I'm using MySQL with PDO PHP scripts to maintain a user database and a highscore database.
When a user obtains a new highscore in the Android app, I send it to the server:
https://domain.com/phpscript.php?user=username&newhighscore=highscore
In here username and highscore are variables. Every web browser can access this url. If anyone decompiles my app they will know where my database is located and they can fake their highscore. Obfuscation and encryption for the url is probably not an option since they can always be reversed.
Is there any way I can protect these URLs so ONLY my Android app can access these pages, and not just any browser?
If a call to
https://domain.com/phpscript.php?user=username&newhighscore=highscore
is all you need to update the highscore for a user, you are in deep sh*t. You need some sort of authentication – which is what you might mean with “ONLY my Android app can access these pages”. Here are a few ideas:
- On first start of your app call another script to facilitate exchange of some token. Store this token in your app and in your server-sided DB and use it as a verification token, e.g.
  https://domain.com/phpscript.php?user=username&newhighscore=highscore&salt=abc&auth=xyz
  with abc being a random salt and xyz something like hash(encrypt("user=username&newhighscore=highscore", key=token, iv=salt) + salt)
- use the phone ID as part of the authentication scheme
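The token-plus-salt idea from the answer above, as an added example that is not code from the question or the answer: the app-side signing and the server-side check, using HMAC-SHA256 over the query parameters in place of the answer's hash(encrypt(...)) construction. The script URL and field names are taken from the question; the token store is an assumed in-memory dict standing in for the MySQL table, and the replay check on the salt is an addition.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

SIGNED_FIELDS = ("user", "newhighscore", "salt")  # fixed order is part of the contract
SCRIPT_URL = "https://domain.com/phpscript.php"   # from the question


def issue_token() -> str:
    """Per-install secret exchanged on first app start and stored on both sides."""
    return secrets.token_hex(32)


def compute_auth(params: dict, token: str) -> str:
    """Keyed hash over the canonical query string; anyone without the token cannot forge it."""
    message = urlencode([(k, params[k]) for k in SIGNED_FIELDS])
    return hmac.new(token.encode(), message.encode(), hashlib.sha256).hexdigest()


def build_url(user: str, newhighscore: int, token: str, salt: str = "") -> str:
    """App side: attach a fresh random salt and the auth value to the highscore request."""
    params = {"user": user, "newhighscore": str(newhighscore),
              "salt": salt or secrets.token_hex(16)}
    params["auth"] = compute_auth(params, token)
    return SCRIPT_URL + "?" + urlencode(params)


def verify_url(url: str, tokens: dict, seen_salts: set) -> bool:
    """Server side: recompute auth with the stored token; reject forgeries and replays."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if not all(k in params for k in (*SIGNED_FIELDS, "auth")):
        return False
    token = tokens.get(params["user"])          # hypothetical stand-in for the DB lookup
    if token is None:
        return False
    expected = compute_auth(params, token)
    if not hmac.compare_digest(expected, params["auth"]):  # constant-time compare
        return False
    if params["salt"] in seen_salts:             # same signed request submitted again
        return False
    seen_salts.add(params["salt"])
    return True
```

Rejecting the bare `?user=...&newhighscore=...` form is the point: without the per-install token a browser request carries no valid `auth`.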