I'm working on an android application that allows user to link multiple dropbox accounts (personal, business from one or more accounts).
I'm using Dropbox Core SDK for Android v 1.6.3.
From time to time I'm experiencing the problem when it's not possible to link the second dropbox account if I link the first one through "Use different account" -> chrome login and then try to immediately link the second one through the dropbox app directly (or through web browser again, probably). Dropbox SDK simply never returns auth tokens to my app.
I've made a small investigation on internals of the process and it appears that the problem is current version's of android dropbox application fault.
Basically, I can see that SDK internally generates a random nonce value used to authenticate callbacks from the dropbox app. And this value is somehow gets cached in the dropbox app: when I try to link the second account my app receives valid credentials from the dropbox app but the nonce is not correct - it's the one from the previous link process, so the SDK discards credentials.
I can also see that when I try to link the second account through the "Use different account" the dropbox app fires VIEW intent with wrong nonce value the URL. So seems like this is the dropbox app's fault rather than some system behavior.
The issue is reproducible for me on android 4.4 and 5.0.
Maybe someone from the dropbox team can advise me something? I'm ready to provide additional details if they are required.
Related
We received the message below from FB regarding our Android app. Our app was originally on the PlayStore but is currently not approved / published. We are still using the Play Store link in the field > 'Android: Google Package Name'. Seems Google may have made a change & this link is no longer valid.
While we work on restoring PlayStore approval, the Android app is available as a direct download. We don't know how long this process will take. My question is, does FB support Android APKs that are not listed on the PlayStore? Is there a way to use a different link in the field > 'Android: Google Package Name'? Our Android users have used FB login to create accounts so we really need to keep this feature active. If anyone has any input here that would be great. cheers
Message from FB:
In order to keep our Facebook platform and community safe, we periodically review apps for compliance. We need the following action from you on your app, (), in order to approve your app’s continued operation on our platform.
URL(s) listed on your app dashboard settings could not be accessed for platform compliance review. Kindly make sure that the following field(s) on your app dashboard are working correctly:
Android: Google Package Name
The corresponding URL(s) should return a successful HTTP status code. You can verify this using the Sharing Debugger.
Sharing Debugger: https://developers.facebook.com/tools/debug/sharing/
Compliant response codes: 200-299
Violating response codes: 100-199, 300-399, 400-499, 500-599
Please also allowlist the user agent strings or the IP addresses (more secure) used by the crawler. For detailed instructions, please visit: https://developers.facebook.com/docs/sharing/webmasters/crawler.
For Google Package Name(s) and iPhone Store ID(s), please make sure that these are publicly available.
Kindly apply the requested changes to prevent your app from being restricted on our platform. You can check your app dashboard to verify if the violating fields are now compliant, otherwise you will receive an automated alert as soon as we've detected that the fields are compliant.
Thank you for your cooperation in our continued efforts to keep our platform safe.
I am developing an app to download all the images from Dropbox. I am using Dropbox Core API and have followed this example: Android Dropbox Core API official documentation
I would like to check if there are an account already opened on the device. In this case I want to get this session, otherwise I will build a new session with the Dropbox Core API. Is it that possible?
Thanks!
As noted in the tutorial you linked to, when using the Android Dropbox Core API, you can and should store and re-use the resulting access token for a user after they first authorize the app. (This is typically done using SharedPreferences.)
On later runs of your app, your app should check wherever it stored the token to see if it has one. If it does, it can try to use that.
If you do have an access token, you can construct an AndroidAuthSession, e.g., using this constructor:
https://www.dropboxstatic.com/static/developers/dropbox-android-sdk-1.6.3-docs/com/dropbox/client2/android/AndroidAuthSession.html#AndroidAuthSession(com.dropbox.client2.session.AppKeyPair,%20java.lang.String)
I am writing an app where one user will write a file through this app and share it with other users using a link. Other users will read the file using same mobile app. I am using 'Drive API for Android' to use the offline writing and incremental updates feature so that readers will be able to download only that part of file which is newly added or updated instead of full file download every time.
But unfortunately the file/folder created by this app by one user is not accessible through the same app on other devices. I am using method Drive.DriveApi.fetchDriveId with the folder id and getting following error message.
"Drive item not found, or you are not authorized to access it."
File/folder is accessible on same device with same id, but not accessible on other device, which indicates that second part of error message is the real reason.
With the current scope (Drive.SCOPE_FILE), I was hoping that file will be accessible as it is created by the same app, but it is not working.
So my question is "does Google Drive store device information also while creating files/folders and doesn't allow the same app on different devices to use it?" If not, it must be my mistake in the implementation, which I can debug further.
I had a similar issue but not with an android app but a JavaScript app (should not matter IMO) and I wanted to access a shared file not a folder. However, I guess my workaround could help you as well.
