I have an android and iPhone app, and the apps are getting data
from my website based on some conditions they select on the app.
I created a secured url that is not open to the public (can't be find on our website) and using a hash code that I thought was secure enough. Something like the following
http://test.com/data/get_data.php?key=akl;sd8234
The extra conditions they select in the app will be append as query parameters to the same url.
Base on the condition, the php file will then out data in json format.
However, I discovered recently someone else create the exact same app and actually getting data from my server, and from the secret url that I created. The reason I know is because I change something on that secret get_data.php page and it reflected on their app.
I don't know who they get a hold to my url, is there a way to create a more secure way to pass the data from my web server to the app so others can't steal my data?
You should create an API with Basic Auth or OAuth. You can't rely on your URL because it can be caught in logs.
Check this course out
In addition to shayegh's answer, you need to understand that every endpoint that you access within your application is public by nature. Everyone can access your server's endpoint just as well as your mobile application (created by you) can. However, you can make your server's endpoint protected by adding authorization requirements on your endpoint.
Authorization
There are many authorization protocols out there, OAuth, OAuth2.0, Basic Auth (credentials like email and password), etc. All of these are just ways to grant anyone access to resources in your endpoint. Think of it as a lock on your home door, only someone with a key can go into your house and make a mess.
Please keep in mind that this is a very simplified version of what authorization protocols actually look like, how it actually secures the distribution of access keys/tokens, etc.
Additional questions and answers
I tried to generate log files from my android phone, and I can't seem to find the .php file from the log files. Is that possible for someone to decode the android app or the iphone app so that they can view my source code?
Answer: I would always assume that everything that is happening on client's side (mobile app, WebApp's front end, etc) is beyond my control. That means anyone can access, read, tweak my client applications. With that said, I would assume that it is indeed possible for someone to unravel your android / iPhone app (get the source code) to get your client side keys.
How would this (OAuth/basic) help? Surely the person creating the other app would just add the OAuth/basic auth as well, wouldn't they?
In order for that other person to access the protected endpoint they would need to have access to your access tokens of the original app. On top of that, they would need to do it fast because usually access tokens only lasts for a short period of time.
Will using Basic Auth or OAuth key works if they are able to see my code?
Yes and no, depending on your implementation, attackers might be able to unravel your app and somehow fetch user's credentials or tokens from bad practices.
Related
I'm developing a django web-project and I'm going to develop its IOS and Android API.
Is there a way to avoid using hardcoded url addresses in the app code?Something like django url name system
The following problem faces me if there isn't any solution to my question:
If I want to change some of my urls, I should change the app code and also all the previous installed apps on peoples' devices won't work and should be updated.
The way I see it, you probably have two options:
a) Code very generic forwarding links into your app, such as:
http://www.example.com?linkid=1
http://www.example.com?linkid=2
You can then, from your side, forward these on to where you need them to go by using the query string ID number.
b) Write a web service to push updated URLs to your app, maybe on load so you're not polling the service all the time.
How often are the URLs likely to change?
So, I am trying to use GroupMe's API. The issue is that I don't really know how to get the users access_token once I send them to the site to login. I don't really know how to create a callback or how to use it. So to sum it up
I need to send users to this site
https://oauth.groupme.com/oauth/authorize?client_id=CLIENT_ID,
then they login and groupme sends them to here
https://YOUR_CALLBACK_URL/?access_token=ACCESS_TOKEN.
But I don't know how/where to create a callback url. Then I don't know how to send that access_token back to the app.
Thanks.
A callback URL is simply a url exposed by your app that groupme can redirect users to. The page can be anything, however, oftentimes it takes the user back to your app if it is a webapp, or tells the user to close the page.
The important part is that the url is one that the app controls, so that it can get the contents of the url that contain the token and other data.
If you are writing a web app, then the framework or language should a method or variable you can call or read to get the url. If you are writing a desktop/moble app, one way of creating a callback url is to listen on a tcp port and speak http to the browser. Another way is using a lightweight web server library, or use a lightweight external server like lighthttp and communicate using cgi/fastcgi. All that matters is that you can get the url that groupme se,t the user to.
If you need anymore help, you are using Oauth2 so search for help with that. Nothing that you asked about here is specfic to groupme, so you should be able to use any OAuth2 library.
i want to develop an authentication web service, which can be used in an android app to login and have access to other services. So basicaly i'm sending credentials over HTTP requests and granting access to the user if everything is good. I need to secure those credentials so they cannot be intercepted by an unwanted user.
