I got my Android Application to successfully pull the user's profile via Google People API to get the Person object. I am also successful in grabbing the user's birthday and gender from that object. Though after testing with my own Gmail and switching my account's gender and/or birthday to private, I was getting no response back from the API calls.
I am wondering if there is any way to be able to pull this information even if the user sets it to private? If I do a verification submission to Google of my application with the request scope of https://www.googleapis.com/auth/userinfo.profile to get the user's profile, will there be an option to request to be able to read private data as well if it gets approved? Or am I out of luck getting the privately set data for the user? (This is mainly just to help the user not have to worry about additional screens for entering in data).
You can get it by requesting non-public profile scopes.
More information here: https://developers.google.com/people/v1/how-tos/authorizing#profile-scopes
I need to fill in the data safety form in the Google Play Console. I have a few doubts.
Name and email
Usually on Android phones, the user logs in with a Gmail ID before starting to use the phone. This Gmail ID can be requested by the app through something like a permissions alert dialog. Now my doubt is, I am getting the user's email ID not like this but as a form submission. The user types his email ID. Now what should I mention in the data safety form? Should I mention it as collecting or not collecting?
Location
Another similar doubt. I am not getting location using permissions. But the user types his zip code/pincode when adding his address. Should I mention it as collecting or not collecting?
Thank you in advance. If anyone needs more details, mention in comments and I will add it.
I think you can state both as collecting.
According to User Data
You must be transparent in how you handle user data (e.g., information collected from or about a user, including device information)
is going to be as data collection about the user.
I am working with Cloud Firestore and I came to the question on the top. I will give you an example.
The user installs the app and logs in with Google. I save the log-in information in the device storage so the user does not have to log in every time. It is also stored in Firestore with a generated ID.
The user plays with the app and one day uninstalls it. This erases the log-in information in the async storage, losing the generated ID that granted him access to the app.
One day he decides to install it again, let's say in another device to make it harder. He had various information in his profile or maybe an active payment plan he forgot to delete and he wants to do it now. He clicks on google log in since it was how he did it, but now the profile information is gone because another account was created with another generated ID.
How to avoid this? I want the app to remember the user account in some way. The user account would be stored in my Firestore.
According to the docs:
For Android and iOS, offline persistence is enabled by default.
Meaning that by default, Firestore creates a local copy of the database on the client's device.
User installs app and logs in with Google.
So I assume you have already implemented Firebase authentication with Google.
It is also stored in Firestore with a generated ID.
Without seeing that "generated ID", it's hard to say if it's the correct ID or not. The idea behind this authentication is to sign-in your users with Firebase, no matter what the provider is. Furthermore, if you want to save user data in Firestore, store it into a document whose id is the user ID that comes from the authentication process. In this way, doesn't matter what the provider is, you'll always store the data under a document whose key will never change.
User plays with the app and one day uninstalls it. This erases the log-in information in the async storage, losing the generated ID that granted him access to the app.
It's true that if the user uninstalls the app, all the cache is wiped out from the storage, including the log-in information. That being said, bear in mind that you should never store such information on the disk. When using Firebase authentication, there is no log-in information that needs to be stored. If you haven't implemented it yet, I recommend you start with the docs.
One day he decides to install it again, let's say in another device to make it harder. He had various information in his profile or maybe an active payment plan he forgot to delete and he wants to do it now. He clicks on google log in since it was how he did it, but now the profile information is gone because another account was created with another generated ID.
This is only happening if you are using a type of ID other than the one explained above. If you had used the ID that comes from the authentication process, the second time the user tries to sign in, even if using a different device, he'll be recognized as the same user with the same data. In this way, the user will be able to access the same document with the same data and recreate the local cache.
I'm not sure which framework you are working in to create the app, but the Firebase SDK has sign in along with create user with email & password. Needed data could be saved to the user's document on Firestore.
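An added example of the approach in the answer above (not the answerer's code): the profile document is keyed by the Firebase Auth UID, so a reinstall or a second device resolves to the same document. The class name `UserProfileStore` and the `users` collection are assumptions, and the code expects the firebase-auth and firebase-firestore Android SDKs in the project.

```java
import com.google.android.gms.tasks.Task;
import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseUser;
import com.google.firebase.firestore.DocumentReference;
import com.google.firebase.firestore.DocumentSnapshot;
import com.google.firebase.firestore.FirebaseFirestore;
import com.google.firebase.firestore.SetOptions;

import java.util.Map;

/** Hypothetical helper: exactly one profile document per Firebase Auth user. */
public final class UserProfileStore {
    // Assumed collection name; not from the original post.
    private static final String USERS = "users";

    /** Document keyed by the Auth UID, which is identical on every device. */
    private static DocumentReference profileDoc() {
        FirebaseUser user = FirebaseAuth.getInstance().getCurrentUser();
        if (user == null) {
            // No locally generated fallback ID: that is what caused the duplicate account.
            throw new IllegalStateException("Sign in before touching the profile");
        }
        return FirebaseFirestore.getInstance().collection(USERS).document(user.getUid());
    }

    /** Merge so that fields absent from this map keep their stored values. */
    public static Task<Void> saveProfile(Map<String, Object> fields) {
        return profileDoc().set(fields, SetOptions.merge());
    }

    /** After a reinstall this returns the data written from the old device. */
    public static Task<DocumentSnapshot> loadProfile() {
        return profileDoc().get();
    }
}
```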
I'm developing an Android application for the first time (no prior experience with coding....). Mainly the app is going to be used at work as a tool for service technicians. The app is almost ready for field testing, but there is one thing I need the app to do before that. I need the app to force the user to log in every time it's opened. This is because some of the info on the app is confidential, and only people that currently work for the company are allowed to have this info. With Firebase I can then block the users that leave the company, or users that are not verified. Currently the users sign in with Google and they stay signed in until they clear the app data or delete it.
I have looked far and wide for the answer to this, but I have only come across different uses of timers.
If anyone has a better solution to this "safety" issue, I'm open to anything.
If you are using Google Sign-In for authentication, there is no out of the box support for forcing your user to authenticate with Google every time they use your app.
This makes sense, because the user is still authed with Google on your phone. A login system only authenticates the user; it doesn't inherently protect data stored on the device. As long as Google has a valid access token, the user won't have to type a username and password again (and simply clicking "login with Google" again doesn't really provide extra protection here).
If your primary concern is blocking access to users who have left the company, you should be covered if you are using Google Apps for your company. If you disable the user's account, their access tokens should become invalid. Google Apps admins can also manually revoke access to specific apps for specific users.
If you don't use Google Apps (e.g. your users are using @gmail.com accounts or accounts from a domain outside of your control), you might want to consider implementing a list of users allowed to access the application, and verify the current user has access by checking that list via an API call on launch.
If the goal is really protecting the confidential information in the application, you might want to take an approach similar to Android Pay in which you require your user to set and enter a PIN number to access the application. As an added benefit, you can then use that PIN to encrypt any confidential data you are storing locally.
I will suggest you take a look into shared preferences and every time when the user is back into the app you send them to the login activity.
In my app I am using the Google API Client with the Google Plus API to get a Google Plus Person's friends.
I want to do this without making the user sign-in.
When a user signs up with my app's account system, they can link their account with Google Plus.
I can store any values in my app's account system, and I have tried storing the Person's ID, which I got like this:
I store the Google Plus Person's ID in my app's account system. Here is how I get the Person ID:
Plus.PeopleApi.getCurrentPerson(mGoogleApiClient).getId()
I don't know if this is the right approach though, and I couldn't find a way to retrieve the Person later by his ID.
How can I later get an updated instance of the Person object from Google Plus?
Plus.People.load() takes a list of personIds and returns a Person object. Note, however, to do this call:
This call returns all information in Person, but only for the people specified and for data that is public in their profiles.
Required Scopes: SCOPE_PLUS_LOGIN
Meaning you must have a connected GoogleApiClient with the proper scope and you'll only get back public information.
I have a private app which works totally offline (i.e. no server data sent/received), however I have a need to restrict it only to users with a valid Google account on their phone. I can make sure there is a suitable account on the phone by iterating a list of phone accounts, but is it possible to check the account is valid/authenticated without me having to introduce the full OAuth process? I have no need to get a cookie or send any data to a server.
Ideally I'd like to do something like:
1. Check with the account manager for an auth token.
2. If token received then allow access to the app.
Currently without any checks via the account manager, anyone could create a fake account on the phone and then gain access even if they put in an email/password and they would never be authorised.
I hope I've explained this clearly. As my app has no network connectivity so I would like to avoid adding any of my own network/oauth checking.
What about this:
AccountManager manager = AccountManager.get(this);
Account[] accounts = manager.getAccountsByType("com.google");
final boolean connected = accounts != null && accounts.length > 0;
The connected boolean will indicate if there is a connected Google account in the phone.
Indeed there won't be any check on the token, but if the account is registered on the phone, then Google checked it before, server-side, to validate it...
How about implementing the Google Plus login API? It's not really setting up a full OAuth process since G+ is fairly simpler, even if it is actually built on top of OAuth.
I use that in an app I'm developing that also does not require online access (except for initial G+ login access).
What I do is the first time the app is run I present the G+ login button. After user clicks on it he can accept the permissions request from my app (to be able to retrieve user email and some basic profile info, i.e. minimum permission needed) and if the API client connects correctly then I present the user with the dashboard or home screen and also set up a flag in SharedPreferences about the user being already authorized.
In this way, the next time the user starts the app it will remember it was already authorized and just ask the API client to connect (only if the access was revoked from the account's Play Store website do we need to re-verify that the user auth is still valid), and everything should work. If the user revokes the access to his G+ profile from my app, I clear the flag so the next time the user runs it it asks for authorization again.
It's actually very simple and at least for my use case (Which sounds very similar to yours) it works for what I want it with minimum user intrusion.
I strongly suggest you try out something like this Google Plus login tutorial
Edit: You can also check this question I asked before, about working with multiple activities that need Google Plus functionality
Also, forgot to say that with this method you are always sure that the user account is always valid since you are checking directly with Google's servers about its validity.