I am creating a REST server that will be holding a decent amount of proprietary information. I want users to be able to access the information in only the intended way, which is through a map built into an iPhone/Android app. I require a verified email registration to access the server. I will be rate limiting the amount of information any identity can receive, however I want to take it a step further and prevent (or at least try to prevent) an identity from pretending to be my app and grabbing the information in plain text.
A successful example of this is Spotify: you can download as much music as you want, however it is difficult (impossible?) to get at the files unless you are using one of their clients.
I have seen questions like this saying it is impossible: https://stackoverflow.com/questions/32084631/how-can-you-lock-down-so-only-your-android-client-can-interact-with-your-parse-p
However they do not explain techniques that companies like Spotify use to at least obscure the data. I am also ok with only holding one request at a time on the client and requiring that they are online in order to view the information.
tl;dr: What is a good way to ensure REST communication with a verified client (Android/iOS), and decrypt the information so that only my app can use it?
You could encrypt the information. I don't know much about this, but what I do know is that there is a book called java with jax-rs which deals with the authentication you are talking about.
Related
Is there a way for a mobile messaging app to hold messages sent and messages received on the app without a 3rd party (e.g. AWS) having to continually store these messages? My purpose is to bring down my costs. I would still pay for data ingestion and data egression, but I'm hoping to not have to hold the costs of storage, but rather that users can store their important messages on their own phones, and delete them when they're ready. I'm imagining this is how the iPhone's Messages app works. In my mind, this is like creating a photos app, combined with a messages app, etc.
Any verification that this is possible or tips/links for such a practice would be very appreciated!
Yes, this is possible. A server located in the cloud can simply transfer data between two simultaneously connected clients, without ever needing to store that data to disk.
A portion of the data will have to exist in memory of some form (e.g., RAM), at least momentarily. Taken to the extreme, this space requirement could be reduced to a single byte.
Storage is not particularly expensive, even for this use case. Nevertheless, if your architecture doesn't require any storage, then there's no reason to buy any.
I do not have any good links for you. I don't even know if this concept has a name. But you should understand that this is a very basic concept of computer communication/buffering.
If you've noticed that messaging services tend to like to keep your data in the cloud, well, (forgive my cynicism, but) that's probably just so they can mine it at their convenience.
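The relay described in this answer, sketched as an added example (not code from the answer): `relay` and `demo` are hypothetical names, and `socket.socketpair()` stands in for the two clients' network connections. With `bufsize=1` the server holds one byte of the message at a time and never touches disk.

```python
import socket
import threading


def relay(src, dst, bufsize=1):
    """Forward bytes from src to dst through a bufsize-byte buffer in RAM.

    Nothing is written to disk. Returns the number of bytes forwarded.
    """
    forwarded = 0
    while True:
        chunk = src.recv(bufsize)      # at most bufsize bytes held at a time
        if not chunk:                  # sender closed its side
            break
        dst.sendall(chunk)
        forwarded += len(chunk)
    dst.shutdown(socket.SHUT_WR)       # tell the recipient the stream is done
    return forwarded


def _send(sock, message):
    sock.sendall(message)
    sock.shutdown(socket.SHUT_WR)


def demo(message, bufsize=1):
    """Send message from client A to client B via the relay (constructed setup)."""
    a_client, a_server = socket.socketpair()   # stands in for A's connection
    b_server, b_client = socket.socketpair()   # stands in for B's connection
    stats = {}
    workers = [
        threading.Thread(target=_send, args=(a_client, message)),
        threading.Thread(
            target=lambda: stats.update(n=relay(a_server, b_server, bufsize))),
    ]
    for w in workers:
        w.start()
    received = bytearray()
    while True:                                # B reads until the relay closes
        chunk = b_client.recv(4096)
        if not chunk:
            break
        received += chunk
    for w in workers:
        w.join()
    for s in (a_client, a_server, b_server, b_client):
        s.close()
    return bytes(received), stats["n"]


if __name__ == "__main__":
    print(demo(b"constructed sample message", bufsize=1))
```

Both clients have to be connected at the same time for this to work; if B is offline, the relay has nowhere to forward to and the message has to wait on A's phone.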
I'm creating an App in which the user has to provide his credentials for a third party web site. My App uses these credentials to log in to that website to perform some automatized tasks via Jsoup.
The problem I see is that when credentials are sent from the App to the Website, they could potentially be intercepted. Is there any way I can encrypt that data?
Credentials are not for a particularly critical service, it's nothing that deals with money or stuff like that, but I still do not want to expose passwords.
It's great that you want to keep your user's credentials safe. That's a good thing even if the service you're using is non-critical, since many users will typically re-use their passwords across sites.
As for what can be done, that will depend on what the service you are trying to use supports. The first question is whether the site uses HTTPS. You should definitely use it if possible.
Some sites also provide their own APIs for interacting with them without going via their web-pages. I assume that may not be an option for you, since you are using JSoup, but if it is an option, look into what security features they provide that way.
If nothing else (or possibly in addition to anything else?), you might consider adding a section in your app with a paragraph with "recommendations for secure usage" or something along those lines. Urge your users to use a separate password for different sites, or at least for that specific site, to reduce risk. Be careful not to push it too much though - you want it to be a friendly reminder, and not a constant nagging.
I want users to send textual feedback to myself (the developer) directly (without involving Google Play).
Hence, I can get the suggestions to improve my app directly to myself, instead of users writing negative reviews on Google Play.
I do not own a website nor have access to any server.
I do not want to use ACTION_SEND, as that opens an email app.
I'm an Android beginner and this is my first app.
Maybe that data can be stored in a database (on cloud, common to all users) that I can access at any time I want?
After researching, I think GCM is supposed to be used, but I have no idea how to go about it.
Please tell me the easiest way to implement this.
Thank You.
That is not exactly what GCM is for. GCM is primarily for sending data from the cloud to the devices.
You are correct in thinking that one option is to store the data in a database in the cloud. You could use a free http://pythonanywhere.com account and build a web app that provides you endpoints which will save and retrieve data to a SQLite db pretty easily (if you have knowledge of Python and server side web concepts).
Another perhaps simpler option is to use a pre-existing cloud database solution: http://www.parse.com is a cloud backend that also has a free-to-use option that you can use to store arbitrary data. It is pretty easy to get up and running if you follow their many nice Android tutorials.
One last option I will present is to use a Google Spreadsheet with a Form associated to it. Once you create a form, if you know the right URL and parameters, you can send a POST request to insert arbitrary data into your spreadsheet. I've created a library that simplifies the process of uploading: GoogleFormUploader. If you need help getting your form set up, you can watch the relevant portion of my video tutorial covering this topic.
I have an Android game and I want it to store data - say a high score for example - against each user on a server backend.
Here's a list of outrageously demanding requirements! It's unlikely any solution can meet all these demands, so I've changed/prioritised them:
Minimum/very easy server and client code
Free/cheap
Automatically scalable and no/little server maintenance
As secure as possible with minimum code
Seamless - no user action required to authorise/choose anything
I know about Parse, and that seems the easiest option but I'm concerned about the future cost and would prefer more control so I'd like some alternatives.
AWS seems a lot of effort, although it handles secure anonymous authentication fairly easily and well.
App Engine would be great if there was an easy way to secure requests without requiring the user to login or authorise app engine.
So... I want the seamlessness of Parse, the security of AWS, and the auto-scaling of App Engine. Also the ease of use/coding of Parse. Fingers Crossed. :)
Thanks
My advice: use Parse, but create enough abstraction/encapsulation in your models so that swapping Parse out for another service won't be so painful. But seriously, I don't think Parse will get expensive (or even not-free) until your app is seeing very high demand. Furthermore, the Parse guys seem pretty committed to openness: you can export your data as a CSV and they have a REST API so any type of program you write can access the data.
If you're determined to roll your own, I'd recommend creating a Rails back-end with Heroku. Piggyback SSL is free, HTTP Basic Auth is really easy in Rails, and the entire stack will play nicely with whatever db you'd want to use (I'm assuming NoSQL since you want flexibility).
Any PaaS that supports SSL and a database will probably do. Estimate your traffic, data storage and processing needs and pick one that is cheap enough to get started. App Engine is going out of beta soon, and the pricing model will be changed, so if you want autoscaling you'll have to pay for it.
What exactly is 'secure anonymous authentication' and how does AWS support it?
I'm looking for suggestions for ways to share Android app data between phones running the same app. For example, let's say I have an app that stores a database of book reviews. If person A has a book review that person B doesn't have, what are the options for getting that information from person A's phone to person B's phone?
Currently, I'm aware of the following options:
- Upload data from person A's phone to a server, then download data from server to Person B's phone.
- Write code to have the phones sync up using bluetooth
- Write code to send SMS messages
I'm wondering if there are any more options besides these, and if there's actually a best-practice for accomplishing this?
Ideally, I want the users to simply click a button in the app to make the sharing take place, so I don't want to go down the bluetooth route because that requires the user to do a bit of setup (or assumes they already have set things up in the form of bluetooth settings).
Since the data can be of variable length and potentially large, I believe that would rule out text messaging.
As far as the server route goes, from what I understand this seems to be an ok way of doing things, but my problem is that I have no experience with having users potentially sign in to a server and then uploading data. I don't know of the cost concerns (if any), or of potential security concerns (allowing just anyone to upload data, I'm not sure if I would have to take steps to ensure someone couldn't bypass the app and upload malicious data).
So, can you guys give me suggestions and point me in the right direction? Thanks.
> I'm wondering if there are any more options besides these
You could try generating a QR code and scanning it on the other phone. Beyond that, I think you have it mostly covered.
> and if there's actually a best-practice for accomplishing this?
That is impossible to answer in the abstract.
Keep the database server side and interface with it via a web service
I too am looking for a solution to this very problem. I'll throw it out there that a fourth, or rather extension of your first option, is to use the Cloud to Device Messaging Framework, though it still requires (as best I can tell) having your own server, though I suppose you wouldn't need to store the database server-side longer than it takes to send the message, provided you keep it under 1024b (or whatever the actual size is).
I don't believe there is a convenient way to monitor/send email in the background. If I could have my app monitor email messages looking for a key subject, then parsing the body, I could probably accomplish what I'm looking for using email as the transport.
The problem with maintaining a server is that you probably would need to build in a subscription fee to your app to cover the costs of maintaining a server, as one time sales may not be able to cover the ongoing expense.