Home/ Questions/Q 6981303
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T18:08:22+00:00

I have client/server data passing all working correctly. Text, Images, etc. My users create

  • 0

I have client/server data passing all working correctly. Text, Images, etc. My users create blog-type posts on their android device, and upload to my server.. All is done using HTTP Multipart and Input/Output Streams. My issue is – How do I know the client is actually my app and not some script/other hacker app?

I want to avoid abuse scenarios.

  1. Malicious user A creates a PC script that sends the appropriate form data to my server and is able to spam the server, creating 1000s of malicious posts.
  2. Malicious user B creates a simple Android App that sends the appropriate form data to my server and he is able to spam the server.
  3. Malicious user C signs up to my service, Has a valid account and password, and he spams the server using a PC script or Android App.

One idea I have is to force a wait period server side on frequent posts to prevent spam..

But beyond that, how can I check that the person sending data to my server is

  • An android device and
  • Is running my App to send form data and not another.

I want to avoid SSL as I don’t want to register with Verisign, TRUST and go through all of that..

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I finally got it all working, server and client two-way ssl authentication.

    I used the instructions here to setup my own cert authority (ca) http://www.garex.net/apache/

    I followed the commands there to generate my own ca, server and client files..

    The big “GOTCHA” was that in the “create client certificate” section, the garex.net link uses a 1024 size client key. As it turns out, this was throwing the exception java.io.IOException: Wrong version of key store

    To get around the above exception, I had to use only 512 sized keys.. This is done by NOT including the “1024” parameter to the openssl genrsa genkey command..

    Finally I want to add a link to a tool I ended up using instead of Portecle.. I found the keytool gui program here of great help and easier to use than the portecle one – http://www.lazgosoftware.com/kse/index.html

    This issue was a bit of a pain in the butt so I will keep an eye on this thread.. Feel free to reply if you run into any roadblocks..

    • 0