I have an app, that on the first start generates a random user id and password to set up an account on my server and store them in the shared preferences.
I am looking for a way to write this data into the cloud so that if the user installs the app on a second device it will retrieve this account data and use them on the second device as well.
On iOS, this is a trivial task but I am still trying to figure out how to achieve this on Android. I tried an approach with Firestore, but it seems to be able to write to the Firebase database, the user has to log in with Firebase. I assumed being logged in to a Google Account on the device would do this, but I still get invalid permissions back when writing data.
I do not want to force the user to a separate login.
Any ideas on how to approach this task? Is it possible on Android at all?
I have an app, that on first start generates a random user ID and password to set up an account on my server and store them in the shared preferences.
If you have your own server where you authenticate the users, and you also want to authenticate to Firebase, then I recommend you check:
Custom Authentication System
I am looking for a way to write this data into the cloud so that if the user installs the app on a second device it will retrieve this account data and use them on the second device as well.
You just should never simply store the credentials in Firestore. Storing passwords in cleartext is one of the worst security risks you can inflict on your users. You should either use authentication with your custom system or use one of the existing providers, like Google, Facebook, etc.
I tried an approach with Firestore, but it seems to be able to write to the database, the user has to log in with Firebase.
It's recommended to authenticate the user in Firebase before reading/writing data from/to Firestore because you can secure your database using Firestore Security Rules.
P.S. Don't store data in ShartedPreferences because this type of data is stored locally and doesn't persist application uninstalls.
Related
We have apps developed for both Android and iOS which interacts with devices via BLE and uses a Spring boot backend server in which they have registered and logged in. They can log in with the same account on either Android or iOS (obviously). During the interaction we can get codes that the user may need in the future. To handle that we currently do this:
Android: Encourage the user to write the code down. Use the users login information (username/password) to generate a symmetric key which is used to encrypt data which is then sent to and stored in our server. That way, only the user can retrieve it and decrypt it. Drawbacks would be the way we generate the key in itself and the obvious fact that a user that has forgotten password/changed password cannot decrypt the data anymore.
iOS: Encourage the user to write the code down. Then store it in KeyChain with the kSecAttrSynchronizable attribute so it can sync to iCloud KeyChain. That way the user should be able to get it on any other iOS device. Obvious drawback is that if the user chooses to switch to Android then the code cannot be retrieved there.
Is there anyway we can store sensitive user app data for both platforms? We could store it in our server but since we want the users to encrypt it themselves (so we can't see the content of the data) we need some unified way. There is no magic Spring boot feature to store "encrypted user data" for a specific user which only that user can retreive?
Have thought about using Google Drive and store it in the hidden app folder. But I'm guessing that wont work with an iOS app that uses the Google Drive SDK?
EDIT
Just to exemplify:
A user buys the device and connects it to its Android app. The user then changes the reset code of the device which is what would be needed if the device was ever "factory reset" (of course not factory, but cleared). When that is done we encourage the user to write this code down/remember it. Then lets say the the user loses the Android phone and buys an iPhone. He logs in to the exact same account but now might need to reset the device in order to start using it again. If that code could have been stored somehow using the account (or using the users google account or anything) then he wouldn't have to remember it.
I have been trying to implement a login screen that takes a username and password.
Once the user has logged in once I want him to have the ability to login with the device owner's fingerprint.
I was wondering what would be the correct way of handling this login.
I could encrypt the username and password and save those to shared preferences and once a fingerprint that is authorized is entered I will insert the decrypted username and password (I am looking for a solution like ios keychain).
Should I go with this approach or there is a programmatic way to get the names and passwords.
I have already used a library which verifies if the fingerprint is recognized you can see it here:
https://proandroiddev.com/5-steps-to-implement-biometric-authentication-in-android-dbeb825aeee8
https://github.com/anitaa1990/Biometric-Auth-Sample
There are many way to create an authentication app. Using SharedPreference is also a way to create such apps. But, one limit of SharedPreference is it can only storage data in limited
memory space and data is offline (data is stored in local machine and can be lost if you uninstall app). There are many online library for online authentication, if you are learning or developing a small app then I recommend you to use Firebase Authentication. It can help you create user account, authenticate user by mail, phone number,...and also link to real time database, storage on cloud and many other services (if you need). Please refer following link to get more information about firebase!
https://firebase.google.com/docs/?authuser=0
I have an app that uses SQLite to store the users' data (stats and such). The app doesn't require users to sign up or log in. I would like to add the capability for cloud syncing of data to the app, so Cloud Firestore sounds like a great fit. However I don't want to force users to sign up or log in if they don't want to use cloud syncing features.
