I am trying to setup custom authentication with my firebase system, I am looking at this firebase link and this one. I noticed with this approach you need to send the users credentials to your server:
However, I have implemented our system in a different way - where when the user enters their display name the credentials are posted to the server, the db will check whether these credentials are stored in the db and only if they are then the encrypted password shall be sent back to the java class where it will be stored in a string and decryted.
The password will then be compared with the password entered, if they are correct I want to generate the custom auth token with this method
mAuth.signInWithCustomToken(mCustomToken)
and then allow the user to login. So basically in short I want to create the custom auth token in my java class which is part of the application.
P.S I am using firebase realtime db as my db
Related
Since I want to fetch data without authentication for my app, my security rules look like this:
{
"rules": {
".read": true,
".write": false
}
}
But Firebase said if someone has this URL he can fetch my data. How could I save my data. My app doesn't require authentication. How could I resist other, or what configuration I can set so only my app can fetch it.
In simple words,
No one should allow to fetch my app data(firestore) without my app. Where my app doesn't require authentication.
What you're asking for isn't possible. These things are all exactly the same:
Accessing data via client SDK without authentication
Accessing data with the REST API without an authentication token
Accessing data in any way without using the app itself
If you want to restrict data to your app only, you will need some form of authentication provided by Firebase Authentication.
You have to use firebase Anonymous Authentication, This authentication doesn't require user input like email, password, SSO, etc. You can just set the code inside a button to Get Started, So firebase will automatically create a userID for each user.
I am integrating log in in my app. There is a requirement for log in without internet connection. Means first time when user gets login there will be a web service call for log in authentication but next time the web service call should not be needed it should authenticate from local db of device. First time on log in response I am saving user credentials in local db (means device db using sqlite) and for rest of the attempts I am matching credentials from local db for authentication. For authentication, password is a plan text in local db and I am matching plan passwords. It this good idea/approach to match password as a plan text or I am supposed to be using any encryption? If encryption is required so why is it needed so. I mean when db file is stored internally no one can fetch password.So why encryption is needed?
Never ever store passwords in plain text anywhere. Event when it's local and nobody has access to it.
The better approach is storing it using a hashing algorithm along with salt so the if password is leaked somewhere, no harm should come of it.
You can then hash the input password with the same algorithm and verify it with one you have previously stored.
Here are some links to get you started on hashing:
https://crackstation.net/hashing-security.htm
http://howtodoinjava.com/security/how-to-generate-secure-password-hash-md5-sha-pbkdf2-bcrypt-examples/
I'm working on an app that has PHP classes to connect to the web server for login and other database transactions, and SQLite serves as a local db to store user credentials.
I'm not sure if the SQLite maintains the user session or not but it keeps the login status until the user clicks on the logout button.
How would I implement the session(or something) so that the user can make other database transactions based on the user ID throughout the states?
Some say to establish session in PHP and other say to use preferences.
What would be the best solution for me?
Maybe I shouldn't ask that but, well, are your webservices RESTful or not ?
If they are, I read a lot of discussions about not keeping user sessions on the server, but instead authenticate user at each request (using his credentials or more secured authorization systems).
Otherwise, yes, you can just create PHP sessions server-side when a user is authenticating. You store the session in a specific table, containing a fk_user_id field, and you send back the session_id to the client application (android app in your case) once the authentication process is over. Then the session_id is stored (in user-preferences for example), and sent along with each request in order to retrieve who is asking data, thanks to the sessions table and its fk_user_id field.
Im using MySQL with PDO PHP scripts to maintain a user database and a highscore database.
When a user obtains a new highscore in the Android app, I send it to the server:
https://domain.com/phpscript.php?user=username&newhighscore=highscore
In here username and highscore are variables. Every web browser can access this url. If anyone decompiles my app they will know where my database is located and they can fake their highscore. Obfuscation and encryption for the url is probably not an option since they can always be reversed.
Is there any way I can protect these URLS so ONLY my Android app can access these pages, and not just any browser?
If a call to https://domain.com/phpscript.php?user=username&newhighscore=highscore is all you need to update the highscore for a user, you are in deep sh*t.
You need some sort of authentication - which is what you might mean with "ONLY my Android app can access these pages", here are a few ideas:
On first start of you app call another script to facilitate exchange of some token. Store this token in your app and in your server-sided DB and use it as a verification token, e.g. https://domain.com/phpscript.php?user=username&newhighscore=highscore&salt=abc&auth=xyz with abc being a random salt and xyz something like hash(encrypt("user=username&newhighscore=highscore",key=token,iv=salt)+salt)
use the phone ID as part of the authentication scheme
I am thinking about the design of an android application which will need to create user accounts and have some information about the app users. While researching in the internet and the developer site, I got the impression that to maintain the database , you have to have a server.
What if I don't want to maintain the account information in my own server (i.e. I am not willing to maintain my own server for this), what options do I have and what will be their drawbacks (if any).
If there is no other choice but to use a server, then can I get suggestions as to how can I modify my design so that I don't have to use a server.
I am a novice at this field, so I would appreciate advice.
Thanks in advance!
Create external database file with credential table in this table create appropriate columns like username,password etc..here if you have registered users then store those users details in credential table.Finally copy that database in assests folder then using SqliteOpenHelper class copy that external database to phone memory.Here you need to maintain registration page with conditions.If the user completes the registrations procedure with your conditions then store his/her details in credential table.When user wants to login to the App please check the username and password in credential table.