I want my web server to accept requests that originate only from my mobile app.
Since mobile apps are client apps that means that users can have the binary and decompile it or use a tool like Fiddler to interpret the API calls and reconstruct them (ex: in a console app).
So what I want is a way of generating a key that is bound to my app and the user's device.
The app is deployed in Windows Phone7, iPhone and Android. A cross platform solution would be ideal but something that works only in one platform is also more than acceptable.
Thanks!
Considering that you are deploying an application to a client, the actual answer here is 'not possible'. You can make it difficult for someone to fake an 'official id', but because you do not have control over the system that is making the requests, it could be your application or anything else pretending to be your application.
Related
I am developing an Android app that uses Google Cloud Endpoints on Google App Engine (in Python) for its backend. The Android app authorizes the user using Google Play Services on the Android device, and it all works fantastically.
However, now that I have actual users, I'd like to be able to test this all locally before deploying any app engine API changes to production, and I haven't figured out how to have the Android app talk to my local development server anywhere. The testing recommendations suggest that I just do some manual tinkering with API Explorer, but as I'm using the Endpoints Proto Datastore for my API, which makes the Android development easy, it also makes the API Explorer basically useless, since the calls I need to make are far more complicated than what I can generate by hand.
One answer to this question suggests that there is a way to point the Android client at the local server, but while I can use the --host argument to have the dev_appserver's default server listen on something other than localhost, I can't seem to find a way to do the same for the API server. And even if I could do that, it might only be the first step to a full end-to-end local testing setup for my Android app.
Can someone post more details on how I might do this, or short of that, please enlighten me on the best practices for testing Android apps that use Google Cloud Endpoints on App Engine? Thanks in advance for any answers.
Alright, finally got it working, thanks for the tips, Dan! Here are the remaining details that would have saved me a few hours - hopefully this is helpful to someone else.
1) As I expected and mentioned earlier, dev_appserver.py needs to be run with --host=0.0.0.0 so that it can listen on the local network.
2) In order to properly parse the ID token to make the user authentication work, you need to have the PyCrypto library installed - it is not installed by default, so just having it in your app.yaml isn't enough. I found the binaries for Windows here.
3) Then, in my generated Tictactoe.java-equivalent class, I had to change the DEFAULT_ROOT_URL to be http://<my-local-machine>:8080/_ah/api/ (which is where my local machine is running), so that requests went to the local network. Alternatively (and perhaps less invasively), you can use builder.setRootUrl to the same address from wherever you initialize your builder. This way you don't muck with your generated classes.
4) I also had to make the change Dan mentioned described here.
After doing those four things, everything seems to be working now and I can test my app locally - hooray!
In the local environment, the dev_appserver is the API server. If you've configured it so that it's accessible from machines other than localhost (i.e. another machine/device on the network) API requests should be accessible as well.
However, there's currently an issue with the local server and gzipped requests. Until that's fixed you'll need to disable gzipping within the client library in your Android app (see this post).
I worked on MDM in Android, and used the API's to lock, wipe etc when I receive a C2DM push message from the server.
When I was trying to explore more on the iOS part of it, I was a bit confused. I got a feeling that, we don't need to code a agent for the MDM to work on iPhone.
So is it completely managed from the server? Or do I have to have an agent application too?
If yes, can you help me with a sample of the agent programming?
Thanks.
For complete MDM control of the iPhone, you either need to look at profile management as sent out from Mac OS X Lion Server (they added this into this OS version) or a third-party solution (MobileIron, Tarmac, etc). There is some good background, slightly dated information here too: How to configure/install MDM server for iPhone and iPad
EDIT
There is no need of a separate agent application - it's handled by iOS itself.
If you not using Lion Server,you can implement your own MDM sever and for that you need iOS Enterprise developer account.
To implement MDM Server follow these as below.
This pdf
https://media.blackhat.com/bh-us-11/Schuetz/BH_US_11_Schuetz_InsideAppleMDM_WP.pdf is very much helpful.
server url should start with "https" only and that url should exit and these details you have to provide while generating mobileconfig profile using IPCU.
This page also you can to refer:http://www.softhinker.com/in-the-news/iosmdmvendorcsrsigning and then verify few thingsas remove the passphrase from customerPrivateKey.pem using this command
openssl rsa -in customerPrivateKey.pem -out PlainKey.pem
Then merge your APNS certificate (for example CustomerCompanyName.pem) downloaded from the portal https://identity.apple.com/pushcert/ using this command
cat CustomerCompanyName.pem PlainKey.pem > PlainCert.pem
Now this PlainCert.pem file can be used in your server as APNS/MDM certificate.
Answer-
Guys yes. I'm sure most of you have had this question. With experience after developing MDM on iOS too, we don't need a client to be coded separately in iOS. iOS takes care of it completely.
