Home » Php » How to secure PHP JSON api endpoint interacting with an android app?

How to secure PHP JSON api endpoint interacting with an android app?

Posted by: admin February 25, 2020 Leave a comment


If an app is interacting with server api over https using post method ( JSON objects ), then there is a danger of api endpoint getting exposed and anyone accessing the api.
Is there a way to make sure that api is called only from the designated app.

I did some research on the web and came to know of:

a. manual credential checking using POST method

b. using json web tokens ( jwt)

However my question is: both of these methods a) & b) would require some kind of username/passwd passing from client app to server ( everytime in a. and only once in b.). Now this username/passwd would need to be hardcoded in apk and it can be easily obtained by anyone by decompiling it. So then how are these methods secure?

How to&Answers:

I think you’re misunderstanding how json web tokens or bearer tokens work. Why would a username and password ever need to be hardcoded? You’d supply the user with an interface that accepts a username and password.

In option a, you’d store these locally after the user supplied their credentials and clear it when they exit the application or log out. This would not be recommended as that’s what tokens can be used for. Many frameworks already offer support for JWT out of the box.

If using a token, the user still supplies their username and password to authenticate, the server will return a valid authorization token. From that point forward the auth token is passed with each request.


I would somehow use TLS security … with digital certificates … to cryptographically secure the network access to the portal. The app would contain the necessary public certificate, possibly obfuscated, which the server could check to make sure that the access is legitimate. Now, no one can intercept the communications, and they can’t spoof it without somehow first extracting the certificate information from the app, which is probably unlikely. Knowing that the supplicant does possess a copy of the necessary public key should be sufficient authentication.

Although we don’t usually employ it when we use TLS to get to your friendly neighborhood https web-site, modules like mod_ssl do provide a complete TLS implementation including the ability to require and to verify a client-side security certificate, without possession of which the connection attempt will be refused. This might be an ideal situation for that.