Hi I am new in Android and I want know is it possible that you save your dropbox user id and password in constants.Because I don't want the application to ask the user everytime for his password and I need only one account.Is this possible.If yes,then how?
Firstly, The Dropbox API requires the developers to connect to its servers via a sequence of http connections rather than a single connection for security reasons.This way/method of security is known as OAuth.You must have heard the term earlier too.
Secondly, It does not give you any chance to save username and password in your code for security reasons.Rather,the user is prompted to enter his credentials on an authorization page which is remote to the application (i.e hosted # dropbox.com).So it is they who handle the authentication/authorization.What you get as pointers an access token as a return if the user has been successfully logged in (at the page hosted # dropbox.com).
When you have this access token,you do not need the user to provide user name and password again.Instead you just send this access token to the server to confirm to the server that this particular user is already authorized.
Read this page to know the process in detail after marking this as your answer. :smile:
Sorry, I think you can't.
Please see Android Dropbox Sync Api Example with Login ID and Password from Code and How to login into dropbox from my app.
Related
I am currently working on implementing a mobile app for our site that uses Ruby on Rails and Devise. The idea here is, at first, create a mobile login form that on successful login opens a web frame that is authenticated and allows the normal use of the (mobile optimised) site. Theoretically that should be possible.
I am having trouble with the following issues:
How do you get the pure session key for the user session via a json request? What methods can be used to manually generate it from devise, something that the sign_in(:user, user) method does?
Is it even possible to take that key and put it into the browser cookie the way it normally happens in devise, but on the mobile side?
I know that this is not the standard method of making mobile applications for the site, but I believe it should be possible.
You might want to consider using Devise Token Auth and treating your mobile application like just another webapp that requests permission from your main site. DTA is particularly nice since it takes care of managing the session tokens (renewing/expiring) and passing them onto the app requiring access. The issue is overriding your session controllers so that it automatically logs in after you already log in on the mobile app (or just rewriting your log in so it occurs in conjunction with the Rails site, rather than before). Considering you're already using Devise, this may also be more refactoring than you'd like.
If you want to put your authentication form on the mobile UI and pass the credentials over to the web frame, you need a way to pass data from the mobile app to the web frame.
How you accomplish this depends on what platform you're building on. I'm not really a mobile developer so I don't know for certain how difficult / easy these options are:
When opening the web frame, instantiate it with session data
Find a way to call methods on the client from the web frame. Something like getSessionData.
You could generate a fingerprint for the web frame, have the mobile UI send this data to the server, and then have the web frame authenticate with the server by sending the fingerprint.
Again, I'm not entirely sure how possible all these options are.
You should use token authorization and Android deep linking. It will allow you to login in the web browser and send a token to your app via deep linking.
OK, so I decided to make a webframe solution as follows, basically you post the login and password to a certain sign_in method specially designed to generate one-time sign in tokens for the application. You need two methods in the system to do that:
routes.rb
devise_scope :user do
get "sign_in_with_token/:token" => "sessions#sign_in_with_token"
post "get_login_token" => "sessions#get_login_token"
end
sessions_controller.rb (don't forget to add the method that increases the failed_sign_in_count on wrong password, otherwise that can allow brute force attacks)
def get_login_token
user = User.find_by_email(sign_in_params["login"])
password = sign_in_params["password"]
if user and user.valid_password?(password)
token = SecureRandom.hex(16)
user.update_attribute(:authentication_token, token)
render json: {token: token}, status: 200
else
render json: {error: "error"}, status: 403
end
end
and the method to sign in with that token
def sign_in_with_token
#user = User.where(authentication_token: params[:token], email: Base64.decode64(params[:email])).first
if #user
#user.update_attribute(:authentication_token, nil)
sign_in(#user, bypass: true)
end
redirect_to '/' # or user_root_url
end
That way the mobile app will work like this:
use the generic web frame to send ajax requests to the server and get that token for the user email if password is correct.
make a /sign_in_with_token/#{token from ajax}?email=#{base46 encoded email} link inside the app.
open that link inside the web frame and use the app as though you were logged in normally. Now the app can save email and password locally and use that logic to get the token again for another session. Later logging in will also be able to set the app id so that push notifications can be sent.
Appreciate any feedback or criticism on this solution.
I'm developing an application (as a part of team) for android that interacts with server (asp.net web service) for synchronize and update information in client side.
for preventing attack to server we use SSL connection and also authenticate users with soap header message contains username and password.
here is the scenario for synchronization:
users send web service request with header contains : username , password , time of request , and(for preventing man on the middle attack) hash code of all three parameters(username+password+time) as message signature
web service check that :
is this a new message by checking the signature of message stored in server
if this is a new message (and its not duplicated) then check that signature is true by hashing all three parameters(username+password+time)
then check expiration time : is the message new ( in 5 minute ) for expiring old messages
Authenticate username and password
validate datatype and length of parameters ( in this case only time of device's last sync )
response to request
device get the response as xml file
the question :
because of this scenario we have to give user's devices authentication information so they could interact with server in future and also we don't want to get any information like username and password from users ( for user experience purpose! )
so we build a Web Handler Captcha in server and when users are new, we send them a captcha image generated by their device code(it is uid generated by device something like : https://www.server.com?appid=00000000-0000-0000-0000-000000000000 ) and when if user sends the correct captcha to server we add a new user to our database ( auto username and random password ) and save to the android's account manager for future use
in your opinion is this a good approach for authentication and security?
