I added Firebase integration to my Android app and unexpectedly ended up also getting Google Smart Lock password management behavior for free.
Although I am reasonably happy with the behaviour, I'd like to modify it ever so slightly.
The unexpected behaviour: I have a login dialog that's used to provide credentials to SMB shares. Now that I have integrated Firebase, I end up with the following unexpected addtion to my login dialog box:
What I'd like to modify: I'd like to constrain the login credentials to the target device (i.e. do not share userid/passwords across different SMB target devices), in the same way that Chrome does not reuse credentials across different web sites. (I think accidentally sending cached credentials to a machine they don't belong to constitutes a mild security risk). For the given example, I'd like Google Smart Lock to prompt ONLY for credentials for \lothlorien.
Entered credentials show up in my Smart Lock credential cache in my browser as being associated with my Android application.
Oddly, I didn't do anything explicitly to make this behavior appear, other than (1) add firebase integration, and (2) name the EditTexts in my activity. It's an Activity, not a dialog box, although it does use Material dialog themes.
If there were some easy way to associate them with credentials for "smb://lothlorien" (for example), I'd go for that.
Given that I already have functionality to cache and store credentials, and given the non-trivial nature of the Google Smart Lock apis, I'd be just as happy to disable the Smart Lock prompt altogether.
Either fix would work for me. Associate credentials with a specific machine; or disable the feature in the dialog box.
Related
I have a use case that requires the user to confirm device credential, and the createConfirmDeviceCredentialIntent method in KeyguardManager perfectly meets my need. However, this method was added since API 21.(reference link) So how can I achieve the same functionality before Android 5.0? I also want to support versions like Android 4.X.
Thanks!
Before 21 level this is certainly not possible on non-rooted device and there is no alternative with regular permissions.
If it is ok to require extra admin permissions, it is probably possible to emulate credential confirmation very loosely, with much more effort, by implementing DeviceAdminReceiver.onPasswordSucceeded. Lock the screen, when password succeeded perform the required action. This may turn out to be relatively complex because the action is not always received (only if status has changed), need to keep last success, communicate with receiver, etc.
As a side note, double check the use case and your design, in most cases when createConfirmDeviceCredentialIntent is used it is actually not required and other design choices may eliminate the need for it.
It was better to provide details of what exactly you are trying to protect. If it is a scenario for accidental access to the device by an unauthorized person and a permanent token is generated, say, from some oauth service, it may be reasonable either to reauthorize through the same service login flow or to store some hmac of original credentials along with token then prompt and re-validate credentials instead of prompting for device credentials. Alternatively, if that is enough for use case, you can use google login to authorize access to your app/token and verify google user is the same for the stored token.
The best answer I have seen for this situation is described in a blog post:
Android Secrets
However, it recreates system classes that are private and calls AOSP code that is not public. My bounty is for a better answer that would not require explicit Class naming inside the project. Perhaps Smart Lock or another awesome security library can be used for the backward compatibility I require.
Im developing an android application for the first time (no prior experience whit coding....). Mainly the app is going to be used at work as a tool for service technicians. The app is almost ready for field testing, but there is one thing i need the app to do before that. I need the app to force the user to log in every time its opened. This is because some of the info on the app is confidential, and only people that currently works for the company is allowed to have this info. Whit firebase i can then block the users that leave the company, or users that are not verified. Currently the users sign in whit google and they stay signed in until they clear the app data or delete it.
I have looked far and wide for the answer to this, but i have only come across different use of timers.
If anyone has a better solution to this "safety" issue, im open to anything.
If you are using Google Sign-In for authentication, there is no out of the box support for forcing your user to authenticate with Google every time they use your app.
This makes sense, because the user is still authed with Google on your phone. A login system only authenticates the user; it doesn't inherently protect data stored on the device. As long as Google has a valid access token, the user won't have to type a username and password again (and simply clicking "login with Google" again doesn't really provide extra protection here).
If your primary concern is blocking access to users who have left the company, you should be covered if you are using Google Apps for your company. If you disable the user's account, their access tokens should become invalid. Google Apps admins can also manually revoke access to specific apps for specific users.
If you don't use Google Apps (e.g. your users are using #gmail.com accounts or accounts from a domain outside fo your control), you might want to consider implementing a list of users allowed to access the application, and verify the current user has access by checking that list via an API call on launch.
