I am implementing Google's Smart Lock for Passwords on Android service on an Android app and while the provided API gives you the ability to retrieve saved credentials, save new credentials, save multiple credentials and delete specific credentials, it effectively provides no way to CLEAR all the saved credentials for a particular app. Not only is there no direct API to clear all the credentials, but there is no programmatic way to list all of the credentials in order to delete them one-by-one.
While the user can log directly in their google account in order to delete the saved passwords directly, this does not fit into any reasonable user interaction flow. The only other idea I can think of is to prompt the user with the list of credentials, have the user 'choose' one at a time and then delete the chosen credential, which also seems like a very unwieldy and confusing flow for users to follow.
I have tried the 'obvious' solution of passing a null credential to the .delete() API or creating a credential with a null identifier.
Is there any known method of doing this that does not result in a really terrible UI experience of the user?
There is no way via the API to delete all credentials programmatically, since this is not a typical user action (and it is a bit dangerous to delete all the user's data, would probably need a confirm UI or undo, etc.)
But as noted in the question comments, it could come up in testing, so easiest recommendation is to clear out all saved credentials at https://passwords.google.com or chrome://settings/passwords (but it takes a minute or two for the changes to sync to the device).
If you have more feedback on a user interaction that would require this functionality in the API, please leave a comment!
Related
Im working on a project where a user isn´t forced to sign up a account.
My plan is that a user could do anything like a user that is registered except for a few exceptions.
I implement a like function which saves the users behaviour on a webserver and later when the data is fetched again it recognized if the user liked something or not. My problem is that I have to save this informations also if the user isn´t registered to my application. A User should be free to decide wheter the user likes to sign up or not and isn´t forced to be a registered user.
I found three different way that could work!
1. Option
First option would be the accountmanager but I don´t like this option at all cause I have to ask for the contact permission and also ask which account a user want to use.
2. Option
A other option would be if a user starts the app for the very first time the app would call a server which creates a random unique code and send that code to my application to save it as key for the users actions which is saved on a server. But that also doesn´t seems to be a good solution for my problem.
3. Option
The last option would be oauth but for now I don´t know if and how it would be the solution to my problem!
I would be thankful for every answer!
I have worked on a comic app that requires saving the user subscribed channels, genre or comics and save the likes/dislikes for the same. User can be subscribed to push notification too.
For this, we used Firebase Authentication (anonymous signup). And to save the user subscription information, we used Firebase Firestore.
And followed the below approach.
As soon as the app opens, check if the user has already anonymous SignIn. If it hasn't, signUp silently.
Add a listener for user push notification token change. And update it to Firestore by anonymous user-id as key (We did same for storing other information too).
I think this approach would help to solve this problem.
You could use firebase auth for that!
Usually, you would use it with email & password or google login but it also has an anonymous login feature that should save the user's phone.
There are few techniques. It depends on whether you want to recognise a user between installations of app. If you are OK to lose a user on reinstallation you can use Firebase installation ID and link users behaviour with this id. If you want to remember users even between installations you can use unique to each combination of app-signing key, user, and device Secure.ANDROID_ID(more info about ids). But still the best way is implementing your own signing in or using of AccountManager.
I am working with Cloud Firestore and I came to the question on the top. I will set you an example
The user installs the app and log's in with Google. I save the log-in information in the device storage so the user does not have to log in every time. It is also stored in Firestore with a generated ID.
The user plays with the app and one day uninstalls it. This erases the log-in information in the async storage, losing the generated ID that granted him access to the app.
One day he decides to install it again, let's say in another device to make it harder. He had various information in his profile or maybe an active payment plan he forgot to delete and he wants to do it now. He clicks on google log in since it was how he did it, but now the profile information is gone because another account was created with another generated ID.
How to avoid this? I want the app to remember the user account in some way. The user account would be stored in my Firestore.
According to the docs:
For Android and iOS, offline persistence is enabled by default.
Meaning that by default, Firestore creates a locate copy of the database on the client's device.
User installs app and log's in with Google.
So I assume you have already implemented Firebase authentication with Google.
It is also stored in Firestore with a generated ID.
Without seeing that "generated ID", it's hard to say if it's the correct ID or not. The idea behind this authentication is to sign-in your users with Firebase, no matter what the provider is. Furthermore, if you want to save user data in Firestore, store it into a document whose id is the user ID that comes from the authentication process. In this way, doesn't matter what the provider is, you'll always store the data under a document whose key will never change.
User plays with the app and one day uninstalls it. This erases the log-in information in the async storage, losing the generated ID that granted him access to the app.
It's true that if the user uninstalls the app, all the cache is wiped out from the storage, including the log-in information. That being said, bear in mind that you should never store such information on the disk. When using Firebase authentication, there is no log-in information that needs to be stored. If you didn't still implement it, I recommend you start with the docs.
One day he decides to install it again, let's say in another device to make it harder. He had various information in his profile or maybe an active payment plan he forgot to delete and he wants to do it now. He clicks on google log in since it was how he did it, but now the profile information is gone because another account was created with another generated ID.
This is only happening if you are using a type of ID other than the one explained above. If you had used the ID that comes from the authentication process, the second time the user tries to sing-in, even if using a different device, he'll be recognized as the same user with the same data. In this way, the user will be able to access the same document with the same data and recreate the local cache.
