
java – Identify whether HTTP requests from Android App or not? and then respond appropriately

Posted by: admin July 12, 2020


My Android App has an App Widget associated with it which is updated every 10 minutes on an Android device. These updates send HTTP requests for data to the servers, parse the server response and update the App as required.

As of now if you ping that URL from the browsers on your laptop or PC the server will respond and update whatever is required in the database on the server.

What I want to do is when the HTTP requests are received at the server, I want to identify if the request came from my Android App from an Android device and then respond with the data. I would like to change the code in the PHPs on the server in a way that they would display or redirect to some page if the HTTP request came from a browser or anything else except for my Android App.

Typical HTTP requests from the Apps are like http://example.com/abc.php?usera=abc&datab=xyz

I don’t want to respond to this URL in the same way if it is coming from anywhere else except from the Android App. Is this possible? What would be a good way to achieve this?

Thanks for your help.

How to & Answers:

You can add a signature to the request and then check it on server-side.

Just take the query and add one secret word at the end, then make an MD5 of it that you can send as a header (or use as a user-agent). And on the server you do the same and check if the checksum is the same.

To make it a bit safer you can make a timestamp so the request only will be valid for a short time.

Make your query look like http://example.com/abc.php?usera=abc&datab=xyz&timestamp=123456789 where timestamp is the current time (in unix time stamp) and add this in your app:

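// Needs java.net.URL, java.math.BigInteger and java.security.MessageDigest.
public static String makeCheck(String url) throws Exception {
    URL u = new URL(url);
    MessageDigest md = MessageDigest.getInstance("MD5");
    // Hash the query string followed by the secret word.
    md.update(u.getQuery().getBytes());
    BigInteger bn = new BigInteger(1, md.digest("A_SECRET_WORD".getBytes()));
    // Zero-pad to 32 hex digits so the value matches PHP's md5() output.
    return String.format("%032x", bn);
}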

And when you need to add the header use something like:

request.addHeader("X-CHECKSUM", makeCheck(url) );

Then on your server you can use:

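// Recompute the checksum over the query string plus the same secret word.
$expected = md5($_SERVER['QUERY_STRING'] . "A_SECRET_WORD");
if ( !hash_equals($expected, $_SERVER['HTTP_X_CHECKSUM'] ?? '') ) {
    // Wrong checksum
}

$timediff = 60; // allowed clock difference in seconds (example value)
if ( $_GET['timestamp']>(time()+$timediff) || $_GET['timestamp']<(time()-$timediff) ) {
    // Bad timestamp
}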

Remember to be a bit slack on the timestamp since your server's clock and the phone's clock can be a bit out of sync.
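
A server-side check for the signed-request scheme in the answer above, as an added example that is not part of the original answer: it swaps the MD5-plus-appended-secret checksum for HMAC-SHA256 and compares in constant time. `verify_request()`, `SHARED_SECRET` and `MAX_SKEW` are hypothetical names, and the sample requests are constructed.

```php
<?php
// Added example, not the answer author's code. The X-CHECKSUM header and the
// timestamp parameter follow the answer; all other names are assumptions.
const SHARED_SECRET = 'A_SECRET_WORD'; // placeholder, same value as in the app
const MAX_SKEW = 300;                  // assumed clock tolerance in seconds

// In a real endpoint, call it as:
// verify_request($_SERVER['QUERY_STRING'], $_SERVER['HTTP_X_CHECKSUM'] ?? null, time())
function verify_request(string $queryString, ?string $checksum, int $now): string
{
    if ($checksum === null) {
        return 'missing checksum';
    }
    // Keyed hash over the exact query string the client sent.
    $expected = hash_hmac('sha256', $queryString, SHARED_SECRET);
    // hash_equals() compares in constant time.
    if (!hash_equals($expected, strtolower($checksum))) {
        return 'wrong checksum';
    }
    // The timestamp is covered by the signature, so check it only afterwards.
    parse_str($queryString, $params);
    $ts = $params['timestamp'] ?? '';
    if (!is_string($ts) || !preg_match('/^\d{1,12}$/', $ts)) {
        return 'bad timestamp';
    }
    if (abs($now - (int) $ts) > MAX_SKEW) {
        return 'stale timestamp';
    }
    return 'ok';
}

// Constructed sample requests, evaluated at a fixed "current" time.
$now   = 1594550000;
$query = 'usera=abc&datab=xyz&timestamp=1594549990';
$old   = 'usera=abc&datab=xyz&timestamp=1594540000';
$good  = hash_hmac('sha256', $query, SHARED_SECRET); // what the app would send

$cases = [
    'valid request'      => [$query, $good],
    'browser, no header' => [$query, null],
    'tampered parameter' => ['usera=eve&datab=xyz&timestamp=1594549990', $good],
    'replayed old query' => [$old, hash_hmac('sha256', $old, SHARED_SECRET)],
];
foreach ($cases as $label => [$q, $sig]) {
    printf("%-20s %s\n", $label, verify_request($q, $sig, $now));
}
```

The app has to compute the same HMAC over the query string it sends. Because the secret ships inside the app package it can be extracted, so this check filters casual browser requests rather than proving that the caller is the app.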


The typical way of doing this is using the User-Agent header in the HTTP request. If the request comes from the standard browser, it will uniquely identify both the hardware and software. For example a Nexus One running Froyo will have the following User-Agent:

Mozilla/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1

However, if you’re using HttpClient to make requests from your app, you can customise the User-Agent header that HttpClient uses as demonstrated in this answer: Android HTTP User Agent.

On the server-side you can use a regex match on the User-Agent header to determine whether a request has originated from your Android app, and send the appropriate response.


When you create the HttpClient in Android you can set the following:

 client.getParams().setParameter(CoreProtocolPNames.USER_AGENT, "MY Android device identifier");

This sets the USER_AGENT for each HTTP request sent to your server. On your server you can retrieve the USER_AGENT to determine that the request came from your Android device.


If the actual request is the same (for instance, you are not able to add a POST or GET variable to actively identify your request), you’d have to rely on other things, like user-agent.

While you can set them according to your wishes in your app (also see @mark_bakker and @mark_allison’s answers), you should be aware that there are ways to mess with this, so don’t use it for stuff you really don’t want other users to see.

  • An Android user could in theory change the user_agent string between the request leaving your app and the request leaving his/her network. So don’t use it for “Android users didn’t pay, so should not see this/that info” applications.
  • The other way around, non-Android users can change their user-agent too, obviously, so if you have content only your paying Android users should see, they might fake the string.

In the end it might be better to just change your request if you can: if you want a different reply, you should do a different request, in my opinion.