How to work safely on an API + Android?

3

I need to develop an API that will receive the data of a user in json via $ _GET with PHP, which will do the verification of the data and return a true or false value for the Android application.

I am currently using AES encryption to send json via $ _GET, where the API will use the key to decrypt and return the required data, but I believe it is not a very secure system, since any user could access the URL of the API directly from the browser (although you can not use it because you do not have the Key).

I'd like to know how I can improve this system in terms of security.

/ * Obs * /

Currently as my application needs to encrypt the data and send it to the API, so that the inverse happens afterwards, I keep an Encryption Key in a variable inside the APK, which is not really safe because the application can be broken, and with the source code available anyone will have access to the API key.

    
asked by anonymous 17.10.2014 / 19:09

1 answer

2

One of the additional implementations you can use is HTTP authentication, so the user will be prompted to enter a username and password, / em>.

I usually do this using the files .htaccess and .htpasswd .

No .htaccess , which is at the root of your API , has something like this:

AuthType Basic
AuthName "Minha API"
AuthUserFile /path/api/.htpasswd
Require valid-user

And in the .htpasswd file you have the users with access permission. This file you can leave out of your API directory, of course where access is not public. Here has a tool that you can generate this line for the file, but an example would be like this:

paulo:$apr1$BrHTIveu$TfxuDimtsqm/LX6w9GL1f1

That is, only the paulo user is allowed to authenticate with the password "password" by the example above.

On the Android side, you need to add this information to the header of your request. Our form of authentication is BA ( HTTP Basic Authentication ) , so at this point we have:

connection.setRequestProperty("Authorization", "Basic " + authBase64);

Since connection I took as an example an implementation with class HttpURLConnection and authBase64 is the username and password in Base 64 like this: usuario:senha . Example:

String authBase64 = Base64.encodeToString("paulo:senha".getBytes(), Base64.DEFAULT);

It's basically one of the ways you'd have to add one more step of access security to your API .

I hope I have helped.

    
17.10.2014 / 19:57