Thank you for tips
Https and a method to get a sessionId is enough security for most apps, anyhow my opinion:
Unless you include a secret within the hashed variables a "man in the middle" can change the parameters and forge a valid hash.
I would recomend a registration method. It's going to take device information as parameter, and the captcha if you will.
It's going to return a deviceId and a deviceSecret. The deviceSecret must not be transmitted again, just used as part of the hashes.
Also consider using a counter instead of time. It can help against replay attacks and it's easier overall.
How can I retrieve all connections of a profile? The user is logged in, I can successfully retrieve the profile with https://api.linkedin.com/v1/people/~?format=json but I don't know how to get all connections of a profile.
solution 1 (does not work!): I've found out, that it could be retrieved with https://api.linkedin.com/v1/people/~/connections?modified=new but that needs, as far as I found out, the r_network scope. But I can't even add this scope to my app as the appended picture shows. And just adding the scope to my request does not work, as I get a "Access to connections denied" response...
Questions:
So how can I retrieve a list of all connections?
how can I add r_network scope to my app?
The r_network scope recently changed to be a LinkedIn partner-only permission. You can apply for access to their partnership program here: https://developer.linkedin.com/partner-programs/apply
I'm thinking about how to solve the next problem:
An Android App which I want to connect to facebook, and to a Server backend(Srv).
Server backend(Srv) which I want to connect to facebook.
The server will run a task that will Get all the Friends of the user(on fb), and the user Statuses(on Fb), and store them on it.
Base assumptions:
I use android as a Mobile device
Server is GAE
Entity key in GAE is the user’s FB-id
User Entity contains:
User fb_id
User verified list(FB_ID String)=> friends of the user that have the app) // maybe use HT?
User statuses list(Status text, date, url)=> whatever I can get from a Status of a user in facebook..
Main questions:
Is the Data representation thought out? can it be better?
How do I handle a situation where two users which are connected to one another add the app at the same time- how can I avoid overlapping?
Should the device Authenticate itself, also with the GAE server?
How to Authenticate GAE with FB
Algorithm:
Android side:
User login and get access token from FB
Posting to my server(Srv) FB Token & myUserFBId // Should I use REST protocol or HTTP
POST?
Server side:
A Servlet handles the POST
{
Query FB ->for the user's friends ids(into friendList = arrayList<FBItem))
foreach FBItem item in friendList
{
//check which FB-ids are in my DB
friendEntity = getKey(item.fb_id)
if(friendEntity != null)
{
// friend exists
verifiedFriendsList.add(item.fb_id) //verifiedFriendsList is ArrayList<String>
friendEntity.getVerifiedFriendList().add(myUserFBId)
}
}
Query FB ->for the user's statuses(into statuses = arrayList<StatusItem))
add new FBEntity(myUserFBId, verifiedFriendsList, statuses) to DB }
Thanks
I have not done anything like this but I think you will need to
Ask user to authenticate your application to use FB- Read about OAuth Api of Facebook
Once your app is authenticated with sufficient permissions you can get users data as per your requirements .
Once you get the data you can process it.
Oauth on FB is what you are searching for..
I'll give you my 4 cents:
The questions that should lead you in developing the DS are: (A) On the
server side, How does the data persist? to a File? to a Database? (B) How much of that data is required to perform the calculations you want done, and how do plan to access it (for example, for an O(n) run, I wouldn't use a HashTable) (C) How does the persist / de-persist work? with an ORM? custom queries?
About concurrency, you'll have to explain what's bugging you. People sign in to SO simultaneously all the time.
3/4. Not an android developer, can't help.
I am writing an Android 2.2 app for my company. The app simply sends http get/put/post requests to perform certain operations. There is no real login procedure as the username and password have to be included in each http request.
I could see that there is AccountManager in Android. But since the username and password (instead of some auth token) are needed for each http request, how can it fit in? Obviously, I want to make it similar to other Android apps so that the user only needs to login once for the very first time and it won't prompt for username/password again when the app is re-launched.
Any suggestion is appreciated. Thanks!
I have developed an application like that, so here is how I solved it, in psuedocode.
But since the username and password
(instead of some auth token) are
needed for each http request, how can
it fit in?
1#: Make a first page, a login page. Let this View include two EditTexts (username and password) and one Button (login button).
2#: Make a login request on the Button click to see if you're getting a correct Cookie with HTTP header names that is corresponding with the values you are getting when you're logged in. Locate valid information via a network tool, like WireShark. For more information about the login procedure, check out my other answer here.
3#: If the username and password resulted in correct Cookie information, save the username and password in a SharedPreferences and make their values available through your application by assigning it into an Application class, read this for more info regarding global variables. If the values were incorrect and you did not get a valid Cookie, show it to the user via a message (Toast?).
4#: When you are trying to reach the authorized information, make a request by using the saved information in the Application class.
5#: Next time you're starting your application, make a check in onCreate() where you are checking if SharedPreferences contains user information, if so: see step 6#, otherwise wait for the user to start entering information.
6#: If the login page has determined user information, assign the SharedPreferences to the global Application state, finish the login Activity and start the authorized Activity instead. This will happen very fast, so the user wouldn't notice that the "login page" was displayed.
7# (extra step): In the authorized Activity, make sure to grab the user information from the Application instance. When doing the first request towards authorized content, validate the task as you did in step #3 in order to control if the user has changed the password on the website. If the user hasn't changed any information, start grabbing the response and you are free to do whatever you want.