I'm creating an App in which the user has to provide his credentials for a third party web site. My App uses this credentials to login in that website to perform some automatized tasks via Jsoup.
The problem I see is that when credentials are sent from the App to the Website, they could potentially be intercepted. Is there any way I can encrypt that data?
Credentials are not for a particularly critical service, it's nothing that deals with money or stuff like that, but I still do not want to expose passwords.
It's great that you want to keep your user's credentials safe. That's a good thing even if the service you're using is non-critical, since many users will typically re-use their passwords across sites.
As for what can be done, that will depend on what the service you are trying to use supports. The first question is whether the site uses HTTPS. You should definitely use it if possible.
Some sites also provide their own API's for interacting with them without going via their web-pages. I assume that may not be an option for you, since you are using JSoup, but if it is an option, look into what security features they provide that way.
If nothing else (or possibly in addition to anything else?), you might consider adding a section in your app with a paragraph with "recommendations for secure usage" or something along those lines. Urge your users to use a separate password for different sites, or at least for that specific site, to reduce risk. Be careful not to push it too much though - you want it to be a friendly reminder, and not a constant nagging.
Related
I am developing a voting application based on Android. This app will be used to create user accounts, receive notifications and caste vote.
I want to develop a back-end server for this application which will also have an Administrator interface to create new voting events. I want to know what all options I have to implement this project.
The server must maintain user account records in a secure manner, send out one-time-passwords from email, have sessions implemented for users logging in from the Android App, send out notifications about upcoming events to the app.
What back-end technology, database, parsing(for communication between server and android application), encryption(for secure communication) should I use to make this possible?
I also want to know how would I be able to host this server, both on a local virtual machine as well as on an online hosting.
The scope of your project is far too large if you're wanting sessions, administration views, E-mail integration, encryption, etc., without even knowing how it would all interact, or even what language to use.
As for what languages / services you would need, it varies for each task:
For administration views, you're probably looking at either ASP.NET or PHP with a CMS.
In terms of security, you'd want either MySQLi, or preferably, PDO. Make sure to read up on how to prevent things like LFI, RFI, SQLi, and XSS if you want semi-decent security.
Both ASP.NET and PHP can handle sessions, and they're fairly easy to understand in either language, so that wouldn't be too much of a concern.
While you can send out E-mails directly using scripts like PHP's mail() function, you probably want a system that can easily monitor things like how often users click on certain links, where the people who click the links are located, what campaigns are most effective, etc. For that, you'd want a service like MailChimp, Marketo, or Pardot.
As for how to have the back-end interact with the front-end, you're working with Android, so you're probably working with Java. That means you would be limited to functions like HttpMethod. Having said that, you can create plain HTML applications, or use a service like PhoneGap. In either of those situations, you have AJAX at your disposal, which will make things a lot easier.
For hosting, simply do a Google search for 'web hosting service'. There's literally thousands of decent hosts. Some have better pricing than others, but some have better features. I can't really recommend any brilliant ones, as they all meet different needs. To host locally, you'll want either IIS, or WAMP / LAMP depending on whether you are running Windows or Linux.
If you're not familiar with almost every term that I've mentioned, then the scope of your project is too large, and you'll definitely want to scale back.
I don't mean to scare you off, just making sure you're aware of just how difficult it would be to put all of that together :)
I'm building a react native application where I am hard-coding credentials into the application. This is why I was wondering whether there are any security implications between communication with native modules and/or the ability the reverse engineer the application. If so, what are some preventative measures I can take to still have access to those credentials and have them locally. Please let me know if you can think of any other implications react-native has in terms of security.
Thanks!
I have a small answer for part of your question that I learned when working with penetration testers on an enterprise app that I created. When you hardcode a string literal it is very easy to pull out of your app. So in order to obfuscate that a little bit one suggestion I got was to append multiple strings together to get your encryption password. So when the hacker pulls the strings out of your app he doesn't know which ones go together and in what order to get the correct password.
And if you wanted to go a little further, he suggested that I use [SomeBuiltInClass class] in the password string as well so that even if a hacker pulls all of the string literals out of my app, no combination of any of them will get to the correct password.
