Secure communication method between smartphone application and API

Asked 1 year ago, Updated 1 year ago, 94 views

I'm developing an Android app that uses Ajax communication at startup: it hits an API on the server, retrieves the JSON output from the API, and processes that information.

The API placed on the server should not be accessible from outside. I'm applying Basic authentication, but how should the app obtain the ID and password required for this authentication? Should I give them to the app?

I heard that an Android app is easy to decode so that the source can be seen, so writing the ID and password directly into it is out of the question, but I don't know how to communicate safely...

Also, this application has no login at all. The communication must happen entirely behind the scenes, completely invisible to the user. So the main premise is that the user is not asked to do anything.

--- Addendum ---

The development environment is Monaca, and the application is built with HTML/JavaScript.
The API will be written in PHP; it retrieves WordPress data, processes it, and returns it.

At this point, the goal regarding "safety" is simply to improve it as much as possible.
The reason is that the API placed on the server this time does not take any input.
It is simple enough: it processes the results of a specific SELECT and returns them as JSON.
Furthermore, we do not handle any personal or confidential information.

Personally, I don't think this is a big problem right now, but since the API is being created anyway, I want to make it as safe as possible for the future. That's my thinking.

javascript android php api

2022-09-30 21:16

3 Answers

As one point of view, I think it is important to include a server-side response that blocks suspicious communication, rather than relying on keeping the contents of the communication confidential.

I'm actually running a web application for business, and if you look at the logs, you'll see a lot of suspicious communication. As you know, if you unzip and decode the .apk, you'll see the source, and even if you obfuscate it with a tool, the strings can't be changed.

I think it would be good to consider server-side measures such as rejecting unnaturally large numbers of requests from the same IP, returning errors when an unexpected API endpoint is hit, and dealing with SQL injection.


2022-09-30 21:16

Basic authentication is simple security in the first place. It can't provide a high level of security.
As long as you keep the ID and password inside the app, they can be viewed by rooting the device.

Consider OAuth authentication.
I think the following is helpful.

Basic Authentication and OAuth - Qiita

Also, since you are going to issue a SELECT statement, I recommend designing the API to prevent SQL injection.

The key to preventing SQL injection is not to assemble SQL statements by hand


2022-09-30 21:16
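The server-side points raised in the two answers above (refuse unexpected requests, reject request floods from one IP, and never build SQL from strings) put together in a minimal PHP endpoint. This is an added example, not code from the question or the answers; the route path `/api/posts`, the APCu-based counter, and the database DSN and credentials are assumptions and placeholders.

```php
<?php
// Added example (not from the original post). Assumptions: PHP with PDO and APCu,
// a WordPress database reachable at the placeholder DSN below, a single route /api/posts.
declare(strict_types=1);

header('Content-Type: application/json; charset=utf-8');

// Anything other than GET /api/posts is unexpected: answer tersely and stop.
$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'GET' || $path !== '/api/posts') {
    http_response_code(404);
    echo json_encode(['error' => 'not found']);
    exit;
}

// Per-IP rate limit: at most $limit requests per $window seconds, counted in APCu.
// With several PHP hosts/workers, use a shared store such as Redis instead.
function rateLimited(string $ip, int $limit = 60, int $window = 60): bool
{
    if (!function_exists('apcu_inc')) {
        return false; // APCu not loaded: limit is skipped (log this in production)
    }
    $key = 'rl:' . $ip;
    apcu_add($key, 0, $window);      // create the counter with a TTL only if it is new
    return apcu_inc($key) > $limit;  // atomic increment, then compare against the limit
}

$ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
if (rateLimited($ip)) {
    http_response_code(429);
    echo json_encode(['error' => 'too many requests']);
    exit;
}

// Placeholder connection values; keep the real ones in config outside the web root.
$pdo = new PDO('mysql:host=localhost;dbname=wordpress;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
]);

// The SQL text is fixed; even the constant filters are bound, so request data can
// never become part of the statement if parameters are added later.
$stmt = $pdo->prepare(
    'SELECT ID, post_title, post_date FROM wp_posts
      WHERE post_status = :status AND post_type = :type
      ORDER BY post_date DESC LIMIT 10'
);
$stmt->execute([':status' => 'publish', ':type' => 'post']);

echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC), JSON_UNESCAPED_UNICODE);
```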

For information on Monaca encryption, see "Technical Information: Encrypt the Monaca app code" and try the Cordova crypto file plugin for reference.

(In addition, if WP-API is used properly with Basic authentication or OAuth for the WordPress data, the possibility of SQL injection may be reduced.)

Regardless of authentication, TLS communication is essential. Still, it may be possible to force a proxy to intercept it, and if you can't combine the ciphers, it would be …


2022-09-30 21:16
