There is a mobile application that sends a GET request to the server, where it is processed by PHP, which talks to the database and returns the result as JSON.

I understand what PHP and XSS injection are, but how do I implement protection against bots, so that they cannot, for example, add junk data to the database in large volumes? Is it really worth worrying about bots if there is no web interface in front of the PHP?

  • Possibly useful: stackoverflow.com/q/455204/182771 - Dmitriy Simushev
  • If there is no web interface, then where do you send the request? A captcha is usually used against bots. - Darth
  • @Darth, a web interface is not always needed. The application may use a certain (machine-to-machine) API on the server. - Dmitriy Simushev
  • And isn't an API an interface? That is exactly what I meant by that word in my comment. - Darth

3 answers

This should have been thought about in advance, for example by introducing a token-based authentication system. That is, each application instance goes through authorization, receives an access key and sends it with every request. Without authentication your server is open to everyone, and if you watch and analyze the server's request logs you will see a lot of interesting things, and not only on port 80.

If your application does not deal with finances, it is not so bad. Nowadays DDoS attacks, which in my opinion are harder for a small project to defend against, are more common.

Do not forget about HTTPS when developing mobile applications.

UPD

You can implement this, for example, via a static key, but for that you need to use HTTPS so that nobody can grab it with a simple traffic sniffer.

But a dynamic token is better, for example one obtained when the application is opened. Or issue it for a limited time and re-authorize when it expires. The token can be passed in the headers, or in the request parameters.

  • "This should have been thought about in advance, for example by introducing a token-based authentication system" - How is this implemented? I.e. the application has a key issued by the server, and this key is sent every time in the GET request? - Stas P.
  • @StasP. updated the answer - korytoff
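The token scheme this answer describes, as an added example that is not korytoff's own code: an app instance receives a random token, sends it in the `Authorization` header on every GET, and the server rejects requests whose token is missing, unknown or expired. The hypothetical `$store` array stands in for a database table `(token_hash, app_id, expires_at)`, and how the app proves its identity to `issueToken()` in the first place (device registration, login) is assumed and not shown. Everything else is standard PHP 7.1+.

```php
<?php
declare(strict_types=1);

// Added example, not code from the answer above. Hypothetical assumptions:
// $store replaces a DB table (token_hash, app_id, expires_at), and the caller of
// issueToken() has already authenticated the app instance by some other means.

const TOKEN_TTL = 3600; // seconds a token stays valid before the app must re-authorize

// Issue a fresh random token to an authenticated app instance.
// Only a hash of the token is stored, so a leaked table does not leak live tokens.
function issueToken(array &$store, string $appId, int $now): string
{
    $token = bin2hex(random_bytes(32));            // 256-bit CSPRNG value, 64 hex chars
    $store[hash('sha256', $token)] = ['app_id' => $appId, 'expires_at' => $now + TOKEN_TTL];
    return $token;
}

// Pull the token out of "Authorization: Bearer <hex>"; null if absent or malformed.
function bearerToken(array $headers): ?string
{
    $auth = $headers['Authorization'] ?? '';
    return (is_string($auth) && preg_match('/^Bearer ([0-9a-f]{64})$/', $auth, $m)) ? $m[1] : null;
}

// Look the presented token up; returns the owning app_id, or null if unknown/expired.
function authenticate(array &$store, array $headers, int $now): ?string
{
    $token = bearerToken($headers);
    if ($token === null) {
        return null;
    }
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;                               // never issued, or already revoked
    }
    if ($store[$key]['expires_at'] <= $now) {
        unset($store[$key]);                       // expired: client must re-authorize
        return null;
    }
    return $store[$key]['app_id'];
}

// The GET endpoint: authenticate first, validate input, then answer in JSON.
// Returns [HTTP status, JSON body] so it can be exercised without a web server.
function handleRequest(array &$store, array $headers, array $query, int $now): array
{
    $appId = authenticate($store, $headers, $now);
    if ($appId === null) {
        return [401, json_encode(['error' => 'unauthorized'])];
    }
    $q = $query['q'] ?? '';
    if (!is_string($q) || strlen($q) > 64) {       // validate input even from authenticated apps
        return [400, json_encode(['error' => 'bad query'])];
    }
    // ... the database lookup (with a prepared statement) would go here ...
    return [200, json_encode(['app' => $appId, 'q' => $q])];
}

// Simulated exchange on constructed data, no network: issue, use, misuse, expire.
$store = [];
$now   = time();
$token = issueToken($store, 'app-0042', $now);

[$ok]      = handleRequest($store, ['Authorization' => "Bearer $token"], ['q' => 'news'], $now);
[$missing] = handleRequest($store, [], ['q' => 'news'], $now);
[$guessed] = handleRequest($store, ['Authorization' => 'Bearer ' . str_repeat('0', 64)], ['q' => 'news'], $now);
[$expired] = handleRequest($store, ['Authorization' => "Bearer $token"], ['q' => 'news'], $now + TOKEN_TTL + 1);

echo "valid=$ok missing=$missing guessed=$guessed expired=$expired\n";
```

Two practical notes: the answer allows passing the token in the request parameters, but a GET query string ends up in server access logs, proxy logs and browser/OS history, so the header is the safer of the two options; and none of this helps without HTTPS, since a sniffer on the path would simply read the token out of the header.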

Add statistics. For example, where your application is downloaded from, you record the IP in the database. Then, when the application is launched, it hits a PHP script somewhere; in PHP, check whether that IP is in the database as one that downloaded the application. If the IP is not there, then it is either a bot or someone clumsily poking at you, and for those you can add an IP blacklist. To keep the statistics clean, it is better to filter bots.

  • 1
    Great, and if I have a dynamic IP, then what a fucking life I will have with such an application. Brilliant!) - Alexey Shimansky
  • Well, add blacklists and whitelists of IP masks like 127.0.*.*, or a key in the application - Null

  1. Creating a bot without documentation of your API is very difficult.
  2. If you encrypt the channel between your mobile application and the server, it is not always possible to get the full API.

In such cases I did the following.

  1. On the server and in the application I did "built-in encryption". That is, all data between the application and the server is encrypted on both sides. This helps protect against sniffing.
  2. You can nest your own encryption algorithm inside the SSL (HTTPS) channel. This will protect you from your data being read by the provider.
  3. With each request to the server, if your data goes sequentially, change the session key (token) so that your requests cannot be duplicated. Usually, to cause interference, they make a copy of the packet sent from the mobile to the server and send this packet several times, so the server works on empty data. If you change the key (token) frequently, the second request will not be processed.
  4. Use a digital signature, or hashing, or a CRC (EDS - electronic digital signature). This is done so that nobody can tamper with the integrity of the packet (request). A hash value is computed from the data and appended to the end of the request; the server checks this hash by hashing the sent data itself.
  • When using SSL, point 1 makes no sense at all. - Dmitriy Simushev
  • When using SSL, point 4 makes no sense - Dmitriy Simushev
  • @DmitriySimushev It does have real meaning, since there are already many methods of substituting SSL certificates, for example habrahabr.ru/sandbox/88671 habrahabr.ru/sandbox/88717 - Saidolim
  • 1
    And you can also click "add an exception" in the browser every time a window about a broken certificate pops up. But this does not mean that SSL has suddenly stopped working. If the developer controls both the server and the mobile application, then there is no point in talking about the potential possibility of certificate substitution. In the application you can always check which certificate the server is using and stop interacting at the slightest suspicion - Dmitriy Simushev
  • @DmitriySimushev you are right that if there is SSL, then 1 and 4 can be skipped, but I do not trust SSL 100% anymore, since it too gets broken, securitylab.ru/analytics/365717.php; it is better to protect yourself - Saidolim
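Points 3 and 4 of this answer (per-request freshness so a captured packet cannot be resent, and an integrity check over the request) as an added example that is not Saidolim's own code. One caveat the answer glosses over: a bare hash or CRC appended to the request proves nothing, because whoever alters the request can recompute it; the check has to be keyed, so the example uses an HMAC under a secret shared between the app instance and the server. Replay is stopped with a timestamp window plus a single-use nonce rather than by rotating the token itself. The hypothetical pieces are `$secret` (assumed to be provisioned to the app instance at registration) and `$seenNonces` (standing in for a DB or cache table of nonces with a TTL); the request shapes are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not code from the answer above. Hypothetical assumptions:
// $secret was provisioned to this app instance at registration; $seenNonces
// replaces a DB/cache table of used nonces that expires entries after MAX_SKEW.

const MAX_SKEW = 300; // seconds a request timestamp may differ from server time

// Canonical string both sides sign: method, path, sorted query, timestamp, nonce, body hash.
function canonical(string $method, string $path, array $query, int $ts, string $nonce, string $body): string
{
    ksort($query);
    return implode("\n", [
        strtoupper($method), $path, http_build_query($query), (string)$ts, $nonce, hash('sha256', $body),
    ]);
}

// Client side: produce the three headers that accompany a request.
function signRequest(string $secret, string $method, string $path, array $query, string $body, int $ts): array
{
    $nonce = bin2hex(random_bytes(16));            // fresh per request, 32 hex chars
    $mac   = hash_hmac('sha256', canonical($method, $path, $query, $ts, $nonce, $body), $secret);
    return ['X-Timestamp' => (string)$ts, 'X-Nonce' => $nonce, 'X-Signature' => $mac];
}

// Server side: returns null if the request is genuine and fresh, otherwise a reason.
function verifyRequest(string $secret, array &$seenNonces, string $method, string $path,
                       array $query, string $body, array $headers, int $now): ?string
{
    foreach (['X-Timestamp', 'X-Nonce', 'X-Signature'] as $h) {
        if (!isset($headers[$h]) || !is_string($headers[$h])) {
            return "missing $h";
        }
    }
    if (!ctype_digit($headers['X-Timestamp'])) {
        return 'malformed timestamp';
    }
    $ts = (int)$headers['X-Timestamp'];
    if (abs($now - $ts) > MAX_SKEW) {
        return 'timestamp outside window';         // too old to replay, or clock badly off
    }
    $nonce = $headers['X-Nonce'];
    if (!preg_match('/^[0-9a-f]{32}$/', $nonce)) {
        return 'malformed nonce';
    }
    $expected = hash_hmac('sha256', canonical($method, $path, $query, $ts, $nonce, $body), $secret);
    // Verify the MAC (constant-time) before touching nonce state, so an unauthenticated
    // sender cannot fill the nonce store with junk.
    if (!hash_equals($expected, $headers['X-Signature'])) {
        return 'bad signature';                    // body, path, query, nonce or timestamp altered
    }
    if (isset($seenNonces[$nonce])) {
        return 'replay: nonce already used';
    }
    $seenNonces[$nonce] = $ts;                     // only nonces within MAX_SKEW need to be kept
    return null;
}

// Simulated exchange on constructed data: one genuine GET, then three attacks on it.
$secret = bin2hex(random_bytes(32));
$seen   = [];
$now    = time();
$query  = ['action' => 'add', 'item' => 'news'];
$hdrs   = signRequest($secret, 'GET', '/api.php', $query, '', $now);

$first    = verifyRequest($secret, $seen, 'GET', '/api.php', $query, '', $hdrs, $now);
$replayed = verifyRequest($secret, $seen, 'GET', '/api.php', $query, '', $hdrs, $now + 5);
$tampered = verifyRequest($secret, $seen, 'GET', '/api.php', ['action' => 'add', 'item' => 'spam'], '', $hdrs, $now);
$stale    = verifyRequest($secret, $seen, 'GET', '/api.php', $query, '', $hdrs, $now + 3600);

printf("genuine=%s replayed=%s tampered=%s stale=%s\n",
    $first ?? 'ok', $replayed, $tampered, $stale);
```

The ordering inside `verifyRequest` is deliberate: cheap format checks first, the timestamp window next (which is what lets the nonce store stay small), the MAC before any state change, and the nonce check last. This protects the request from modification and replay on the wire, not from a hostile client: the shared secret lives inside the app binary and can be extracted from it, so this complements HTTPS and server-side validation rather than replacing either, which is also the thrust of the comments above.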