Handset and Website Authentication - Android

I am making a webapp which will coordinate with an iOS and Android application. There will be two types of accounts. One will be primarily on the website and the other will be primarily on the Android or iOS app. This question may be too broad, but I'm looking for an authentication pattern which will work for this setup and make sure that the right web account is pairing with the right mobile account. Here's what I've got so far and am hoping you can provide some feedback...
When a mobile app is installed, it will reach out to the server with information such as name and phone number to which a UUID will be returned.
If the web account wants to link with a mobile account, the web account must enter the phone number of the mobile app they want to link to. The server then sends a message to the mobile device so that user can confirm the pairing.
Are there drawbacks to basing the account id on a phone number? Is there a better way to do such two factor authentication? Sorry if this is too vague or undirected and thanks for any help!

Phone number is a bad UUID because there is no way to get the phone number reliably, other than asking the user. Also, some devices allow dual SIMs (home and work) and thus would have multiple phone numbers.
A better way is to use the Android device ID. But even that isn't that great: I could write an app that calls your service with whatever ID I want. There's a reason RSA keys use a cryptographic token that changes every minute: it requires you not only to know the ID, but to know what the ID is now. Otherwise you'd just need to have found out the secret ID once and you're in for life.

Related

MQTT Unique Topic Format generation for Mobile Devices

Currently I'm working on an MQTT-based chat application where I need to assign unique topics to users dynamically.
So, I thought of using their IMEI/mobile number. But in iOS we cannot get the IMEI number, so we thought of generating a random IMEI from the backend and assigning it to the users.
Now, my problem is that whenever a user changes his mobile, the IMEI number changes and it will be a fresh profile again for that user.
If I base it on his mobile number, there is a chance that the user doesn't use the SIM for 3 months. The connection automatically terminates from the network provider and the same number will be assigned to another new customer (at least here in India).
Can anyone suggest me a good approach for the topic generation?
BTW, I need a web chat also and that needs to be fetched from the database. That is the only reason I'm focusing on the topic generation. So, I will fetch messages based on his topic and show them in the web chat.
Does anyone know how WhatsApp maintained their topics?
I thought of using their IMEI/mobile number.
Bad design. Have the user create an account (i.e. email) with a password for your service, so that no matter what phone or phone number they have, they can still log in and use your app. And make sure you ENCRYPT the user credentials in your database. Start FIRST by building an app with proper security or else you will be hacked 5 minutes after you launch it.
Does anyone know how WhatsApp maintained their topics?
Just because Zuckerberg copies everyone else doesn't mean you need to copy them. Also, I believe WhatsApp created their own version of an MQTT broker. Hence, it will have an entirely different set of functionality from a regular MQTT broker.

How to restrict users to vote only once without registration in android app?

I am new to android development so I need a little help.
In my app users can vote for posts, but I don't want to make them register because the app is very simple and that would be overkill. I want some other way to restrict users so they vote just once. If the method is not very accurate I don't care. In web development it's usually done using the IP; is it the same for mobile apps?
Appreciate your help very much.
Every mobile device has a unique ID which is called the device ID. You can use the device ID to restrict users, or another option is to get the MAC address of the device. The MAC address is also unique so you can easily use it to restrict users.
You can use an IP, but for mobile users that won't work very well because their IPs are always changing. An easy way to do it would be to generate a GUID in the app and save it somewhere permanent (like the app settings). Then whenever you need to identify the user, just submit that GUID to your web service or whatever you are using. This is an anonymous ID that you can then check against etc.

How can I validate a cell phone number actually belongs to the device?

I am trying to put together a registration process in which one of the pieces of information is the cell phone number. I know that through the iOS SDK I can get the phone number, but Apple will reject the application.
If I have the user enter the phone number, how can I be sure that the user isn't entering some "fake/spoofed" phone number? I want to make sure the number entered belongs to that specific device and be able to pass that phone number to a REST service handling the registration of that device.
I realize open access to the phone number is a privacy issue, but there has to be some way to get the cell number with the user's approval AND validate that the number came from that device.
I will be targeting iOS 6.x+. Not sure which versions of Android yet.
As always, any thoughts or ideas are welcome.
You can send a validation code to the mobile via SMS, so you can prevent spam and fraud. For this you need an SMS gateway provider.
Check Text Anywhere; they provide an API for Java, .NET, etc. (I couldn't link the URL...)
Or Twilio.
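An added example (not code from the original question or answers) of the server side of the pairing confirmation described in the first question and of the SMS validation code suggested here: a code is issued for a pairing request, handed to the SMS or push gateway for delivery, and then checked with an expiry, an attempt budget and single use. The pairing id format and the 6-digit, 5-minute, 3-attempt parameters are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"math/big"
	"time"
)

// pending is all the server keeps per pairing request: the code's hash (never
// the code), its expiry, and how many guesses have been spent.
type pending struct {
	codeHash [32]byte
	expires  time.Time
	attempts int
}

// Store maps a pairing request id (web account + claimed phone) to its record.
type Store map[string]*pending

// Issue draws a random 6-digit code, stores its hash with a 5-minute expiry
// and returns the code for out-of-band delivery (SMS or push) to the phone.
func (s Store) Issue(id string, now time.Time) (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	s[id] = &pending{codeHash: sha256.Sum256([]byte(code)), expires: now.Add(5 * time.Minute)}
	return code, nil
}

// Confirm rejects an unknown id, an expired code or a fourth guess (the attempt
// budget is what defeats online guessing); a match deletes the record, so a code is single-use.
func (s Store) Confirm(id, submitted string, now time.Time) bool {
	p, ok := s[id]
	if !ok || now.After(p.expires) || p.attempts >= 3 {
		delete(s, id)
		return false
	}
	p.attempts++
	h := sha256.Sum256([]byte(submitted))
	if subtle.ConstantTimeCompare(h[:], p.codeHash[:]) != 1 {
		return false
	}
	delete(s, id)
	return true
}
```

The web side calls Issue when the account submits the phone number and Confirm when the phone returns the code; the mobile app never sees anything but the code itself.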

How to get credibility of a messages author in a local p2p network without the use of accounts stored on external servers?

Hello, I am developing an application that will exchange unique groups and messages belonging to them between peers within a local network without any servers. Each of the peers should be able to create a new message and associate it with an existing or new group. Since messages and groups should be unique, I have implemented a hash algorithm creating the ID of those messages from static values like content, date of creation, author and title (messages are not editable). The ID I am using is helping me check the integrity and possible duplicates when the message/group is sent to another device. But since there is no server to store accounts and check the credibility of each of the peers, I can't think of a way to implement a mechanism that will check whether a given message genuinely comes from a specific author. At the moment anyone can publish messages adding a false author name, which is something I want to resolve. How can I do that?
PS. My application might be similar to how Twitter works, but it has no accounts and no main servers to store them. It is developed on Android and it cannot use the internet simply because it is using Wi-Fi to connect to LAN-only routers and I wouldn't want the users to have to use 3G/EDGE.
Possible solutions:
Use the phone's special ID (IMEI), but also how do I get that programmatically and is it really unique?
Use the MAC address of the phone (actually a hashed concatenation of the Bluetooth and Wi-Fi MAC addresses); is that unique per phone?
The problem with this and the above is that the genuine author might change his phone over time.
If the genuine author has logged on with his Google Account previously, is it stored in the phone's memory and can I programmatically get this information in offline mode?
The use of digital certificates to sign messages could also be a solution, although its use may raise some more questions like "Who's the issuer?". Well, it could be an "entity" created by you if the authenticity of the messages is only important inside your own application.
Just something to consider if you haven't already.
I don't think you can do anything about a false name, but in most cases fake names are okay - what you want to protect against is one user posing as another. Digital signatures would be the way to go - ensure that everyone has a randomly-generated secret they can use to sign all their communications.
For mobile-based comms, you could go one step further and get people to certify they know another person, using short-range communications. For example your app could do a Bluetooth exchange with another phone, and that would modify each profile to say "trusted person X certifies they have met untrusted person Y". Since it would require the consent of both parties, if one party is trusted, the other one likely can be too. The short-range comms would ensure that the parties have met (and perhaps are certifying that a person is like their profile picture).
You could also do a similar thing to Gravatar - use a hash of the name and the secret to choose from a wide range of avatars (or, generate a random image using a very long hash). This way, two people posting under the same handle will have very different avatars, and they can easily be told apart by the user community.
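An added example, not code from the question or the answers, of the digital-signature approach the answers suggest: each peer holds an Ed25519 key, the public key stands in for the typed author name, the message ID is a hash over the signed fields (in the spirit of the question's own ID scheme), and any peer verifies both offline with no server. The field names and the canonical encoding are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Message is the unit exchanged between peers. Authorship is bound to an
// Ed25519 public key rather than a typed name, and ID covers every signed field.
type Message struct {
	Group, Title, Content string
	Created               int64             // Unix seconds
	Author                ed25519.PublicKey // the author's identity is the key itself
	ID                    string            // hex SHA-256 of the canonical form
	Signature             []byte
}

// canonical length-prefixes each signed field so "ab"+"c" and "a"+"bc" differ.
func (m *Message) canonical() []byte {
	var b []byte
	for _, f := range []string{m.Group, m.Title, m.Content, fmt.Sprint(m.Created), string(m.Author)} {
		b = append(b, fmt.Sprintf("%d:%s", len(f), f)...)
	}
	return b
}

// Sign sets Author from the private key, then the content ID and the signature.
func (m *Message) Sign(priv ed25519.PrivateKey) {
	m.Author = priv.Public().(ed25519.PublicKey)
	m.ID = fmt.Sprintf("%x", sha256.Sum256(m.canonical()))
	m.Signature = ed25519.Sign(priv, m.canonical())
}

// Verify lets any peer check integrity and authorship offline, with no server.
func (m *Message) Verify() bool {
	if len(m.Author) != ed25519.PublicKeySize {
		return false
	}
	return m.ID == fmt.Sprintf("%x", sha256.Sum256(m.canonical())) &&
		ed25519.Verify(m.Author, m.canonical(), m.Signature)
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader) // the peer's long-lived key, generated once on the device
	m := &Message{Group: "lan-notices", Title: "hello", Content: "first post", Created: 1700000000}
	m.Sign(priv)
	fmt.Printf("id=%s... author=%x verifies=%v\n", m.ID[:16], m.Author[:4], m.Verify())
}
```

A display name can still travel alongside the message, but peers should show it next to the key (or an avatar derived from it, as the Gravatar-style suggestion above proposes) rather than trust it on its own.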

Retrieve IMEI number / SIM number / mobile number via mobile browser

Following is the scenario:
I have a web application accessible via mobile browser.
I need to detect a mobile device's IMEI and SIM IMSI whenever a user clicks on a link in my app page accessible via web browser. This is to track the same device with the same SIM and provide him/her the next level of access. The user cannot be tracked using a login ID as there is no user login kind of option in my page.
The question is how to get a unique device ID/SIM ID via mobile browser for a specific mobile device.
For now I am focusing on Android-based mobile devices. But the target is to make it generic across devices.
The focus of most of the ideas is: what kind of access does a browser have over the phone and its apps?
From a browser link we can open a local app in the following way:
Get Details
here productcateory will uniquely identify a local app and invoke it. But it's one-way communication. How do I get back some response from the point of invocation and populate some hidden form field dynamically?
Via webpage scripts we can store some data locally at the client machine and retrieve it later, but the scope is limited and it is in no way connected to the IMEI or IMSI number.
Is there a way to get a hook to the mobile browser app (remember it's like any other mobile application) from the webpage and get the ID details via scripts in my page?
Is there any option that HTML5 provides in this regard? I know there is a localStorage facility in HTML5 and one can store an ID in the client location and retrieve it later. But this is limited to the same device and the same mobile browser, and also this is a different solution to getting the IMEI/IMSI number.
Let me know if there is any other option without asking the user to install a local app or browser plugin on the device?
~inkriti
For very good reasons it is impossible for the web browser to access the IMEI or IMSI numbers of a mobile phone, without some dastardly hacking that the dev teams hadn't expected.
Also, the Android browser doesn't support plugins.
Your only option is to create a native app. This answer has some info that will be useful to you: Programmatically obtain the phone number of the Android phone. It's not a perfect solution however.
I would also ask why you want access to the user's phone number? If it's just to track a session, just use JavaScript to generate a unique ID and store it in a cookie.
The original issue is probably closed; however, for future reference for anyone (like myself) who comes across this question: something like 2-factor registration with confirmation via text. The closest to getting an IMEI (impossible without native apps) would be to get the user to register and include a text confirmation. The mobile phone number in most cases will be unique, only non-unique when changing devices, and some assumptions can be made from the client side to guess what device they have; you could even go a step further and ask them to identify the make/OS of their device if you were that concerned about uniqueness. However, in most use cases a mobile number confirmation will do the job.
The only reliable way is to write an app and have it send an SMS and then track the number on that end, assuming the subscriber has SMS/text service enabled. This won't work on non-phones (tablets).
It is not important, nor is it necessary and it is probably illegal to track the device (IMEI); simply track the subscriber.
