list the data in the app.

PHP:

<?php
require_once('config.php');
require_once 'classes/BD.class.php';
BD::conn();
if(isset($_POST['user']) && $_POST['user'] != ""){
    $user = (int)$_POST['user'];
    // Table and column names must be quoted with backticks, not single quotes:
    // 'photos' and 'id_user' are string literals, so the original queries
    // compared constants instead of columns.
    $searchPhotos = BD::conn()->prepare("SELECT * FROM `photos` WHERE `id_user` = ? ORDER BY `id` DESC");
    $searchPhotos->execute(array($user));
    $resultPhotos = $searchPhotos->rowCount();

    $searchQtdFollowers = BD::conn()->prepare("SELECT id FROM `follows` WHERE `user` = ?");
    $searchQtdFollowers->execute(array($user));
    $resultFollowers = $searchQtdFollowers->rowCount();

    $searchQtdFollowing = BD::conn()->prepare("SELECT id FROM `follows` WHERE `follower` = ?");
    $searchQtdFollowing->execute(array($user));
    $resultFollowing = $searchQtdFollowing->rowCount();

    // Initialise the response array before appending to it.
    $result = array();
    $array = array(
            "photos" => $resultPhotos,
            "followers" => $resultFollowers,
            "following" => $resultFollowing
            );
    $result[] = array_map("utf8_encode", $array);
    while($data = $searchPhotos->fetch(PDO::FETCH_ASSOC)){
        $array = array(
                "photo" => PATH.$data["photo"],
                "date_creation" => date('d/m/Y', strtotime($data["date_creation"]))
                );
        $result[] = array_map("utf8_encode", $array);
    }
    header('Content-type: application/json');
    echo json_encode($result);
}
?>
asked by anonymous 29.08.2016 / 03:52

2 answers

1

There are several security methods for this case; however, a basic method, the least you should do, would be to use an encrypted key at both ends of the connection. In this first case, use an HTTP GET request and pass your key as a parameter from your application. Example:

http://192.168.0.101/projeto/user.php?chave=mistersatanderrotoucell

In this case, your application would send encrypted data through the parameter chave, where mistersatanderrotoucell would already be the encrypted data.

To retrieve this value in PHP, we use the following lines of code:

echo $_GET['chave'];

Therefore, it would be necessary to check whether the received key is correct or not, like this:

// The key must be a quoted string literal; unquoted it is an undefined constant.
$minha_chave = 'mistersatanderrotoucell';

if($_GET['chave'] == $minha_chave){
    //show json
} else{
    echo "chave incorreta";
}

Or, since you are already using HTTP POST to get the value of the user attribute, you would just add one more condition to receive the key, this way:

if(isset($_POST['user']) 
&& $_POST['user'] != "" 
&& $_GET['chave'] == $minha_chave){
    //show json
} else{
    echo "chave incorreta";
}

POST is more secure than GET because information passed by users is never visible in the URL.

It will depend on your creativity. Good luck!

29.08.2016 / 05:04
1

So I understand that you want, when the client is mobile, to display the JSON, and when it is a desktop browser, to redirect to another URL. It can be done this way:

// Do not echo anything before header(): output sent first causes a
// "headers already sent" error, so the original debug echo is dropped.
$userAgent = strtolower($_SERVER['HTTP_USER_AGENT']);

$isWindows = preg_match('/windows phone/', $userAgent) > 0;
$isDroid = preg_match('/android/', $userAgent) > 0;
$isIOS = preg_match('/ipad|iphone|ipod/', $userAgent) > 0;
$isMobile = $isWindows || $isDroid || $isIOS;

if($isMobile){
    // $result is the array built by the queries in the question.
    header('Content-type: application/json');
    echo json_encode($result);
}else{
    // Location needs an absolute URL; a bare "www.teste.com" is resolved relative to the current host.
    header("Location: http://www.teste.com");
}

This has some flaws, mainly because the user-agent can be manipulated; if your data is extremely sensitive, you need another approach.

29.08.2016 / 15:01
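The following is an added example, not code from the question or either answer, showing how the shared-key check from the first answer can be done more safely: the key travels in a request header over HTTPS instead of a GET parameter, the comparison uses hash_equals() rather than ==, and the user-agent test from the second answer is left out because any client can set its own User-Agent. The constant name APP_KEY, the header name X-App-Key, the deny() helper and the key value are this example's own assumptions; the user id handling mirrors the original script.

```php
<?php
// Added example (not from the original question or answers): a hardened
// version of the shared-key check proposed in answer 1.
// Assumed names: APP_KEY, the X-App-Key request header and deny() are
// choices made for this example, not part of the project.

// In production keep the key out of the source tree (environment variable or
// a file outside the web root); the literal below is a constructed placeholder.
define('APP_KEY', 'REPLACE-WITH-A-RANDOM-32-BYTE-KEY');

function deny(int $status, string $message): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(array('error' => $message));
    exit;
}

// Refuse plaintext HTTP: a key sent over http:// is readable by anyone on the
// same network as the server (the 192.168.0.101 LAN in the question).
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    deny(403, 'https required');
}

// Only accept POST, so neither the key nor the user id lands in URLs,
// browser history or access logs.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    deny(405, 'method not allowed');
}

// PHP exposes the X-App-Key header as $_SERVER['HTTP_X_APP_KEY'].
// hash_equals() runs in time independent of where the strings differ and
// does a strict byte comparison, unlike == which is loose and short-circuits.
$presented = isset($_SERVER['HTTP_X_APP_KEY']) ? $_SERVER['HTTP_X_APP_KEY'] : '';
if (!hash_equals(APP_KEY, $presented)) {
    deny(401, 'invalid key');
}

// Validate the user id before it reaches the database, as the original
// script does with its (int) cast.
if (!isset($_POST['user']) || !ctype_digit((string)$_POST['user'])) {
    deny(400, 'user required');
}
$user = (int)$_POST['user'];

// Run the prepared statements from the question here; a minimal stand-in
// response is used so the file runs on its own.
$result = array(array('user' => $user));

header('Content-Type: application/json');
echo json_encode($result);
```

On the Volley side the app adds the same key as a request header (overriding getHeaders() on the request) instead of appending it to the URL. Note the limit of this approach: a key compiled into the APK can be recovered by anyone who unpacks the app, so it only keeps casual browsers and stray HTML forms out. Deciding which user may see which data needs real authentication (a per-user session or token issued after login), with the server checking that the requested user id belongs to that session rather than trusting the posted value.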