Is there some clever way to use Firestore locally without having to log in users? That way I could convert the SQLite data to non-relational format once and have one place where the data is stored. Otherwise I'd have to maintain and update two databases - one for users who don't want to sign up/log in, and another for those that do.
Cloud Firestore doesn't require users to sign in. You can easily use Firestore without having the users sign in. I do this all the time, since data in my apps is often simply shared between all users without any sense of ownership.
However: finding a user's data in a cloud-hosted database requires that you're able to identify the user. If you already have a way to identify them, then you can continue to use that identification with Firestore.
If you don't currently have a way to identify users, I recommend looking at Firebase's anonymous authentication. This is a completely transparent, non-interactive way to add a user identification token.
I am developing an Android application using Google's Firebase for the backend. I have been running through some tutorials, and they make the user sign in with their Gmail before using the app in order to read and write from the database (correct me if I'm wrong). I don't want this to be the case for the purpose of privacy and not allowing users to read and write data, so how would I not make the users authenticate with their Gmail, and instead for all reads and writes, use a general gmail specific to the app?
If I don't manually add each gmail account to the firebase console directly as either an editor or owner, then users cannot log into the app. I have been following Google's firebase tutorials found here: https://firebase.google.com/docs/auth/android/google-signin
Thanks
What you're describing sounds like Firebase anonymous authentication. Users can use an anonymous account to read and write as if they are fully authenticated, without having to go through any login process. Then, if you want, you can later give them the option to link that account to a fully identified authenticated account from an authentication provider, such as Google.
Note that anonymous accounts don't survive application uninstall, and they can't be used by the same person across different devices. If you want the user to be able to log in and out and retain use of the data your store on their behalf, you need to use an authentication provider to verify that the person is who they say they are.
I'm suppose to develop a new option for our Android app that allows new users to sign in with their Google account. We need to retrieve basic user info (First name, Last name, Date of birth, Email, Country etc.) and store them on server. It should happen only the first time user logs in to the app so the next time all the button is doing is simple authentication to access the member's area.
Currently, our app prompt for permission using oauth2 and AccountManager and can retrieve the user info through oauth2 api. I would like to do the same thing on our server instead.
So to sum it up here is the flow I'm thinking about:
User chooses to sign in with Google
If he hasn't authorized the app yet, request permission to access his info; retrieve and store them on the server and log in. If he has already authorize the app, simply log in.
We still need a local copy of user info on his android device though so he can view his own profile.
Note: The reason I'm thinking of doing the data import process on our server is to speed up the app and save some bandwidth. but I also feel that user might want to modify his data before they get saved to the server.
I'm really confused and the oauth2 documentation doesn't help much.
I donĀ“t understand the problem. Sorry.
Just retrieve information about the customer from the OAuth api, send the information through HTTP/HTTPS post request to the server, save it there. Then save the same information in the SQLite database in phone and after first time when the app launches just check the user table in SQLite for if the customer exists.
Here is an awesome example: http://www.androidhive.info/2012/01/android-login-and-registration-with-php-mysql-and-sqlite/
In order to do this, you need to follow the documentation for Cross-Platform single sign-on and Cross-client Auth from Google. In essence, your flow should be:
Check to see if the user is authenticated (probably best as a POST to your remote system), if so, continue to your main activity. If not, show the sign on button.
Once the user clicks sign-on, connect the GoogleApiClient, retrieve the current person, save their information on the device (if needed).
Request an auth token for the user via GoogleAuthUtil.getToken.
Send the token to your web server (must be https). On your web server, retrieve the user's information from the token, and save it to the database.
Also, I suggest you use a persistent cookie store for your requests (I prefer loop4j's Android Async-HttpClient). This will allow you to save the session easily, so you do not have to authenticate too often.