There is an app in which you can enter and write your own review. There is a person who has spied out the links and now sends his feedback through his own program. How can you protect the app and not let it write feedback if we know:

  1. Any code can be decompiled and read line by line.
  2. You can capture the links with Charles, for example.
  3. You can give users a token when they log in, but what is the point if that person also gets access to the login link and will receive this token in his program.
  4. You can compare the SHA1 application signature, but what is the point if he finds out the signature of the APK and inserts it as a string.

How to solve this, how not to give an attacker access to your API?

  • By adding the URL call from C++ you will change absolutely nothing. On the same router you can see what goes where and when. Here you need to go another way: confirmation of a review, or reviews only from authorized users, etc. - lampa

2 answers

Everything in one heap -> several huge topics: Authentication, Encryption, Spam, Reverse Engineering ....

Access to your API is decided by Authentication, by registration; how you make it secure during the registration stages is another matter. But this is a standard practice that is used in many APIs, I don't think that something new needs to be invented.

That is your answer, this is the 3rd item: he received a token and will use it, because he passed your registration; he is a regular user of your API and you identify him. But if he can then write a spam bot and send feedback, or somehow DoS you, that is a gap in the API itself, the servers and so on; that is where you need to look.

  • The bottom line is: how to hide the links from him so that he does not see where the data is being sent? Maybe put them into C++ code and call them from Java? Because I see that C++ does not decompile. How to make it so that a person does not see the data in the URL, use HTTPS? - Nikolay Kolomiytsev
  • In this respect, well, here you are not 100% protected. You can salt the link you call. But ... the whole point is lost when I have a friend at the service provider, well, the Internet provider, as usual, and I can see it. That is why I answered and wrote that the question is very general, it is difficult to give an answer, even the goal you are pursuing is unclear. If you move it into native code, it will complicate the search, but for those who do this it is a classic; it will not be difficult to trace the sequence and pull out the link. - Shwarz Andrei
  • So that the Java is hard to decompile, you need to configure an obfuscator; there were several topics about this. ProGuard on Android does this; there are third-party ones that work well, I don't remember the name now. It seems that even in the Google Console an API for encryption appeared, I did not try it, so I won't lie; look it up on the Internet. Yes, this is a huge topic ... I don't even know how to help you)) - Shwarz Andrei

You cannot be 100% protected,
but you can make life difficult enough that hacking is not worth the ultimate goal. To defeat a MiTM attack you can use HTTPS + certificate pinning.
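The HTTPS + certificate pinning from the answer above, as an added example that is not from the thread: an Android/Java client using OkHttp's CertificatePinner (assumes OkHttp 3.11 or later; the host name and the two `sha256/...` pins are placeholders that must be replaced with your API host and the real SPKI hashes of your server certificate).

```java
import java.io.IOException;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.MediaType;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.RequestBody;
import okhttp3.Response;

public class ReviewApiClient {
    // Placeholders (assumed values): put your real API host here and the real
    // SHA-256 SPKI pins of your certificate, a primary one plus a backup.
    private static final String API_HOST = "api.example.com";
    private static final String PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    private static final String BACKUP_PIN  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";
    private static final MediaType JSON = MediaType.get("application/json; charset=utf-8");

    private final OkHttpClient client;

    public ReviewApiClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PRIMARY_PIN)
                .add(API_HOST, BACKUP_PIN) // backup pin so a key rotation does not lock users out
                .build();
        client = new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    /** Sends a review with the user's token; true only if the pinned TLS
     *  connection was established and the server accepted the request. */
    public boolean postReview(String bearerToken, String reviewJson) {
        Request request = new Request.Builder()
                .url("https://" + API_HOST + "/reviews") // https only: pins are not checked on plain http
                .header("Authorization", "Bearer " + bearerToken)
                .post(RequestBody.create(JSON, reviewJson))
                .build();
        try (Response response = client.newCall(request).execute()) {
            return response.isSuccessful();
        } catch (SSLPeerUnverifiedException e) {
            // The presented chain matched none of the pins: an interception proxy
            // (a Charles-style MiTM) or a misconfigured server. Never retry unpinned.
            return false;
        } catch (IOException e) {
            return false; // network error, not a pin mismatch
        }
    }
}
```

Pinning stops a proxy on the network path from reading or forging the review traffic, but, as the thread notes, it does not stop someone who modifies the APK itself, so the server must still authorize every review by the token rather than trusting the client.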