I have a server developed in laravel. I have an android application that can send POST and GET request to my server. I found that i can send POST and GET request from any other systems if have the link to my api. I want to authenticate my API and only allow my android application to POST and GET from my API. Please note that i dont have user login in my android part. I simply want to authenticate my android app to access those APIs.
If you want only your mobile application to make API calls, you can't. Your API doesn't know who is sending the information, he can only check if the information is correct and proceed with your endpoint. Like others have said use JWT/Authentication to limit who can use your API by creating an account or requesting a token, but there's nothing to prevent the user from taking his token and use it on his browser or tool of his choice like Postman.
Related
I had created an Android app that requests resources from the server using Rest APIs. Now how can I check on the server side that the request is from the app and its not from the Postman.
For example,
I am using the following endpoint to get data from the server.
https://api.example.com/get-data/{id}
Now, this endpoint is also accessible from a browser. Therefore I want a solution to make the API in-accessible by all other means. ie. It should be only accessible from my android app instead of any browser, Postman or an android app that is not built by me.
In other words, I want my android app to send a special piece of information that helps the server to authenticate the app.
Besides this, I am also concerned about someone to decompile my APK and take out that information to make API requests.
Note By special information I mean a security key or a mechanism to generate that key.
I am looking for something like the "origin" header that is set by the browser by default and no one else can change this header even the developer of the website. Does anything like this exists in android?
You need to implement an API token, that behaves like a password for your API.
A simple way of doing this is using the Bearer Header with the token value to come from the API and every request you send via your app should include this token as a header.
An example is the Slim 3 Token Authentication which does this for Slim 3 Framework APIs. IF you are using laravel API, try https://laravel.com/docs/5.6/passport
I have a laravel backend which has rest api. But I want my rest api to be used only by my android app. So how do my backend know that the request is coming from my android app only and not from web or another app?
NB: I don't want the users to accept some login challenges.
you can use jwt. Each time you execute a request you must obtain the token. The token ensures that the user belongs to their service. The token must be saved in some way in your android app to return that response to the api rest.
https://github.com/tymondesigns/jwt-auth
Also keep in mind protect your endpoints in the api rest:
Route::middleware(['jwt_auth'])->group(function(){
Route::group(['prefix'=> 'V1'],function(){
Route::post('/endpoint', 'V1\EndointController#store');
});
});
I have an andorid app and i am trying to implement linkedIn login in it.
LinkedIn SDK has been successfully integrated and i am getting user information as well along with the email address.
Here is how my application works for google login :
1) get access token on mobile
2) send email address with access token to server
3) fetch details of users with access token i received via webapi of google.
4) if the response email matches with the email received from mobile device then check for account exists or not of that email address . If not create account and login other wise login.
Problem with linkedIn :
The access token i have received belongs to mobile sdk and i cannot use the same token to make REST API request. (as per documentation)
Mobile vs. server-side access tokens
It is important to note that access tokens that are acquired via the
Mobile SDK are only useable with the Mobile SDK, and cannot be used to
make server-side REST API calls.
Similarly, access tokens that you already have stored from your users
that authenticated using a server-side REST API call will not work
with the Mobile SDK.
So how to verify details in step 3) i mentioned above on my webserver ?
Is It a disaster ?
I am sure there has to be a way to do what i am trying to do, as there are many applications which let their users login through linkedin on their mobile apps.
Because if its not possible then anyone can easily change the email address the mobile app is sending to webserver after receiving from linkedin and i can login with any email address i want by doing that.
Like you said, you can't do it.
Instead you have to use a different approach, get the required info on the device, returned by LinkedIn and send it to your server. Use HTTPs connections to avoid MITM attacks.
If you app is downloaded from official information shouldn't be modified on device.
ANOTHER SECURITY MECHANISMS:
If you want more security, you could for example encrypt data on server, send HASH to mobile, use your LinkedIn token to consult information and with another algorithm compare that data received is the same.
But I think that this a too expensive mechanism that should be resolved only using HTTPS connections and not downloading the APK from non official stores.
The docs state clearly that you can't use the AccessToken obtained from the Android SDK to make your own REST API calls.
However there's a way to make REST API calls with the mobile SDK, check the Making
Authenticated REST API calls
from here: https://developer.linkedin.com/docs/android-sdk
If you want to retrieve the user profile info, you'll have to do it using the mobile SDK.
I am having trouble wrapping my head around the following:
Android app with a Facebook login
NodeJS (Hapi.js) server backend
In the past I was using a simple username password system that made it very easy to create a server side session and authenticate server requests (for example: get all users that are within 50 km of me). I removed that system and chose for a Facebook login in the android app because it will help decrease some of the load (for example: we don't need to store our own images...).
The problem is that I am not sure how to handle server side authentication. All GET's, POST's,... can only be done by users that are also logging in on my Android app using the Facebook integration.
I found the following topics already on Stackoverflow:
Facebook authentication to my server using Android
Provide secure Facebook authentication with my Server
I just want an updated opinion on the matter, is it secure enough to just send the token to my node server and make a Facebook API call using it to check for a valid authentication?
If there is a better approach please share it! Thanks in advance.
Yes, it is secure enough to send Access Token to your server and make an API call to Facebook for validating that Access Token. AFIK this is the Best approach.
New to OAuth2. I am writing an Android app that communicates with an App engine server application.
The app needs to authenticate itself with the server on behalf of the user, using Google account info of the user. The server needs to retrieve the user's basic info and create an account . That's the easy part and I know how to do this.
Furthermore, the Android app will also have the user authenticate himself/herself using Oauth2 and retrieve basic user info using Google account info of the user. I can do this as well.
This is where I need help Assuming the previous steps have been completed successfully, how can I use the Android app (where the user has logged in) to communicate with the server securely using the user's credentials.
Any ideas or am I missing something obvious?
The Android to App Engine OAuth2 communication is documented in this answer:
google app engine oauth2 provider
Using OAuth, 1.0 or 2.0, doesn’t matter in this, leads to the app obtaining an access token - then based on the API of your server, you pass this access token with requests instead of login and password. I guess the way to attach the access token string to URL requests may be slightly different between different APIs, see the documentation for yourself. Or if you are making the server app at the same time, then you need to figure out your way to do so (like sending a HTTP header Authorization: OAuth access_token=abcdefgh….