I’m sending data from an Android app to a PHP script which receives the information and processes it. I’ve found a security issue: if someone discovered the URL (for example: mydomain.com/recievedata.php), anyone would be able to send data to my system.
What’s the ideal method to ensure the client sending the data is the app?
Thanks!
One easy way that I’ve seen some companies do is to include a secret key. For example, you might have a secret=3CH6knCsYmvA2va8GrHk4mf3JqmUctCM parameter to your POST data. Then all you need at the top of receivedata.php is
You can easily generate the random string from random.org.
Of course, this is not the most secure method and that string might well be stored in plaintext in the APK (don’t use this to send launch codes!), but it’s easy and good enough to keep most people out. This might be adequate for, say, sending player scores for a game.
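A shared-secret check of the kind the answer describes, as an added example (not the answerer's code): it fails closed when no secret is configured and compares in constant time. It also goes one step beyond the answer with an HMAC-signed variant, so the secret itself is not sent with each request. The environment variable APP_SHARED_SECRET and the X-Timestamp / X-Signature header names are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Plain shared-secret check for the POST parameter "secret".
function secret_matches(string $expected, $supplied): bool
{
    // Fail closed if the server has no secret configured, and reject
    // non-string input (secret[]=x arrives in $_POST as an array).
    if ($expected === '' || !is_string($supplied)) {
        return false;
    }
    // hash_equals() compares in constant time, unlike == or ===.
    return hash_equals($expected, $supplied);
}

// Stricter variant: the app sends HMAC-SHA256(key, timestamp . "\n" . body)
// instead of the secret, which also limits replay of a captured request.
function signature_matches(string $key, string $body, $ts, $sig, int $now, int $window = 300): bool
{
    if ($key === '' || !is_string($ts) || !is_string($sig)) {
        return false;
    }
    if (preg_match('/^\d{1,12}$/', $ts) !== 1 || abs($now - (int) $ts) > $window) {
        return false; // malformed, stale or future-dated timestamp
    }
    $expected = hash_hmac('sha256', $ts . "\n" . $body, $key);
    return hash_equals($expected, $sig);
}

// Assumed: the secret is kept in the environment, not in the script.
$key = getenv('APP_SHARED_SECRET') ?: '';

if (isset($_SERVER['HTTP_X_SIGNATURE'])) {
    // Signed request (hypothetical header names).
    $ok = signature_matches(
        $key,
        (string) file_get_contents('php://input'),
        $_SERVER['HTTP_X_TIMESTAMP'] ?? null,
        $_SERVER['HTTP_X_SIGNATURE'],
        time()
    );
} else {
    $ok = secret_matches($key, $_POST['secret'] ?? null);
}

if (!$ok) {
    http_response_code(403);
    exit;
}
// ... the rest of receivedata.php processes the request from here ...
```

Either form still depends on a key that ships inside the APK, so the limits stated in the answer apply to both.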