So I am planning on building a web service that an Android app will connect to. I am trying to come up with a way to secure this web service so it will only be used via the App.
I was thinking of just passing a secret key along with each call I make. But this can easily be compromised with an HTTP sniffer. Then the web service can be used by anyone at that point.
Are there any other ways to make this work?
Thank you!
I don't know that you can FORCE Android only. Whatever method you use can be worked around if they know what it is.
Depending on how the app is written, it should be simple enough to check the User-Agent of the request. Apps that use HttpURLConnection (as recommended by the Android docs) should have a user-agent string that says Android in it.
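The two checks discussed above, side by side, as an added example that is not part of the original posts: the User-Agent test from the answer, and a server-side check that accepts a request only if it carries a fresh timestamp and an HMAC over the method, path, timestamp and body, so the key itself is never sent. `APP_KEY`, the `X-Timestamp` and `X-Signature` header names and all function names are hypothetical; a key shipped inside an app can still be extracted from it, which is the limit the answer describes for any method.

```ruby
require 'openssl'

APP_KEY  = 'constructed-demo-key' # hypothetical shared key, constructed for this example
MAX_SKEW = 300                    # seconds a signed request stays acceptable

# The check from the answer. The header is chosen by the client, so it only
# tells the server what the client claims to be.
def android_user_agent?(headers)
  headers.fetch('User-Agent', '').include?('Android')
end

# Client side: sign method, path, timestamp and body. Only the MAC is transmitted.
def sign(method, path, timestamp, body, key = APP_KEY)
  OpenSSL::HMAC.hexdigest('SHA256', key, [method, path, timestamp, body].join("\n"))
end

# Constant-time comparison, so the check does not reveal how many characters matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Server side: returns :ok or the reason the request was rejected.
def verify_request(method, path, headers, body, now = Time.now.to_i)
  ts = headers['X-Timestamp'].to_s
  return :bad_timestamp unless ts.match?(/\A\d+\z/)
  return :stale if (now - ts.to_i).abs > MAX_SKEW
  expected = sign(method, path, ts, body)
  secure_equal?(expected, headers['X-Signature'].to_s) ? :ok : :bad_signature
end

# Constructed sample request.
NOW    = 1_700_000_000
BODY   = '{"item":42}'
SIGNED = { 'User-Agent'  => 'Dalvik/2.1.0 (Linux; U; Android 13)',
           'X-Timestamp' => NOW.to_s,
           'X-Signature' => sign('POST', '/orders', NOW.to_s, BODY) }

puts verify_request('POST', '/orders', SIGNED, BODY, NOW)
```

The signature keeps the key out of the traffic but does not encrypt the request, so the service still belongs behind HTTPS; replays inside the `MAX_SKEW` window need a server-side nonce store, which is left out here.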
Related
I have a web application developed with RoR, and I was wondering if it was plausible to use it as the backend for an Android application that I would develop in Java or Kotlin?
For example, if the web application's authentication is handled with Devise, can I get the Android application to send the name and password to my web application and have it return the user as JSON?
Absolutely you can.
Usually the Android app would call an API rather than a web page. That is, you don't exchange HTML like a browser does, just the essential JSON. Lots of things work the same as a website. For example, you can use the same authentication mechanism for the API as for the website.
This is a good starting point for RoR to create an API.
https://guides.rubyonrails.org/api_app.html
Here's a starter for Android making a web-service call:
https://developer.android.com/training/volley/simple
That's just a GET, which you might use to get a list of something that's publicly available. It's probably worth understanding the other pages just there, because with web calls it's really easy to do bad things like lock up the UI thread, so it's best to use the example patterns and methods.
I have a web application created with ASP.NET MVC4, and I want to create an Android app based on it. I've done some research, but couldn't choose the best option for me. There are a few questions which I want to ask:
1) Best way for authentication in this situation? What technologies to use and in what way?
2) What is the best way to get data from my ASP.NET MVC app to my Android app (Java)? (keeping in mind that some of that data could be personal)
3) Is it possible to make a route/page accessible only through the mobile app in some similar way, so that if someone managed to access the page from a desktop it wouldn't respond?
4) In what format are authorization tokens, and what technologies do they use, so I can create them and use them in my app environments?
Thanks for the help.
You may need Web API to access MVC 4 in Android. For authentication you may include a passkey.
In order to block access you may block all URLs.
You will authorize the user through the web service.
You may see this, this and this.
I am beginning a project that will have three layers to it: a web front-end, a mobile front-end and WCF back-end. Authentication needs to be done via Active Directory, but both web front-ends will be using forms authentication to grant/reject access to certain areas, and all user control will be handled via groups inside AD. This specifically applies in the WCF side where I would like to be able to utilize the built-in Permission.Demand() functionality.
I have two questions with this. First, does anyone know of any best practice examples for doing this? Specifically in regards to passing the credentials (without the password) to the WCF service so it knows the context under which it is being accessed. Secondly, the future includes creating an Android app (and probably iPhone/Windows Phone versions as well) so I need to make sure the method used will work cross-platform with those.
Set the PrincipalPermissionMode to Custom, write a custom Authorization Policy (http://msdn.microsoft.com/en-us/library/ms729794.aspx) and in the implementation of the Evaluate method do the following:
evaluationContext.Properties["Principal"]=HttpContext.Current.User;
http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/8f424d4f-2f47-4f85-a6b0-00f7e58871f1/
I have a MVC application that I would like to port at least a small part of it to a mobile app (android first). My first objective was to try to figure out how to authenticate the users.
It seems that forms based authentication uses cookies and that is not usable by mobile apps? Definitive confirmation would be appreciated.
But it seemed that you could do some form of authentication using a WCF service to create a token. Now I found a lot of sites that discussed how to create and secure the service end point but none really discussed the token generation.
Then quite by accident I stumbled upon WIF and the usersecuritytoken, which seems to be what I am looking to accomplish.
So if someone could please confirm this is where I need to be looking so I can actually get back to coding rather than reading, I would appreciate it.
The way I see this working is:
Secure WCF service.
Using the System.IdentityModel it generates a token for a valid user and passes it back to the mobile app.
Then the app passes the token along anytime a service requiring privilege is called. For example updating the user's profile.
Is that how it is supposed to work? If not, could you please point me to an example of how it is supposed to work?
One other question: looking at the WIF site, it seems to provide a lot of token types. What is the preferred type for Android and iOS?
UPDATE: As was pointed out, it would be helpful if I provided more context.
The original website is an MVC3 web app.
I am attempting to write an app for some of the backend administration features using MonoTouch.
WCF seems to be a bad solution for cross-platform, and a package called ServiceStack is what I am now leaning towards for my web services. ServiceStack has its own authentication module, but it does not interface with the .NET membership provider, which is an issue since the web app was designed with the membership provider.
I have to be overthinking this. It can't be this complicated to have an Android or iPhone app securely authenticate to a .NET membership provider through some form of web service.
Thank you in advance,
Chris
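The three-step flow outlined in the question above (the service issues a token for a valid user, the app sends it with every privileged call), as an added example that is not from the original post and does not use WIF or System.IdentityModel: a minimal HMAC-signed token with an expiry. `SERVER_KEY`, `issue_token`, `verify_token`, `update_profile` and the profile data are hypothetical, and `issue_token` assumes the membership provider has already accepted the user's credentials.

```ruby
require 'openssl'

SERVER_KEY = 'constructed-server-side-key' # hypothetical; never leaves the server
TOKEN_TTL  = 900                           # token lifetime in seconds
PROFILES   = { 'chris' => { 'email' => 'old@example.test' } } # constructed data

def mac(data)
  OpenSSL::HMAC.hexdigest('SHA256', SERVER_KEY, data)
end

# Constant-time comparison of two strings.
def same?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Step 2: called only after the credentials have been validated elsewhere.
# Token layout: user|expiry|hmac(user|expiry)
def issue_token(user, now = Time.now.to_i)
  raise ArgumentError, 'user name must not contain |' if user.include?('|')
  payload = "#{user}|#{now + TOKEN_TTL}"
  "#{payload}|#{mac(payload)}"
end

# Step 3: run on every privileged call. Returns the user name, or nil when
# the token is malformed, altered or expired.
def verify_token(token, now = Time.now.to_i)
  user, expiry, sig = token.to_s.split('|', 3)
  return nil unless user && expiry && sig
  return nil unless expiry.match?(/\A\d+\z/)
  return nil unless same?(mac("#{user}|#{expiry}"), sig)
  return nil if now >= expiry.to_i
  user
end

# The privileged call named in the question: updating the user's profile.
def update_profile(token, email, now = Time.now.to_i)
  user = verify_token(token, now)
  return :unauthorized unless user
  (PROFILES[user] ||= {})['email'] = email
  :updated
end

puts update_profile(issue_token('chris'), 'new@example.test')
```

The token is signed, not encrypted, so it carries nothing secret and is only safe to send over HTTPS; anyone holding an unexpired token can act as that user.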
Is it possible to implement an Android application as a web service?
On the official site I've read:
Note: If you want to develop a server-side application, we recommend that you implement your application as a servlet running in a servlet engine like Tomcat or full-blown JSEE container like Geronimo. If you prefer to implement a server-side application based on our HttpService, we'll assume that you know what you're doing and that you don't need help in figuring out which interceptors need to be configured.
How can I implement this? Can Apache Tomcat run on Android?
Is it possible to implement an Android application as a web service?
You can create an Android service that will open up some server socket and will listen for HTTP requests. However, Android will eventually kill off that service, either automatically after it is unused or at user request. And, nobody will be able to access the service except on the same WiFi LAN.
IMHO, truly implementing a Web service on Android is pointless.
I think they're saying that you can write a server-side application for an Android user to access, not that you'd run Tomcat on the Android device itself.