php - Check if http request comes from my android app

Question

I retrieve data from an external server for use with my android application. I would like this data to be only accessible with my app. I use a standard http connection to get the data from apache/php server in json format. I also send some params to the server to retrieve relevant data. Now, what I'm planning to do is:

1. Send the params
2. Send something like md5("someSecretPhrase"+params).
3. Check if the secret phrase is correct on the server side.

Now, the question is - is it a safe approach regarding the reverse engineering? For now I can think of no other possibility to get this data. But if someone is able to decompile my apk, he will be also able to retrieve this "someSecretPhrase" (rather hard to do on the server side) and then access the server, isn't he? Is it a real threat? Is there any other possibility to authenticate my app by the server?

I looked at the forums eg. Identify whether HTTP requests from Android App or not? and then respond appropriately, but they don't explain the decompilation problem.

Answer 1

One of basic rules of security is: you don't trust client data. Ever.

You should consider your app decompiled, all "secret" keys known to attacker, etc.

You can, however, hinder attacker's attempts to forge your requests. Sending (and verifying) checksum of your request is one of methods (your idea of MD5(secret_key + params)).

You could also switch to a binary encrypted protocol. But this requires MUCH more work and quite a different architecture of server.