Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I need to make requests to a web service via android application.
The webservice can be designed as needed.
It seems to me that no matter which approach I will choose, someone who wants to hack it, will just need to reverse engineer My android appliaction code (which isn`t very hard) and
could see exactly what I do, wheather I encrypt the data, use hardcoded Password or any other solution for that matter.
Is there a solution which will be 100% secure?
There is no 100% secure, all you can do is make things harder for your attacker. Things you can consider:
Encryption – Passing your requests over encrypted channels will stop
basic sniffing (this can be countered with MITM)
Obfuscation – Make your intent harder to understand when they do decompile your app
The second part to this is mitigation – the ability to notice when your app has been compromised and deal with it. A typical way of handling this is to assign a unique token to each client on first run then pass this as an argument on each call to your service.
This way if somebody decompiles your app and figures out how to call your service you can at least start monitoring where the abusive requests are coming from and also monitor for suspicious behaviour (i.e. multiple requests from the same key in a short period across different IP addresses). From there you can start blocking keys.