1

I'm trying to create a security mechanism that only allows my application to upload files to my FTP (username and password login is not enough). To achieve this I was thinking of creating a key that is built in to the app, and before any file can be uploaded to the FTP this key has to be read and verified. If it's correct, then the file can be uploaded.

Is this something that is possible to do, and would this approach be preferred? Does anyone have any pointers on how to do this?

(note: i'm not asking for any code, just some pointers on where to start, since my searches aren't getting my anywhere)

Thanks.

Improve this question
10
  • 1
    Why not just restrict the FTP server to your IP address? Commented Aug 10, 2012 at 13:05
  • Using a special Handshake system would be good. Hard-coding keys into your app is not a good idea. I myself am trying to find a way to secure my proprietary server from being accessed by code copied from my open source client. Commented Aug 10, 2012 at 13:05
  • 1
    @ChristerWilliamPersson OK, that won't work then. Do you mean FTP or HTTP? You can't run PHP on android, and running a PHP driven FTP server sounds like a bad plan. Implementing the app key/handshake system is a lot easier over HTTP than it would be over FTP Commented Aug 10, 2012 at 13:16
  • 1
    Yes, I'm thinking an HTTP POST with a file upload, and a couple of extra form fields can be used to implement some kind of app key setup. Before we go down that road though, you need to think about exactly what this extra auth token system will do, how it will work, how it can be validated on the server side etc. Do you want a hard-coded app key for every instance of your application? Hang on a second this is triggering a memory of another question I answered quite recently, let me dig it out... Commented Aug 10, 2012 at 13:41
  • 1
    Take a look here: stackoverflow.com/questions/11467098/… Commented Aug 10, 2012 at 13:41

2 Answers 2

Reset to default
1

if you are worried about unsecured wi-fi, etc, you can either use SFTP or tunneling over SSH e.g. with connectbot the use of public key crypto will will make sniffing harder.

if this is too much work for the intended userbase, you could generate one time passes (like google authenticator) and upload your file with a POST form or something.

if you are afraid of the key itself getting stolen (compromised device), there is little you can do..

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

There's no point in reproducing an answer from another question verbatim, so I'll just post this link to it.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.