So you may need the client only for the purpose of pointing out a link to the server having the configuration profile (so you can actually keep a record of who and how many installed the application using a key or an ID in the URL), and if you have to manage things which aren't provided by MDM, like location updates, etc.
We have mobile applications on iPhone and Android (and soon to be released Blackberry). The app functionality is the same - we just support several different devices. The app communicates with a back-end web service to receive data.
Now, in the web application, is there any way to easily determine what type of device is connecting to it? Here's what I have available:
serial number (or unique ID) of the device (note that in android simulator it's always 000000000000 and in iphone simulator the format is totally different from actual iphone)
in iphone app, connections are made using NSMutableUrlRequest / NSURLConnection, in Android connections are made using org.apache.http.client.HttpClient
The server web app is written in PHP.
I am willing to settle for a "best-guess" approximation: if I'm right 95% of the time, it's good enough for my purpose.
I'm not sure about any of the blackberry stuff, because that app is still not ready.
Any ideas/help are greatly appreciated. Many thanks.
You could look at the user agent that is hitting the HTTP API and sniff that. That'll work at least 95% of the time. iOS apps will have something like CFNetwork/xxx.xx.x in them. For Android / Blackberry just try it out and see what they are. Alternatively change your app to set the user agent yourself so you will know exactly what version of your app, etc is hitting the API.
Been researching it for a couple of days, and it seems quite impossible (though highly desired).
I'm Looking for a way to anonymously identify users on our website as they later on run our mobile apps (both iphone and android, actually). At the very basic level, I'd simply generate a UID when someone visits our site, plant a cookie on their device, and then retrieve it later when our app is run. This simple implementation seems to be impossible, because the apps don't get access to the same cookie-base as the browsers (which makes sense, privacy-wise).
Also thought about using HTML5 for this purpose, which doesn't seem to provide any solution.
I Tried going the other way around and using the device id as identifier. However, seems like device id won't be available to the web server when someone visits our site.
There seems to be a perfect disconnect between data accessible from the browser, and accessible from the device itself in native apps.
Has anyone ever found a solution for this scenario?
As of my experience what you seek is almost impossible to achieve for a third party developer.
As you mention, the web browser - by default - doesn't have file-system access from the javascript context (which is where your web app will most likely run) and the cookies infrastructure isn't exposed to the application context.
What you could do is to write a plugin to the browser which might enable this one way or another. But then there is the technicality that the browsers on mobile devices usually don't support plugins and even if they did; you can't force your web app users to install the plugin :-(
Yet another, and if possible even more unlikely solution would be to try to influence the device browser project (WebKit or whatever project you wish to target) community to implement the functionality for you (good luck) :-)
A third solution and perhaps even the ethically more correct one would be to allow the user to identify him/her self optionally when using your device client application. Your client iPhone/Android application would then have a "Identify me as a client user"-button. This would of course require you to allow the user to choose a key (an e-mail address?) of his/her own when entering the web app. You'd likely need to store the key on the web server opposed to the client browser cookies.
Hope this gives you some further ideas.
Cheers
Here are some things I think would work (untested):
You can check if the user has a google account login in the browser and on the phone.
Another way would be to have them log in in both apps
Register a special url-handler which opens your android-app with an user-identifier which gets called by the webapp (see this question)
Edit: I over-read the IPhone part - #1 and #3 those answers are Android only (I think).
I'm writing an Android app that communicates via HTTPS with a server application. On the server side, I have to be absolutely sure about the Android app's integrity. This means that the server app needs to be sure that it's communicating with the Android app that I developed and not with a re-written one (e.g. after decompiling the original app or after having rooted the device).
Is there a possibility to ensure that? Maybe there is a possibility with the signature of the apk file?
Any hint is appreciated.
Regards,
Peter
You are trying to address a known problem:
You can never trust an application on an open device (mobile phone, desktop computer). In order to trust it, it should be tamper proof. An example of such device is a SmartCard. Mobile devices are certainly not it.
You should never send data to device that user is not supposed to see. The implication of this is that all business logic must be done on the server.
All requests to the server should be authenticated with user's credentials (username/password) and made via a secure protocol (HTTPS/SSL).
No way. Whatever is in user's hands, is not yours anymore. Even if you somehow manage to transfer the APK to the server for validation, nothing prevents the hacked program send an original copy to the server.
In order to validate that your software is running, the client devices need to be able to provide remote attestation services, which is one of many piles of acronyms in the TPM world. I found that someone has been working on providing TPM services, including IBM's IMA, which is almost good enough for what you want.
Details here: http://www.vogue-project.de/cms/upload/vogueSoftware/Manual.pdf (Google Quickview).
Of course, this is emulating the TPM, and requires patching the Android kernel. But perhaps one of the various manufacturers would be willing to build a model with the TPM hardware included for you?