From my Android app, I am connecting to MongoDB through mLab and seeking some clarifications.
As per mLab documentation it is mentioned to use MongoDB Driver for better security and performance instead of using mLab Data API.
But is it a good practice to connect to MongoDB directly from an Android app using drivers? Which is the better way to connect with the below?
- Mongo DB Drivers
- mLab Data API and consume it through Android App (this API provides only basic functionality)
- Create a Web API and consume it through Android App
Also any other suggestions apart from this?
5 Answers
Answers 1
From the options that are suggested in the question, I believe the 3rd option is the only reasonable one. Discussion below:
- Mongo DB Drivers
Using the mongoDB driver in Android isn't a great idea for several reasons.
According to this StackOverflow answer, the driver isn't compatible with Android out of the box. There is someone that has forked the project on Github and made it compatible with Android, but the project hasn't been updated for over a year.
On a higher level, a database driver isn't a good way to connect to a database over a network you don't have any control over, especially from a mobile device.
It will also be harder (impossible?) to secure the database contents. Every app will have access to all the database. This might be ok if the database doesn't store any private data. Another big security risk is that your app would contain the necessary credentials to connect directly to the database, which could easily be obtained.
Also, this solution would make the Android app dependent on the database internals. Having an API would add flexibility and protect the app.
This is not a complete list, plenty of other reasons not to use a database driver in a mobile app may apply, also depending on what kind of app you are building.
- mLab Data API
I am not very familiar with mLab's Data API. From what I have gathered by reading their documentation it looks like it is just a simple API in case the mongo DB driver can't be used for some reason.
In this case, most of the issues from using the mongoDB driver also apply. The app you distribute will have to contain your API key, and their documentation states:
Your API key will give full access to all data within the databases belonging to your mLab account. If you distribute it to untrusted individuals, they can gain access to your account and your data.
Using this method would tightly couple your app and your database, and would fail to give adequate protection to the data.
- Create a Web API and consume it through Android App
A custom API is the way most apps solve this kind of situation. MongoDB's documentation has several references of existing frameworks to interact with a mongoDB database through HTTP. It is recommendable to use such a framework for robustness, security, and community support.
Developing a custom API will give you a solution better adapted to your application's needs, while retaining a greater degree of flexibility than the other options. It will require some work on the backend side, but it will be able to offer authentication and authorization, which are key to protecting the database and its contents.
If other clients (iOS/web/desktop apps, other servers...) that will use the same database are planned in the future, designing your API will also have many advantages. Developing new clients will be much easier. In this case, the effort spent on making a good API will have been a good investment.
Extra option
Stitch (also cited in another answer) looks like a good solution, unless it never comes out of beta. A lot comes out of the box and it allows some degree of customization and flexibility. Using stitch may help reduce the workload for the backend.
Hope this helps!
Answers 2
I definitely strongly recommend to provide your own Web API / restful API. The benefits are huge. I recommend making your android app completely mongodb agnostic. Behind your own API, you do what you like, you might want to be able to consider moving to another data store solution in the future. You make your application easier to test / mock. What if your mongodb is dead? How do you cache, optimise, error handle, ... As a matter of fact, you will want to implement plenty of your logic onto a server, and not necessarily have all your logic sitting on your android app. How else will you build an iPhone app and then later a web app? There are so many reasons / advantages to not go directly to mongodb.
This question and feedback will give you more advice and details on why to consider a rest API rather than accessing mongodb directly: https://softwareengineering.stackexchange.com/questions/277701/why-do-people-do-rest-apis-instead-of-dbals
As to considering Rest, Crud, or web, I recommend you read the advice given here: What is the advantage of using REST instead of non-REST HTTP?. This will give you information on possibly starting with a Crud API, Vs Rest. I feel that might become your next question to ask.
Answers 3
The simple answer is a BIG NO. You shouldn't connect to MongoDB or any database which would need data inserts. Consider the following points:
- You may store data for multiple users of your app, how do you stop one user from accessing database locally and making a mess of it?
- You will store data for other users also, which should be secured. Giving location and API key to your DB location exposes the data to everyone and you lose any kind of control
- Even if the DB access is read-only based on let's assume some scenario where you have a read-only reference app, still exposing the location of your DB server is a high risk. A hacker may be able to break into the DB and change the complete DB after getting a write access. The DB location should never be exposed
- Not having an API means you will need to code every possible logic in each of your apps. If you maintain an iOS app in future and Android too, then you have a problem with writing logic in both and keeping both of them updated on a user's phone. This again is a BIG NO, as you need to force the user to update the app for something which could have been easily done on the server side
In the end it shouldn't matter whether drivers are available for you to connect to MongoDB or any other for that sake, this is not the way you design apps. Go design a secured API for your users, instead of exposing them to risk using such bad practices.
PS: If you are building an app that only you will use, you can then look at using it. And then why use MongoDB? Just use SQLite and keep all the data with the app itself
Answers 4
Try Stitch. It's still in beta and currently you can use it only on Atlas, but in some days you can use it locally also. Please go through the link https://www.mongodb.com/cloud/stitch
Answers 5
Connecting to your DB instance from a mobile app is a BIG NO. Anyone can reverse engineer your app, and your DB instance is open for attacks and data breach. It's scary!!
Write a simple CRUD web service in the language of your choice, and use it in your app to access the DB. Do add some auth logic to your service.
There are plenty of web service frameworks which will do the work for you.
No doubt, Option 3 is THE way to go...
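The pattern that Answers 1, 3 and 5 recommend, as an added example that is not part of any answer: the app holds only a short-lived per-user token, while the signing secret and database access stay on the server, which decides whose documents a request may see. `SERVER_SECRET`, `NOTES`, the function names and the `GET /notes` endpoint are hypothetical; the HMAC-signed token stands in for whatever authentication scheme the API uses, and the in-memory list stands in for a MongoDB collection.

```python
import base64, hashlib, hmac, json, time

# Assumption: this secret lives only on the API server, never in the APK.
SERVER_SECRET = b"constructed-demo-secret"

# Constructed in-memory stand-in for a MongoDB collection.
NOTES = [
    {"_id": 1, "owner": "alice", "text": "alice's note"},
    {"_id": 2, "owner": "bob", "text": "bob's note"},
]

def issue_token(user, ttl=300, now=None):
    """Issued by the server after login; the app stores only this token."""
    claims = {"sub": user, "exp": int((now or time.time()) + ttl)}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def verify_token(token, now=None):
    """Return the user id, or None if the token is malformed, forged or expired."""
    try:
        body, sig = token.rsplit(".", 1)
        expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, AttributeError):
        return None
    if claims.get("exp", 0) < (now or time.time()):
        return None
    return claims.get("sub")

def list_notes(token, client_filter=None):
    """Handler body for a hypothetical GET /notes endpoint."""
    user = verify_token(token)
    if user is None:
        return 401, []
    # Only whitelisted string fields are accepted from the client.
    safe = {k: v for k, v in (client_filter or {}).items()
            if k in {"text"} and isinstance(v, str)}
    # The owner is taken from the verified token, never from the request.
    query = {**safe, "owner": user}
    rows = [d for d in NOTES if all(d.get(k) == v for k, v in query.items())]
    return 200, rows
```

A real service would pass `query` to the database driver on the server side; the property to preserve is that `owner` is always set from the verified token.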