
When developing a website, you typically validate on both the client and server side (because a user can just inspect the page and change around the HTML/JavaScript).

But when developing an android app, is it at all possible for a user to manipulate the front-end code?

I feel like the answer to this is no, since Java isn't an interpreted language like JavaScript (meaning the user can't see the source code to manipulate it). But at the same time, Java can be decompiled.

I want to be 100% sure that I can do all the validation on the client-side instead of having some duplicate checks on the server-side.

  • a/ yes, you can trust that your front-end validation will be properly executed in the Android app, but b/ no, you can't do the validation only on the client side because 1/ you may some day write another client that does not perform the same validation and 2/ you may face request injections not coming from your app, but directly forged. Commented Jan 22, 2015 at 17:59
  • moreover, you should develop the app and the server separately and test them independently (meaning test the server against various types of wrong input as well) Commented Jan 22, 2015 at 18:01
  • @njzk I totally didn't consider getting requests from outside the app. Wow, that's an eye opener. Looks like I do need a few duplicate checks on both sides then. Thank you! Commented Jan 22, 2015 at 18:13
  • Just to add to this, I realized for some parts of an app it makes sense to put all the validation on the server side, because if you do some checks on the client side, duplicate them on the server side, but later decide you want to change the "rules" for your validation, then people will need to update their devices with the new version of the app, since the client-side code will be out of date. But making changes to the server side doesn't always require an update to the client side. Commented Jan 22, 2015 at 21:56
  • but client-side validation also gives a better UX (no need to wait to know that this field was in fact mandatory) Commented Jan 22, 2015 at 21:58
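The conclusion the comments reach, that the server has to re-run its own checks because a request need not originate from the app at all, as an added example that is not part of the question or the answer: a Python stand-in for the server-side signup handler. It mirrors the email pattern and the password-length rule the answer below applies in the client, and additionally rejects the kinds of request bodies the app's UI could never produce (non-JSON, wrong field types, missing fields, oversized values). The handler function, the field-length limit and the sample requests are constructed for this illustration; nothing here is the page's own server code.

```python
import json
import re

# The same rules the Android client applies. The pattern is the one used in the
# answer below; the server repeats it because the body may be forged rather than
# produced by the app.
EMAIL_RE = re.compile(
    r"^[_A-Za-z0-9+-]+(\.[_A-Za-z0-9-]+)*@"
    r"[A-Za-z0-9-]+(\.[A-Za-z0-9]+)*(\.[A-Za-z]{2,})$"
)
MIN_PASSWORD_LEN = 7    # the client's check is pass.length() > 6
MAX_FIELD_LEN = 254     # constructed limit: the UI caps input, a forged request does not


def validate_signup(body: bytes) -> list:
    """Return the validation errors for a raw signup request body.

    An empty list means the request is acceptable. Every check is made on the
    server copy of the data; nothing about the client is trusted.
    """
    errors = []
    try:
        data = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(data, dict):
        return ["body must be a JSON object"]

    email = data.get("email")
    password = data.get("password")

    # Type checks matter here: the app always sends strings, a forged request may not.
    if not isinstance(email, str):
        errors.append("email missing or not a string")
    elif len(email) > MAX_FIELD_LEN:
        errors.append("email too long")
    elif not EMAIL_RE.fullmatch(email):
        errors.append("email is malformed")

    if not isinstance(password, str):
        errors.append("password missing or not a string")
    elif len(password) < MIN_PASSWORD_LEN:
        errors.append("password too short")
    elif len(password) > MAX_FIELD_LEN:
        errors.append("password too long")

    return errors


def handle_signup(body: bytes) -> tuple:
    """Constructed stand-in for an HTTP endpoint: returns (status, response)."""
    errors = validate_signup(body)
    if errors:
        return 400, {"errors": errors}
    return 201, {"status": "created"}


# Constructed requests. The first is what the app sends once its own checks pass;
# the others are bodies that never pass through the app's UI but can be sent
# directly to the server.
SAMPLE_REQUESTS = {
    "from_app":      b'{"email": "alice@example.com", "password": "correct-horse"}',
    "bad_email":     b'{"email": "not-an-address", "password": "correct-horse"}',
    "wrong_types":   b'{"email": ["alice@example.com"], "password": 1234567}',
    "missing_field": b'{"email": "alice@example.com"}',
    "not_json":      b'email=alice@example.com&password=x',
}


def run_demo() -> dict:
    """Run every sample request through the handler and return name -> status."""
    results = {}
    for name, body in SAMPLE_REQUESTS.items():
        status, resp = handle_signup(body)
        results[name] = status
        print(f"{name:14s} -> {status} {resp}")
    return results


if __name__ == "__main__":
    run_demo()
```

Only the first constructed request is accepted; each of the others fails a check that the client-side code would never have had the chance to run, which is the reason the duplicate server-side checks exist.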

1 Answer

I would recommend validating upon input processing in an Android application, generally in the form button's onClick function.

    import java.util.regex.Matcher;
    import java.util.regex.Pattern;

    import android.app.Activity;
    import android.os.Bundle;
    import android.view.View;
    import android.view.View.OnClickListener;
    import android.widget.EditText;

    public class SignupActivity extends Activity {

        private EditText emailEditText;
        private EditText passEditText;

        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            // layout name assumed for completeness; the answer only names the view ids
            setContentView(R.layout.activity_signup);

            emailEditText = (EditText) findViewById(R.id.editText_email);
            passEditText = (EditText) findViewById(R.id.editText_password);

            findViewById(R.id.btn_signup).setOnClickListener(new OnClickListener() {

                @Override
                public void onClick(View arg0) {

                    final String email = emailEditText.getText().toString();
                    if (!isValidEmail(email)) {
                        emailEditText.setError("Invalid Email");
                    }

                    final String pass = passEditText.getText().toString();
                    if (!isValidPassword(pass)) {
                        passEditText.setError("Invalid Password");
                    }

                }
            });
        }

        // validating the email address against a simple regular expression
        private boolean isValidEmail(String email) {
            String EMAIL_PATTERN = "^[_A-Za-z0-9-\\+]+(\\.[_A-Za-z0-9-]+)*@"
                    + "[A-Za-z0-9-]+(\\.[A-Za-z0-9]+)*(\\.[A-Za-z]{2,})$";

            Pattern pattern = Pattern.compile(EMAIL_PATTERN);
            Matcher matcher = pattern.matcher(email);
            return matcher.matches();
        }

        // validating the password length: it must be longer than 6 characters
        private boolean isValidPassword(String pass) {
            if (pass != null && pass.length() > 6) {
                return true;
            }
            return false;
        }
    }

I have found regular expressions to be the best way to do this.

Front-end code cannot be manipulated in Android, as each application is compiled into an APK (off the device), then installed on the device and run. It may however be possible to modify web traffic going in and out of the device, but that requires a rooted device; simple security strategies like using https and well-made JSON are a way to help prevent this.


3 Comments

So it's not possible for a user to decompile the app and reinstall it on their device? Also, I should have been more specific. I just want to know if validation should be done on the client side and the server side. I wasn't asking for specific source code of where to do it on the client side. I'll edit my question to be more clear.
When I build in Eclipse it uses ProGuard to obfuscate the code. I suppose on a rooted device it is possible for the user to look at your apk and somehow decompile the .class files into Java code, but thanks to ProGuard's byte code obfuscation, the code will be meaningless. HTH.
Of course validation should be done on both the client side and the server side.... Is that all you were asking?
