Securing php api to use in android application

You can choose you Authentication for PHP here:

http://pear.php.net/packages.php?catpid=1&catname=Authentication

I think that Basic or Digest Auth (+ https:// SSL with self signed certificate) will be good choose for you Rest-Service (PHP RESTful JSON API).

For Android application I think the best choose for RestClient library is:

http://square.github.io/retrofit/

(I recommend you to keep all source code in one Language only -Java. You can easy create Java Rest Service and add Spring Security Authentication)


The only method to secure your api is making your android request to be unique .Collect more specific data from your app.

1 - Get Android Unique ID -

String UniqueID=Secure.getString(getActivity().getContentResolver(),Secure.ANDROID_ID);

And pass it through your api Eg .

http://192.168.100.9:8000/MobileApp/GET_DATA.php?yourvalue=something&id=UniqueID

In your php, deny access if there is no Android Unique ID(should change with complex variable name).Eg :

if($_REQUEST['UniqueID']=="" || strlen($_REQUEST['UniqueID'])<9){ //do something about abuse }else{ //your code }

2 - Create your own random variable in Android App

Create your own variable to decide to make sure the request comes from your app Eg:

Random r = new Random();
int i1 = r.nextInt(9999 - 1000) + 1000;

And also pass this value via your request and validate when it comes to php .

if($_REQUEST['r']>=1000 && $_REQUEST['r']<=9999){//}

Deny request if not passing or wrong value.

3 - Make sure requests come from Android

I want to recommend to use free best php library http://mobiledetect.net/ Check whether it is from android and write deny function on invalid abuses.

4 - Validate request via User-Agent string in PHP

$agent = $_SERVER['HTTP_USER_AGENT'];
$agent=strtolower($agent);

if (strpos($agent, 'android') !== false) {
$os = 'Android';
}

And deny if not from android in php.

5 - Record the attackers

You need to track if someone is breaking one of your above securities. Currently I am using ip-api.com to track attackers.

you need to write deny function with mysql insert. according to ip-api, you will get

1- Attackers' ip
2- Attackers' geolocation
3- Attackers' ISP

So you can deny them statically.

It is about to safe to use your api from android and almost denied pc requests. But three is a chance to break your app with reverse engineering like dex2jar or ShowJava and grab your simple data structure. As a programmer, above functions and codes are very easy for them and they will get in with fake data inputs.

So you should not write a program with static values, such important link "http://192.168.100.9:8000/MobileApp/GET_DATA.php" as hard coded as in your app. You should split data,simple encrypt and get all of your main urls dynamically as above secured php/mysql api method.

If you covered just like 2 step dynamic system, there is very very few chances to break in your system.
I've one important left to say, if you are using for closed group of users , you should use request->approve system for each user for first time app registration by using their unique ID and easily deny access from the others.


To secure your APIs, you need a mechanism to detect that the request to the api is made from a trusted source. Many frameworks come with this feature by default.

However you can just use JSON Web Tokens (jwt) with PHP to add authorization to your api requests

Learn about token based authentication from this page.

Check out this simple tutorial on how to secure your PHP api endpoints with JWT.

If you need even more security you might want to add OAuth provider service to your API. check out this post on how to write OAuth provider in PHP