If the goal is really protecting the confidential information in the application, you might want to take an approach similar to Android Pay in which you require your user to set and enter a PIN number to access the application. As an added benefit, you can then use that PIN to encrypt any confidential data you are storing locally.
I will suggest you take a look into shared preferences and every time when the user is back into the app you send them to the login activity.
Assuming an application that has no login, how can one go about allowing some of its user access to activate 'hidden' features.
An example I recently came across is the need for some users to see a different version of the data feed the app is using (official feed vs editor feed which is being modified/approved)
In android, I assume that we could just point those user to downloading a specific file and test for that file presence in the app but I dont believe this approach can be used on iOS (sandbox).
The approaches I came up with:
Hide an activator in the UI: specific touches/gestures, invisible button and the like
Make the user visit a site which sets a cookie when on a specific page and test for that cookie's value in the app to enable features.
Did someone came up with a more elegant solution?
You can try any AB testing tool like Optimizely , Apptimize, Taplytics or MixPanel
They will help you to try new features by enabling them to only a group of users. Also you can set goals to each variant so you can compare how they perform.
Create a settings bundle. Then the user can just go into the Settings app to switch your 'hidden' behaviour on and off.
In iOS you can register an association between your app and a file extension. Then if you send an iOS user an email containing an attachment with this file extension, iOS will open your app and you'll have access to the file. You could save to the sandbox from there.
Just Like In-app purchases, when user completes a purchase some of the features in application gets unlocked.
I think best approach would be to have data maintained on your server end, the users vs features and in splash screen you get the response from server which of the application's feature are enabled for this user using a service call.
Obviously you must be needing some kind of business logic to implement the flow of enabled features in the application and that is totally up to you whether you use SharedPreferences of keep the information in txt or some other files.
A legacy setup we have means that we have the following:
Facebook app used for login onto Android devices
Separate Facebook app used for login on iOS devices
The issue this has caused is that if a user switches between devices they get a 'this email address is already in use' message from our server.
I need to find a way to get any users logging in on the two platforms to just be able to do so, and i assume the best way to do that is to:
Add Android as a platform on our iOS login
Change the Android app to use the 'other' login/app id (iOS)
Log everyone out on next release of our app (on Android)
Re-authenticate those users on Android as they log in (as we are making them use a new app id)
The key thing is for us however, that
The Facebook login is associated to their entire account (which is hung off the email address) and they have lots of content in there, so we cannot get those Android users to lose anything
We need to let them do this because we WILL already have used that email address if they are logging back in
Will the above strategy work to do this? Any pointers or recommendations on best strategy for this would be hugely appreciated.
You can use this API to link your users across the two apps: https://developers.facebook.com/docs/apps/for-business
Just keep the two apps as separate apps and link them under a single business. Then, when a user logs in you can check if they have already logged in before using the other app.
I am developping an Android application that uses a Facebook component. It would be something to simplify the management of the Facebook privacy settings with the user only having to push 2 or 3 buttons to apply a whole set of privacy parameters to his/her account.
For example, by pushing the button "paranoid", my settings change as:
default privacy for new wall posts = only me
secure browsing ON
...
And by pushing "free givaway":
secure browsing OFF
default privacy for new wall posts = everyone
...
Just an example.
I'm just beginning, so I had a look at the Facebook SDK for android, implemented the few examples like the Hackbook, etc.
But I'm still wondering how to manage privacy settings. I understand it would be a security concern to let an app manage that kind of thing, but why not?
Since I couldn't find a clear answer inside the bowels of internet, my questions are:
Is it doable? Or even partially?
If not, why? Will it be possible in the future?
If yes, how? What part of the API should I use?
Thanks.
This is not doable via the graph API because managing settings isn't available to write/update. I am almost positive this will never be available via the API. The Facebook native app may or will allow this but Facebook itself makes that app and doesn't use their own api for their app.
If you really wanted to do this, you could break Facebook's terms of service and do this via scraping Facebook's desktop site.
https://developers.facebook.com/docs/reference/api/post/
From Above link : The value field may specify one of the following strings: EVERYONE, ALL_FRIENDS, NETWORKS_FRIENDS, FRIENDS_OF_FRIENDS, CUSTOM