So, I know the paypal sdk for Android is deprecated. I decided to use rest api, but I'm not sure how to hide the secret key that I need to get access tokens from paypal's server. I thought maybe I could set up a function in "firebase functions" but I discovered that outbound connections are possible only if one has the premium plan...obviously. Now I dont know how to do this with a simple php server; so that new users that sign in on my android app will be registered in the "firebase database" after receiving the paypal id-token from my php server. All of that without exposing the api secret and without using firebase functions for outbound connections.
Come on guys, just tell me how should I set the question. I don't need the code.
You could use sqlciper to store any sensitive information, like the secret key, on the Android device.
As for the network calls, it's not a complete solution, but running queries over https should be the start.
Related
My mobile app does some API calls during usage and some of them should not be possible from anywhere else (e.g. postman)
For instance if you have a database table user and a column membership and the app-user does an in-app-purchase an API call is made to update that row and change the column from e.g. standard to premium
Now in theory if someone knows the URL and sends an HTTPS request he could upgrade himself without purchasing anything. I am researching for a while now but feel a bit lost. There is no registration or login. I use the unique hardware ID of the users devices as a primary key to store everything in the database. I thought about something like:
When the user opens the app a request is send and the server responds with a randomly generated key
All requests the user makes have to use that key which I would send in the header otherwise it gets rejected
Is this the only thing I can do? What is the best practice for a mobile app that does not use any kind of registration?
If it matters I used flutter for the app and flask for the backend that is connected with a postgres database
edit: I am using HTTPS everywhere not HTTP
If the api is open as you have described in the architecture then there is no way this can be achieved without having a login mechanism like OAuth or one of those provided by Google Login or Facebook Login. You will have to provide a way for client device to tell you who are you talking with.
Else you can hide this api behind a closed network so that only server can call this api which will only do so after a successful response from the payment gateway. That way you can enable the hit to come only from the specific server ip address.
Also the fact that you want HTTP instead of HTTPS makes this very vulnerable to a number of attacks.
At the moment, my app (Android and UWP) uses Azure Easy Tables. To upload/update/delete items in the easy table, a user has to be authenticated. But I only want them to be able to authenticate in the app.
Is there a way to restrict this authentication process to only accept authentication requests coming from my apps?
There's really no reliable way to authenticate your client. You can use and validate an application key as documented here, but if you're shipping your application with that information, those wouldn't be difficult to extract.
Alternatives are available (different ways to "fingerprint" your app) and while make it a bit more difficult for other clients to use your API, but none of them are foolproof.
Properly authenticating and authorizing the user is sufficient to guarantee that data is only accessible by users with the required permissions, but there's not a way to absolutely guarantee this is done from your client.
As the figure below, did you enable the App Service Authentication option of the Authentication / Authorization tab of your Mobile App to ON and with non-anonymous authenticate way on Azure portal?
If not, please enable it to protect your Mobile App backend endpoints which include Easy Table, and you need to do the more authentication for calling your Mobile App backend. Please see the details at here.
I'm building a Android/iOS/Web app which authenticates with a provider to receive an access token and then uses the token in the API calls to the node.js backend. I've already got it working for facebook using Passport and the Facebook-Token strategy (https://github.com/drudge/passport-facebook-token)
Now I'd like to repeat the process with this library https://www.npmjs.org/package/passport-google-token
Should be easy, right? But google's developer console for android doesn't provide a client secret. Infact there is very little documentation on what to do if you would like to authenticate on the device and use a token to communicate with the server. It was so simple with facebook, is there something I am missing?
FB's (or Google's) access_token is for their API, not yours. Also, most flows with 3rd party providers like FB and Google are intended for web sites (this is the auth code grant). Devices (and SPA) typically use the implicit flow that doesn't require secrets on the client.
You might want to consider authenticating users with Google or FB (or whatever) in your website (using either strategies which are optimized for web flows), and then issue an API specific token derived from that. I would recommend issuing JWT, which are lightweight and simple to use.
On the API side you could use express-jwt. See here for additional details.
I have a simple Google App Engine backend (written in Python) for an Android client. All the backend is responsible for is accepting a key and returning a value; it is a classifier in general, implemented simply by looking up the key in a Cloud SQL table, though this specific behavior will change in the future.
The backend and client communicate via Google Cloud Endpoints. I want to restrict access to my backend's API to only accept requests incoming from my client, and am wondering if OAuth 2.0 is really the way to do this.
I don't need any contextual or extra information from the user, and as such, don't want to have user action to grant any type of authorization. All I need to do is be certain the request came from my app. I was considering simply generating a static key and hardcoding it in my client and backend, but I thought there must be a more elegant way to do this.
TL;DR: How can I restrict access to my backend only to my client/app without needing user context/input, by OAuth 2.0 or otherwise?
I don't know if the OP solved their problem but I am posting this here for others. I have wasted quite a few hours on this particular issue.
Steps :
1.Create an oAuth 2.0 client ID for your Android client.
2.Specify the Client IDs in the allowed_client_ids argument of the endpoints.api. In this case (Android), supply both its Android client ID and a web client ID in allowed_client_ids.
3.Supply the audiences argument as well in endpoints.api which is set to the web client ID.
4.Add a user check to the protected methods.
5.Redeploy the API backend.
6.Regenerate the client libraries.
New to OAuth2. I am writing an Android app that communicates with an App engine server application.
The app needs to authenticate itself with the server on behalf of the user, using Google account info of the user. The server needs to retrieve the user's basic info and create an account . That's the easy part and I know how to do this.
Furthermore, the Android app will also have the user authenticate himself/herself using Oauth2 and retrieve basic user info using Google account info of the user. I can do this as well.
This is where I need help Assuming the previous steps have been completed successfully, how can I use the Android app (where the user has logged in) to communicate with the server securely using the user's credentials.
Any ideas or am I missing something obvious?
The Android to App Engine OAuth2 communication is documented in this answer:
google app engine oauth2 provider
Using OAuth, 1.0 or 2.0, doesn’t matter in this, leads to the app obtaining an access token - then based on the API of your server, you pass this access token with requests instead of login and password. I guess the way to attach the access token string to URL requests may be slightly different between different APIs, see the documentation for yourself. Or if you are making the server app at the same time, then you need to figure out your way to do so (like sending a HTTP header Authorization: OAuth access_token=abcdefgh….