[NSString stringWithFormat:#"%#%#%#",[NSString class],#"SomeIntermediateSomething",[NSData class]];
But even if you do all of this and the hacker has your application in a jailbroken device he can still see all calls and all parameters that your app pushes around, so they can still get the credentials if you pass them in any method or function. So pulling the password exactly when you want to use it is key as well. They can also run any method or function in your app with any data they wish, so they can get a password the same way you do if they know which functions to call.
I'm sure there are others out there who know much more than I, but those are some things that I have done in the past.
First rule - never store credentials in a mobile app. Bottom Line. Think this has been mentioned but worth repeating, see
https://security.stackexchange.com/questions/20294/how-should-an-application-store-its-credentials
I am creating a REST server that will be holding a decent amount of proprietary information. I want users to be able to access the information in only the intended way, which is through a map built into an iPhone/Android app. I require a verified email registration to access the server. I will be rate limiting the amount of information any identity can receive, however I want to take it a step further and prevent (or at least try to prevent) an identity from pretending to be my app and grabbing the information in plain text.
A successful example of this is Spotify, you can download as much music as you want however it is difficult(impossible?) to get at the files unless you are using one of their clients.
I have seen questions like this saying it is impossible: https://stackoverflow.com/questions/32084631/how-can-you-lock-down-so-only-your-android-client-can-interact-with-your-parse-p
However they do not explain techniques that companies like Spotify use to at least obscure the data. I am also ok with only holding one request at a time on the client and requiring that they are online in order to view the information.
tl;dr: What is a good way to ensure REST communication with a verified client(Android/iOS), and decrypt the information so that only my app can use it?
You could encrypt the information, I dont know much about this, but what I do know that there is a book called java with jax-rs which deals with the authentication you are talking about.
I am writing a basic app that interacts with a webservice I'm writing using AppEngine. I was wondering what the repercussions are of using login based authentication and managing users individually on the server side.
I know the business benefits of knowing your users and since I plan to eventually have some user generated content in the service, I realize I will eventually have to add it.
Right now, I'm concerned more about the technical aspects of adding this feature. What are the development and maintenance costs of adding these services right now versus adding them at a later point in time i.e. when the datastore is already populated with some 'anonymous' data and not user histories are kept ?
I know this is a vague question so I'll try to quantize the situation. Let's say we have an app that allows users to search the surrounding area for restaurants. The app only needs to send to the service the type of restaurant, say 'Chinese' ? The app is popular and gets a 100k users. Now we want to add a favorites system. Would we have been better off adding it from the start or is it better to wait to get some user and then add features ?
An underlying concept here is also the value that users attribute to a personalized experience and it would be great to get some insights from experienced App developers.
It seems feasible to build your system from the ground up using an internal unique identifier to segment user data. To start, just use the device's unique identifier to authenticate, then add a login-based scheme later.
I recently rolled my own api-based authentication system using GAE, and one of my biggest regrets has been not biting the bullet and doing it sooner. That said, if the context warrants (ie you want to test out a concept and see how well it resonates), I'd say you are safe going with an extendable approach, like the one I've described.
We have an android and ios app which sends data and commands to a server with http webservice. How can i prevent the possibility, that fake-clients also can send something to the server? How can I determine serversidely if the data/command really comes from our apps.
You cant really prevent it. There are several techniques to make it harder for people abusing your services.
A simple check can be to check the user agent calling your webservice. Another pretty common one is to use a simple authentication via user/password authentication on your webserver. The username and password will be embedded into your app.
If you have enough time you should think about using a combination of this two methods plus authentication with a embedded ssl certificate. You simply could add this to your project and if someone really want to abuse your service, he have to extract this certificate atleast form your application.
There are some other useful techniques but you cant prevent reverse engineering or network sniffing.
Sincerely,
fuxx
The most robust solution is not to try. Techniques like DasFuxx's answer suggests can make it faintly harder, but someone can always decompile your application and get whatever secrets you have embedded in it.
Instead, follow the rule of multiplayer game development:
Don't trust the client.
Don't think about your application as the user interface. Think about your network protocol/API as being the user interface; then design that interface so that it cannot be abused.
It may not be possible to do so completely, but insofar as you succeed, you have true security (rather than fighting the same losing battle as DRM systems).
I would implement oAuth. See the following link for more information on how to implement such a solution.
You can't. It's that simple...