I'm using eclipse with Tomcat 7, Jersey for my rest webservices, spring and hibernate.
My webservice goes something like this
#GET
#Path("/login/{id}/{pass}")
#Produces(MediaType.TEXT_HTML)
public String login(#PathParam("id") int id,#PathParam("pass") String pass) {
String res="Null parameters";
if(id!=0 && !pass.isEmpty())
{
try {
User user = service.getOne(id);
if(user.getPass().equals(pass))
res="Success";
else
res="Fail";
}
catch (Exception e) {
res="User not found";
}
}
return "<html> " + "<title>" + "Result" + "</title>"
+ "<body><h1>" + res + "</body></h1>" + "</html> ";
}
I'm using it to test with the browser, i didn't start coding the client yet.
I'm really scratching my head here, i've been looking around the web, some are talking about OAuth 2.0 and others about HMAC, and i don't know which one to use, and if there is another methode please let me know.
If you know a helpful tutorial about how to implement security to my project it would be great, any other suggestions are welcome. Many thanks
It really depends on the level of security you need, for your application.
There are a lot of complicated security systems, but for most applications these are quite overkill.
If you're simply looking for some basic protection of passwords, without dealing with payments or really sensitive data you could do the following simple things.
If you can, move your service to work through https. All data will get automatically protected by that already.
Hash the password. A lot of languages have build-in support already for simple hashing such as MD5 and SHA1, if not you can google their implementation, they are often used.
This means that not even you as admin know the real password. You simply save the hashed pass in your database, and compare hashes.
In your client-side, add a salt to your hashing. Probably if you google step 2, this will already be in there but otherwise it simply means that you do something like hash("132rjfASDF!"+password"+vnsadfr1!Z"); to make it even more random.
These simple steps can be achieved pretty easily and fast, and will provide your service all the security it needs most of the times.
If you're really dealing with things such as payments and sensitive data, you should look into more serious solutions.
ps. Don't think that using 'post' instead of 'get' is any kind of security and it really doesn't matter which you use for this, from an Android point of view. People will have to use a program to fetch network connections anyway to see the link come by (per example WireShark) and in that reading GET parameters is just as easy as reading POST parameters.
There's a fair bit of confusion in some of the above answers, and indeed the question itself. Some notes:
First off, REST is meant to be stateless. As such you should not have a 'login' function that sets some sort of server-side flag but instead should pass credentials with each and every request
Handling the credentials should be done in Jersey in a filter rather than in the individual resource methods. There are various examples on Stack Overflow that show this
If you are storing passwords on your server then use BCrypt to hash them. Bcrypt allows you to dial up the time taken to calculate a hash, so gives some measure of future-proofing against Moore's law
You should use HTTPS for all communications. It gives you another layer of security and protection for cheap (programming-effort-wise, anyway)
If you want to protect the information in your request against tampering then you should look at something like Hawk. This gives you the ability to protect your request headers and body against tampering, and can also work as an authentication mechanism as well
There is a lot more to securing your REST endpoints properly, but if you follow the above you'll have hit the major points.
usually username and password are sent thorough post request which hides it from user.. which is good incase some one standing over your shoulder and if they could see the url then they could see your username and password... other than that use SSL on server side..
I don't want to publish my app on Android Market, but i would create a license key from my website based on the MAC address of the user device. It should include also expiration date.
Once the user enters the code in the android device it should be recognised.
I've read that it can be done by using custom public encryption. In this scenario i should implement:
A function in my application that takes the MAC address of the
device and shows a string to the user.
A function on my website that owns the private key and cipher the string at point 1. and adds expiration date
A function in my application that decipher the string at point 2. using the puplic key and validates the license key.
I've read many discussions on stackoverflow and other sites but nothing applicable... or it is not clear how to apply in my scenario :(
Can you provide me e way to solve this problem? is there something that is android native that i'm missing (i hope) ?
Many thanks!
Marco
I see nothing really difficult to implement your intents:
Your licensing server must have its own private and public key pairs.