The first approach is using the full auth scope (see https://developers.google.com/drive/web/scopes)
https://www.googleapis.com/auth/drive
But that is not really desired since you should request as few rights as possible from your users. My work-around was therefore as follows:
I used the Drive UI Integration
Goto https://console.developers.google.com/apis/api/drive/drive_sdk
select the "Drive UI Integration" tab
fill out the form, I have used the following:
"Application Name"
The mandatory "Application icons"
activated "Automatically show OAuth 2.0 consent screen when users open my application from Google Drive" and entered my "CLIENT ID"
used a dummy url for "Open Url" (e.g., http://example.com)
provided a default file extension (this way your app will be suggested afterwards when the user opens a file)
save your changes
Add the following scope to your app
https://www.googleapis.com/auth/drive.install
The users will install your app when approving the requested rights
Request your users to open the shared files with your "dummy" app in the google drive folder, which will grant your app access to the file (as stated here: https://developers.google.com/drive/web/scopes -- https://www.googleapis.com/auth/drive.file = Per-file access to files created or opened by the app) -- notice that the user will see an error message when opening your dummy app. You should probably implement an open url with something saying "thank's for granting access to the file xYZ".
your app is now able to access the shared file.
I know, it is not very user-friendly but it works (at least now, might be that this is not intentional)
If you know a way to automatically open a file with an app by invoking some URL, then please let me know. (yet, that would kind of be a security issue in the Google API, so I guess it is not possible).
Since it is somewhat cumbersome, I will propose the following two options to the user (so she/he can decide on her/his own):
Give the app full access and don't be concerned about this issue at the cost of privacy (I am certainly not evil and would not do anything with the files, but might be that someone can hack my app and get access to the accounts and then... well, then the user would have wished to give my app less rights.)
Give only install rights in addition but with the pain to open every single file which the app needs access to. In my case this is relatively rare so it should not really bother the user.
I hope that helps.
Assuming this as a limitation of Drive API for Android, I am switching to Drive REST API. I found the functionality I was looking for in the Drive REST API i.e. incremental updates to the file and resumable downloads. Just that I need to manage some of the things on my own.
In that way, Drive REST API is complete and it can provide all the functionalities whereas Drive API for Android is constrained with lot of limitations. With no answers to my questions, I am assuming that it is not possible to share files with other users through Google Drive using Drive API for Android.
You can add full permissive drive scope -
https://www.googleapis.com/auth/drive
request scope using -
.requestScopes(new Scope("https://www.googleapis.com/auth/drive"))
instead of
.resuestScopes(Drive.SCOPE_FILE)
I'm making a Cordova 4.0 Android app that will be sold in Google Play, and I would like to prevent illegal use of it (for example preventing someone to extract the APK from the system and re-distributing it).
One theoretical way of doing this would be by checking that when the app is launched by the user, he did actually download it from Google Play (versus being it sideloaded). I'm not even sure if this is possible or if there's an alternate way of doing something like this.
One way that works in other cases is to use require some sort of login when accessing the app, but in this case I can't do that. Any advice would be appreciated!
Google offers a way to implement validation / licensing:
http://developer.android.com/google/play/licensing/index.html
Take a look if this is what you need!
One suggestion would be for those apps which are get connected to a server to fetch some data.
App verification token
Generate an encoded 64-bit long token and store on both device & server as well. This will be a unique token per app
Whenever app tries to connect to server, it sends the device token details. Server needs to verify it before fulfilling its request.
On specific events, server can generate a new token for a device.
Same way, device token can be mapped to a user or an app on the server side.
Token could carry some app related information, for instance.
first 4 or 6 digits represent app size
second block of digits could represent user specific or device or some other details
Or another block could hold app contents modification date
In case of any change, server could verify the app size, last app contents modification dates, etc.
Generally it is recommended to uglify, obfuscate and minimize app resources before submission.
You can use the package manager class to determine the source of an app (only google or amazon currently detected)
You can similarly use google analytics which gives same information.
This is pretty neat since Android stores the source of every package, allowing apps to know where they came from, to prevent piracy and sideloading.
Great if you always publish to google or amazon. Useless if you sideload your app.
I am working on an application where I need to use DropBox ,I am using DropBox 1st time ,Using android DropBox API I authenticate successfully , But when I try to change already authenticated user its saying an error as > Invalid User
"Only a limited set of users can receive access tokens while this app is in development mode".
Anyone can guide what's the reason of this error message ?
This message is indicating that your app is in development mode, meaning you can only link the account that registered it:
Dropbox - Core concepts
If you're not ready to apply for production, but need to test with additional users, see here:
Test your apps with up to five users