I’m building an Android application that needs to communicate with a MySQL database. The application isn’t meant to be published, and I want the application to be the only thing allowed to interface with the web service I’ll create for DB access.
I’ve been thinking how I can secure the system, and this is the idea I’ve come up with. I’d appreciate any feedback or other ideas. Surely there is a method built into Android that I am unaware of.
My thought is to give the web service a GUID. Each time a call is made to one of it’s public methods, the web service matches its GUID with the GUID given to it by the Android application. If the GUIDs do not match, the web service refuses access. In short, my system has a 128-bit password.
If you trust the individual to administrative your database then everything should be fine. The most important change is that all of this communication must be done over HTTPS. If a hacker sees this traffic your database will get hacked.
I would still use a username/password combo to access the system. I recommend using the existing mysql.users table with the MySQL
password()function. This GUID sounds identical to a cookie, and I would seriously consider using an existing session handling system such as php’ssession_start()instead of rolling your own. Re-inventing the wheal is bad, especially when it comes to security.