Im not sure in which framework you are working in to create the app, but firebase sdk has sign in along with create user with email & password. Needed data could be saved to user's document on Firestore.
I've been setting up in app billing the last couple of days and been trying to go the right way about it. The guides recommend using a secure back-end server to store the purchase token rather than storing the data locally. The documentation on verifying the purchases on a server is very thin and I'm not sure whether am going the right way about it.
I am using cloud fire store to store the purchase information mentioned in the title. I have a couple of questions:
Should I be reading my product id from a server rather than having it hard-coded in the apk?
How often should I/Do I need to read the device id in this case and search on the DB to make sure the user has a valid purchase? Just the once when making the purchase or intermittently?
If I am to do this, what happens when the buyer changes their phone? The device ID will be different and I wont have a record of their new device making a successful purchase. Or here do I query a skupurchase and it returns the item is already owned, write these new details to the DB?
and finally should I store a successful purchase flag in shared preferences or something so I am not constantly reading the DB and the user can use the device offline?
I was going to go down the route of getting users email using this answer here but there is a lot of comments saying this is very intrusive and I only need it for a simple thing. So I went the device ID route.
BTW I only have one product that unlocks full features and is non-consumable.
What is the correct way to go about this?
This was my approach to the same problems. It may not be relevant to your scenario. Hope it helps.
Should I be reading my product id from a server rather than having it
hard-coded in the apk?
You should store productIDs in the code as they will be used to provide features coded into the app.
How often should I/Do I need to read the device id?
You should not rely on the device id as you have raised the concern about the user changing the phone. You would want to implement the login system and make user login into the app before purchasing the product. This will make your subscription device independent.
The process should be:
User tries to use the locked feature.
App asks for login. Make user register and log in.
User clicks on the buy button again and completes the purchase.
Your server stores the user login information with the purchase information.
User changes the device.
User tries to use the locked feature.
App asks for login. User logs in.
The server returns purchase details with user info.
The app unlocks the feature.
How often should I check purchase details from the server?
You should check for purchase details intermittently.
Why? The user may ask for a refund after some time or the payment gateway would void the purchase for some reason.
IMO, there should be two types of sync methods silent and forced.
In my approach, silent sync would check for internet every 9 days. If the internet is not available, it would not do anything. While the forced sync would check for internet every 25 days from the last sync. If the internet is not available it would ask the user to turn it on otherwise, the user wouldn't be able to use the app.
I was using the subscription period of one month but as you have a non-consumable product you can afford 2-4 months forced sync period.
Should I store a successful purchase flag in shared preferences or
something so I am not constantly reading the DB and the user can use
the device offline?
The syncing process and the login would solve this problem.
I think you might be reluctant to implement a login system for such a small thing and think it would make fewer users buy your product. But by implementing Google authentication it would be fast and users would be less frustrated by it.
Implementing this approach involves a lot of server-side logic.
Im developing an android application for the first time (no prior experience whit coding....). Mainly the app is going to be used at work as a tool for service technicians. The app is almost ready for field testing, but there is one thing i need the app to do before that. I need the app to force the user to log in every time its opened. This is because some of the info on the app is confidential, and only people that currently works for the company is allowed to have this info. Whit firebase i can then block the users that leave the company, or users that are not verified. Currently the users sign in whit google and they stay signed in until they clear the app data or delete it.
I have looked far and wide for the answer to this, but i have only come across different use of timers.
If anyone has a better solution to this "safety" issue, im open to anything.
If you are using Google Sign-In for authentication, there is no out of the box support for forcing your user to authenticate with Google every time they use your app.
This makes sense, because the user is still authed with Google on your phone. A login system only authenticates the user; it doesn't inherently protect data stored on the device. As long as Google has a valid access token, the user won't have to type a username and password again (and simply clicking "login with Google" again doesn't really provide extra protection here).
If your primary concern is blocking access to users who have left the company, you should be covered if you are using Google Apps for your company. If you disable the user's account, their access tokens should become invalid. Google Apps admins can also manually revoke access to specific apps for specific users.
If you don't use Google Apps (e.g. your users are using #gmail.com accounts or accounts from a domain outside fo your control), you might want to consider implementing a list of users allowed to access the application, and verify the current user has access by checking that list via an API call on launch.
If the goal is really protecting the confidential information in the application, you might want to take an approach similar to Android Pay in which you require your user to set and enter a PIN number to access the application. As an added benefit, you can then use that PIN to encrypt any confidential data you are storing locally.
I will suggest you take a look into shared preferences and every time when the user is back into the app you send them to the login activity.
I need to write a application which has login functionality. It needs to have user name and password. Once a user logs in I need to switch to an activity that displays data from a REST API.
However I want to know the right way to implement this. I'm thinking that if I login and switch to the next activity, then the first login activity should no longer be reachable unless user logs out. Also I'm thinking that the data activity should not be exported and login might (?) be exported.
Can anyone suggest the right way to implement this ?
Your suggestion is one way to approach this, but it's a bit "brute force".
Is there a reason that users have to log in each time they use the app? Why don't you store the credentials, at least as an option (that is, provide a "Remember me" option?).
For example, the only way to use the Gmail app is to add your Google account credentials first. Once you've done that, you no longer have to provide your email and password when you look at mail. The Gmail app assumes that you've protected access to your phone.
Remember that, for a mobile device, entering text is tedious and error-prone. On the whole, it's best to do it once and store it securely.