I want to use Microsoft Azure Storage Android API to upload images made by phone camera.
Here's like to it:
https://github.com/azure/azure-storage-android
Here's my question: Account name and key are stored in string inside app, so anyone could decompile it, get these credentials and then, for example, upload lots of data which would cost me money.
So is it safe to use this on android app?
What are my other options?
You should not store the keys in your application. You're right that somebody could decompile your app and get the keys. Furthermore, if you ever have to change your account key for whatever reasons your users would need to download your application again.
What you should do is make use of Shared Access Signature (SAS) when somebody needs to upload the images. You could use Azure Mobile Service or write your own web service to get SAS (with write permission) on demand and use that in your application to upload images in your storage account.
You are right. If you are shipping the credentials to your Azure storage account in your app, then well, anyone has the credentials and can do anything with it.
Typically you would create an intermediate web service (e.g. hosted on Azure websites) which accesses Azure storage and limit the amount of data each user may upload. The app communicates only with your web service and hence does not need to know about the credentials to the storage account.
Obviously you will need some kind of user management built into your web service, e.g. custom accounts, Google login (most Android users will have a Google account), OpenID, OAuth, ...
Related
Im currently building an app, back-end and front-end and I use Firebase for saving pictures that the users can upload and download, up till now I've been uploading them from the front-end and if the upload is successful then I send the image link with the rest of the data to the back-end, but as Im saving firebase credentials (in order to connect) in the app, now Im questioning if it would be better/safer doing it all in the back-end, sending all the information (image included) and the let back-end upload the image to firebase. I don't how how secured are those credentials being of the app
I usually handle things in the front-end if the Firebase SDK has what I need. The only common reasons not to do this, is when there is a requirement to do them in the back-end. This is only common for operations that: require a lot of memory/CPU/bandwidth, require access to secret information (e.g. an API key for a payment gateway), or where the code itself is secret (e.g. detecting cheats in a game, or malicious messages in a chat app).
In your case for example, uploading directly from the front-end to Cloud Storage is a great reason to use the Firebase SDK. Doing so means that Firebase takes care of the encoding, of retrying, of security, and many other things. If you'd want to introduce your own server in the middle, you'll have to write the (client and server) code to handle all of that yourself.
Note that the keys that Firebase tells you to add to your app through the google-services.json are not credentials, but merely configuration data that the app needs to find your Firebase project on the servers. For more on this, see my answer here: Is it safe to expose Firebase apiKey to the public?
But that said, with the configuration data anybody can call Firebase API methods on your project. So you need to secure access in some way, to prevent other users from coming up with their own code that uses your project.
The common way to do this is by using Firebase Authentication on the client to sign the users of your app in. You'd then use the Firebase security rules to limit who can read/write what files in Cloud Storage.
I am writing an Android application in which users will have personal data (and only personal data). I would like to have some way for them to store it in the cloud without me paying, for example, so that their data is stored in their Google Drive (though not necessarily accessible through Google Drive UI). Is there an easy solution for this?
I had a look at Firebase, but it seems that it has 'common' data storage, which would be associated with a developer's (that is mine) account.
You can use FireBase. It's a great platform to host your app content
https://firebase.google.com/
you could create a database to store the data, but you'll require to keep a server running 24/7 if you don't want to pay for it. Also I don't see the drawback of associating the user data with your account as long as you don't rat out yourself.
I have a app data storage question.
I want to store users game scores centrally where I can access and evaluate later on. So, this is just one way communication with minimal interactivity. App can user send and forget method.
According to this
Storing simple data in android app
I have to use network connection option.
My questions are
1) How do I enable secure communication between the app and this storage (to avoid some one sending fake requests)
2) What are the best storage or DB services (File in Google drive)
You can use Google Cloud Storage Client library to upload the file into Google Cloud Storage. By that it will support resumable upload automatically in case the file size is large. Otherwise you can also use Drive API Client library to upload the file into drive from your App. I think you want to upload user specific score into the storage or drive. In that case, you need to use OAuth2 to authenticate your application on behalf of user to store the data. By that you can prevent fake request because you are only allowing specific users who are playing the games.
I am developing an app for Android. I need a datastore so user can upload and download images via the app. It's possible to let every user upload images via Dropbox-android-api on my dropbox storage/account? So what I want is to let user upload images on my Dropbox account without having a dropbox account of them self. Is that possible? The example apps of the dropbox-android-api uses user-registration to upload files. So they need to have a DropBox-Account. I only want to use it as a datastore.
If this is not possible, what is the best way to store images in the cloud and which are the best provider for that with less costs.
Thank you very much.
The Dropbox API is intended to be used by apps to the extent that each user interacts with their own account, but it would be technically possible to interact with one predefined account. The basic idea would be to embed an access token authorized for your account in the app, and the always re-use that. This isn't recommended though, and is generally not a good idea, due to some technical and security issues. (For example, anyone could extract the access token and do whatever they want to the contents of the account.)
I have an android application and it has a trial version. I want to store users' imei numbers and installation dates on serverside and than check everytime when user uses this app to know if trial version is expired. Since i am not experienced on server side programming i was hoping this kind of cloud service would solve my problem. Before i jump into it i would like to be sure if simpleDB is suitable service for me and if not could you suggest another solution ?
The primary issue is securely storing the access credentials. To access the SimpleDB service without an intermediate server, you'll need to store the access credentials in your Android app. These are accessible with very little skill (text editor?) and could potentially allow unauthorised access to you Amazon Web Services account.
For a while there have been some options for creating extra credentials with varying access levels (eg. read-only) but I've yet to explore this myself.
UPDATE
Amazon have updated their Android libraries with improved credential management. This answer for anonymous, read-only access describes in more detail how to use AWS Identity & Access Management.