All geek questions in one place

How can I make sure that the file comes from the phone to the server without being tampered with?

I want to create an Android application that collects information and then uploads to the server, but I do not want people to be able to edit the file before sending it to the server. I can do the first part, but I can not do the second part. Can someone tell me the best way to do this? I do not mind if the user knows what is in the file, I just do not want them to edit it, and then upload the edited information to the server.

+3
source share
6 answers

You are largely unlucky, as the application is launched by the user, and the result is controlled by the user. The only way that you could take over the user's system so that he could not control would be to use trusted computing with all ethical and philosophical consequences - see, for example. Can you trust your computer? Richard Stallman. The only thing you can hope for is a secure connection between your server and user systems (SSL / TLS), but it is still a user system that you have no control over.

+6
source

The only correct answer here is Zed's.

The rest of the answers are based on security through obscurity .

, (= ), /-/ .

: (, -) (DVD, BluRay, ..), .

, , , .

+4

:

, , ZIP , , :

Zip Java

, , ...

, . , , , , , .

, ( , root-, ).

, HTTP-, "" ( , ) , , ( root, AFAIK), , , :)
, .

+1

, :

  • , .
  • , SSL .
  • , . .

, , .

+1

Android, .

, , , - .

+1

:

  • Check the signature on the server, check if the certificate is a certificate that is allowed.

This will help a little, but you will still have the private key associated with your application ... someone can find it and then sign the modified files ...

Another idea: can you calculate the data or generate it by the user? If he calculated, why not just calculate the data and send it to the server (via SSL) without even writing it to the file system?

+1
source

Source: https://habr.com/ru/post/1795230/

More articles:


All Articles