Then you have to create private key in your application during 1st run/install. It can be done just randomly
Then you have to interchange between your application and server with public keys
During buying/licensing procedure your application should encrypt MAC address or other (gmail id, IMEI code whatever) send to server - server stores key
In order to check validity of license application sends to server cipher of MAC - server checks it against stored in database
If you don't know how to implement private/public keys stuff - read manuals, there're a lot of implementations of Diffie-Hellman's procedure - it's easy and nothing special there
I was looking to implement licensing on apps that are not distributed through Play and came across this:
https://code.google.com/p/droidactivator/
Maybe it will help you too?
In my Android application, the user can submit content to the database which can then be seen by all the other users as well.
This new content is sent to the server via GET request:
http://www.example.org/API.php?newContent=helloWorld
The problem is: If a user finds out what this URL looks like, he could easily sent malicious requests in his browser and circumvent the Android application. Maybe one could decompile the app and find out about the URL.
How can I protect access to this URL and prevent users from accessing this API directly?
Is it a good solution to generate a hash in the application and compare it with a hash generated in the API.php file on the server?
Couldn't one find out how the hash is generated when decompiling the application?
Thank you very much in advance!
So the only way to truly protect that URL is by requiring all requests to it be authenticated.
One way to do this is change your request to a POST request and send along some sort of auth token (a simple hash will do) with the request. If the auth token isn't present, simply don't respond to the request. The hash would be something you'd hardcode into both the client and server.
Now the question is how to hide your auth token. As long as you're not open sourcing your code, the only way for someone to get at it would be to decompile your program as you mentioned. To guard against this you might want to look into using proguard (http://developer.android.com/guide/developing/tools/proguard.html).
Something to keep in mind is that this method contains a single point of failure. If your auth token is ever exposed, you're done for (e.g. the HD DVD AACS cryptographic key debacle).
One other way to authenticate is on a per-user basis. As long as a valid user is making a request, you shouldn't really care whether or not the request is coming from the web browser or android app. I think this is a much better way of doing things. By doing this, you can throttle requests on a per-user basis. This however requires you to manage user profiles and the whole can of worm that comes along with it.
All that said, at the end of the day though you shouldn't really care if somebody knows the url to a portion of your API. I don't know your particular use case, but there's got to be a way to design your API so that you don't care how you're getting your requests. Also, if your doing a true GET, then you shouldn't be changing anything on the server. This means that all the 'malicious person' can do is get data off of it. This severely limits the damage they can do. In fact, unless you have sensitive data that you don't want certain people to look at, you don't really have a problem at all. If you do, then you should really think about my per-user authentication solution.
Don't trust the client for validation. This is true if its javascript in a web-browser or even some locked down platform like the Iphone.
If the app can make the API calls, then clearly everything needed to make those calls is on the phone ( secret, hash function, API key, whatever), then someone can always dump the phones storage and get all that data. They can then make whatever request they want.
What you want to do is authenticate the user and then validate the input on the server side.
Use SSL (HTTPS) for your data transfers. The exchange is encrypted before any data is sent, so anyone listening in won't be able to see either the URL or data that is sent to the server. To verify this for yourself, install Wireshark on your dev system and load the URL into a browser. You'll not see any data in the clear (either the URL or the data that is sent via either GET or POST).
You could use a somewhat confusing java method to obfuscate every letter of the URL. So kind of creating your own dictionary in a way which could make the URL possibly appear as 123.3*15*13 or something like that if someone did decompile the APK, they would have no idea. And on that note, you would ideally use Proguard to obfuscate it, so your obfuscation would make no sense to someone trying to reverse engineer.
You could make a short java method like this:
public String confuseString() {
Stringbuilder sb = new StringBuilder();
//your real URL would be abc.com, but in the app you have myURL = 123.3*15*13
//With what I'm saying the * would precede a 2 digit number that represents 1 letter
for (int i = 0; i < stringLength; i++){
String letter = myURL.charAt(i);
if (letter.equals("1"){
letter = a;
sb.append(letter);
} // you would go one to code each character into a letter
}
}
There would be several more if statements of course, but it would allow you to obfuscate your url without making any server side changes. And if you use Proguard, then that entire method that you create would make absolutely no sense to someone trying to reverse engineer.
You could of course make your obfuscation much more complicated than what I suggested, but it's an idea anyway.
Basically you'd be encrypting the URL in a very confusing fashion.
Here is an answer which may be a better method of encryption or at least give additional encryption:
Java - encrypt / decrypt user name and password from a configuration file