I have an android application that requires a connection with PHP pages in order to add sensitive data to a database that will affect the application. one can simply find the url where the data is sent to and manipulate it.
I thought about creating a registration based on IMEI, but still able to manipulate it for malicious purposes.
I have also checked OAuth, I didn’t really understand how it works and if it can help in my condition.
What can I do to fully secure my application?
Thanks in advance!
EDIT:
By the way, what I am mostly trying to achieve here is to make sure the requests are being sent from an Android and not from any other device.
There will never be a sure-fire way to be 100% sure of the sender’s identity. The basic principle is “never trust the client”; you have to assume that any message coming from outside could be forged. Generally speaking, your application should be able to accept any kind of request without malfunctioning, validate the data, and reject anything that’s out of order. Eventually, that can go as far as blocking senders that have been trying to send manipulated data.
Trying to make sure of the sender instead of securing the receiving server is not a good practice, and will always leave you vulnerable.
The more fruitful question to ask would be, is there no way have your app validate the incoming data automatically, as opposed to personally by you as you say in your comment? Maybe the community can help you with that aspect if you provide some more detail about what your app is doing.