I have a client/server application where the clients are Android apps and the server is deployed on Amazon AWS. They communicate through REST over HTTPS to keep communication private. The server sits at https ://server.example.com and uses an SSL certificate that I created and signed myself. The client was written to check for this cert and to only communicate with a server using it.
Things generally work very well and we have thousands of users all over the world. However, sometimes I find that the client is unable to talk to the server. I can find this out because I've included a mobile analytics library that logs things like this and reports them.
When communication fails it's either because of a timeout at the client, or an error such as "Unable to resolve host server.example.com".
I believe that communication is failing because of one of the following:
The Android device is not connected to the internet
A firewall or something similar is blocking the communication
Why could we be blocked? Perhaps because we're using SSL. Perhaps we're not on someone's White List. I highly doubt we're on any Black List.
Any ideas on how to proceed? Can I somehow determine why communication cannot get through (I obviously don't have access to my user's devices). Is there something I can do to have more of the clint/server communication be successful?
Why not implement a network status checker to log network. Both timeout and unable to resolve host seem to be most probably come from losing connection.
Related
I am setting up a WPA2 Enterprise-secured Wifi for my company. I set up a RADIUS server (FreeRadius) which talks to our Azure AD for authenticating our users. Because of the nature of the connection (RADIUS<-> AzureAD), EAP-TTLS is the only protocol that can be used.
Since EAP-TTLS does server validation via server certificate, but the client-side does not have to be validated via client certs, that makes it easy to deploy to employees connecting to our WiFi since I don't have to deploy client certs to all the client devices.
Problem is I don't understand the exact process of connecting the clients.
Example #1: When connecting an iOS device to the WiFi, I get the dummy CA and server certificates shown on my screen that were generated on my RADIUS server. I can choose to either trust them or not. This way server validation is done, which makes the connection secure and makes complete sense to me.
Example #2: When connecting an Android device, I don't get this prompt with the CA and server certificates. What I get is an option to either:
Select a CA cert -> This means I have to deploy the RADIUS-generated CA cert to EVERY client device. This does not make sense to me because in the end it's like I am deploying client certificates to devices which complicates the setup a lot and negates the main advantage of EAP-TTLS.
Don't validate -> This means that the device just connect to the network without validating the server at all. This way, I can connect to the WiFi too but that is not acceptable since the client does not verify the server at all which makes the network not secure.
Use system certificates -> Selecting this prompts the user to enter a domain. I suppose this option uses the already pre-installed CAs Android has by default, but I am not sure what to make of it. What domain is the device asking for? I can't connect this way if I enter my company's domain, the RADIUS server says that the client has an unknown CA cert. Makes sense since the device is not using it's generated CA cert.
All in all, I understand the way iOS does the connection and in my mind that is how EAP-TTLS is supposed to work, with server validation and all. Android makes things very confusing, since it is making me install the CA on the device manually instead of just getting it via the started connection (like iOS does).
Can someone point what I am missing here? Am I wrong in some assumptions or is this just an Android technicality that is supposed to work this way? What would be the easiest setup solution in this case?
Thanks in advance!
We have built an Android app which uses Firebase for user authentication. Our (large enterprise) client is planning to deploy it behind their firewall. During initial testing, the authentication stage fails whenever we are using their network. It does work on an open network.
I am trying to find out what firewall configuration is needed to use the firebase authentication API, but I cannot find anything in the docs. I know that the firewall allows port 80 and 443 for outgoing connections. I am assuming that no specific IPs are blacklisted. Ports 5228-5230 (which would be required for FCM) are not opened yet, as we are currently not using push notifications. I am wondering if this is the issue. However, all references I can find (usually inofficial ones on stackoverflow) insist that the firebase authentification happens via https and only 443 should be needed.
Is anyone able to verify this and perhaps provide the documentation which details this?
My android app sends a GET request with some access parameters to a server. The server responds with a json file. Is there a way for me to get that json file in that moment when it delivered?
This question was asked because someone can sniff the network traffic of my app and I want to eliminate that.
No, you cannot sniff through other apps' network calls otherwise it is considered as a security breach in OS which is nearly impossible with normal access
As stated in #Pavneet_Singh's answer, applications can't read traffic generated by other applications, unless it's a VPN application, which can read all traffic passing through. The user needs to explicitly accept this. There are examples of network analyzer apps which function like this.
This question was asked because my app someone sniffs, and I don't know, is there a way to eliminate that.
It sounds like you're worried somone is analyzing the network traffic of your app. Anyone can use a proxy server to analyze the network traffic passing through it, for example using WireShark or Fiddler. If you do not want this, you can use HTTPS to encrypt your network traffic, and certificate pinning to only make requests when the server has been verified. HTTPS without certificate pinning isn't enough to prevent others from reading traffic sent by your application.
I have a nodejs v0.10 server with socket.io (v0.9.16) running on Openshift, for the past 2 months it has no problem receiving data from my Android apps connecting to the server using AndroidAsync (https://github.com/koush/AndroidAsync). Suddenly after Openshift upgrade its service on 25th Feb the Android app fail to connect to the server. Every time the app tries to connect the server, the server will output an error, I run Socket.IO in debug mode and this appear (debug: destroying non-socket.io upgrade).
Funny thing is, the same server also host my web client running the same socket.io library, and it has no problem whatsoever with the web client. Can someone please point me to the right direction? I am connecting to the server with http://www.xxxxxx.com:8000/ where 8000 is the websocket port given by Openshift.
I read that "destroying non-socket.io upgrade" might due to invalid/incompatible socket.io js file, I tried to do a manual check on the socket.io file by typing this in my browser
http://www.xxxxxx.com:8000/socket.io/1/
I got this return code:
An-vI1BJofr45j9c_GmH:60:60:websocket,htmlfile,xhr-polling,jsonp-polling
PS: My Android code hasn't been changed, and so is my server code.
PPS: I have successfully connect in localhost environment and my own server. So the problem is most probably originated from Openshift, not sure what have been updated to break it.
All of a sudden it works again without any code changes. I would however recommended anyone using my approach of connecting to backend server to have a http push backup just incase any future server updates breaks it again.
Would appreciate if anyone from Openshift can help clarify this to prevent sudden death on running production apps. Thanks.
Make sure to check OpenShift Online's system status page to see if your apps have been impacted by a system outage. (fyi: we run on top of AWS)
I would definitely consider using one of OpenShift Online's paid hosting plans for production quality applications. Apps that are created using paid plans go onto a separate array of machines (more resources), and are configured to be more highly-available (no sleeping due to inactivity).
Hope this helps answer your question. Please close if so.
I am building a mobile device that needs to send realtime information to other devices. I have considered XMPP but I do not have a server, so the communication must be only between the devices.
Is there a way to communicate using XMPP between mobile devices without a server (Or using the mobile devices as servers)?
Is Sockets a good idea ? i.e. Having a ServerSocket and client Socket and communicating this way.
Is there a smarter way? I have heard of jWebSocket but I dont really know how it works or if it's worth it.
EDIT
The process is as follows:
I'm using Parse as a server/backend http://parse.com
When the user runs the app, a user list is retrieved from the parse server
The user then has (Could have) the ip of other clients and then attempt to communicate with them.
Problems
1. Parse does not support a XMPP server or other type of servers
You might look at using an IRC client library like http://jerklib.wikia.com/wiki/JerkLib_Wiki. This way you can use a public IRC server to communicate with your other devices...
I've not used it, but I did bookmark it for further reading because I thought it a novel concept ...
I hope it helps...