On Friday, November 23, 2012 8:47:38 AM UTC-6, Alexander Hoffmann wrote
>
> The second question is: Should I connect directly to the database with the
> android application or should a create webservices on the server which save
> the data in the database and which I call from the Android application.
>
My database lecturer at university would have said: never ever expose the
raw database, not even to the server application. He was a firm believer in
using only stored procedures for any database interaction in order to:
- Separate concerns (separate data layer from business logic)
- Preserve data consistency (data layer itself makes sure that the data
and any changes to it "make sense". The business logic is not allowed to
mess around with it)
- Only allow as much data access / manipulation as necessary
- Basically set up a database role with read-only rights for the
business logic. That role is also allowed to call these stored procedures
If you allow your Android clients direct access to your database you must
do a hell of a good job of making sure that no misuse is possible:
- SQL injection attacks (could even execute arbitrary code on your
server and hijack it)
- Access to private server-data
- Access to other users' private data
- Vandalism, data corruption
That's really a tough one to cope with properly so do not go for that
option.
To keep things secure and reasonable create a web service that offers a
clean, authenticated, session based interface to your Android client app.
Do not allow direct database access at all.
You do not really need to implement stored procedures even though they can
be really elegant. But make sure for the very least that you use prepared
statements in your SQL queries in order to invoid injection attacks.
If you need password based user authentication then please do not store
plain text passwords. Store "hashed and salted" versions of the passwords
using individual random salts per password. In case there is a data breach
you increase the chances of making the stolen password list useless for an
attacker.
You can find lots of material online for all these buzz words I mentioned.
--
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
