I have a website which supplies data to mobile app.
Is there a way to identify myApp vs a cloned App?
So that I can block access of any cloned App.
On first time APP usage, I generate an APP ID, PASS CODE & Access URL
Where I change the PASS CODE frequently, but how to identify myAPP on the first access so as to be sure that I am issuing APP ID & PASS CODE to my own APP only.
What sort of encryption I can use for the first time access?
You can have a hardcoded key on your app code that only your server knows. Use it to create a hash signature, like md5(concat(key, deviceId)). When the requests arrive to your application server, you can do the same and compare the results. The clonner can't discover this key by sniffing your app requests. The only way to get it is by disassembling it, but it's much harder.
This is a simple suggestion, though. If you want a more sofisticated solution, check for HMAC wiki.
It makes sense passing a token via Push to an application (GCM for Android). Using that code can uniquely identify application, and cloned application could not reach that code.
Related
I have a full application API written in node.js with Express.. Now, the API should be only accessed from my Android application, how can I protect the node app from outside requests?
If I use some kind of a password protection, I'll have to write that password in my android app and since the application is available to everyone, the password can be easily found.. What is the solution to this kind of situations?
Web based security can be a bit tricky sometimes, but if you have an app you could use a token-base approach.
When your application starts, it can request a token from your API, which then must be present in all other requests to your API.
Did a quick search for this kind of thing and came upon this page, which might be worth a look: http://thejackalofjavascript.com/architecting-a-restful-node-js-app/
I read this regarding how to extract code from apk.
I am really confused how does other app ensures security. I have a website. In that I have written all queries in PHP. So There is no way to get my queries unless they compromise my server.
In case of android app, I will have to write all the queries, connection details in Java. So when they can able to get code from APK, they can get my credentials. Isn't?
How does other app work? If I understood wrongly, please help me to understand.
So when they can able to get code from APK, they can get my credentials. Isn't?
Yes. If your app contains secrets and you distribute it to your customer, you customer has the secret.
Whilst you can obscure the secret using obfusctation tools like Proguard, his will be of limited effectiveness again all but the most casual attacker.
How does other app work?
Usually, the client-side app makes a connection to a front-end application on your server. The application server does its own identity management, connects to the database, and performs whatever limited range of operations the application allows for each user.
The application server is typically accessed using some kind of web services. You can re-use your PHP code here; the client app is then effectively just a convenient interface to making HTTP calls against your existing web site.
Android has a feature Pro guard. Pro guard convert all String and Const value into Obfuscated code. It also remove unused files. So by using pro guard, You will get two benefit. First You get your code security. Second, Apk size reduce to 25%.
Save your queries in res/string.xml file and use Proguard. Do not write queries in Java, just use the string in string.xml as query.
I'm trying to add OTP functionality for sign in, in my android app. I'm using node.js for the backend. Now, first I thought about generating random numbers like math.random().
I can easily generate PTPs on my server side and I will store them in my MongoDB datastore then I'll match them when user enter the OTP, but now I came across these prebuild modules for OTP this one Speakeasy https://www.npmjs.com/package/speakeasy.
There are two types of methods HOTP/TOTP. I am asking why would anyone use these two and just not using random numbers.I mean what are the use of HOTP/TOTP? If anybody has designed OTP functionality in any app/website please enlighten me.
UPDATE
What is the general way of OTP authentication on any android device from the server I mean apps like zomato, Airbnb how do they do OTP verification of the user?
These OTPs prove "I am in possession of this device that generates OTPs."
In the broadest sense, it could be a statement involving a device that doesn't even have Internet access. HOTP and TOTP are algorithms that you can use offline. Both the device and the server generate the code independently:
code = f(shared secret, common info)
That shared secret only has to be set up once, e.g. by being baked into a hardware dongle or scanned in a QR code when you set up two-factor authentication. The common info is something that both the server and the dongle can determine each time you log in, e.g. the number of times you've logged in before or the current time and date.
Using an actual random number would require your service to deliver that random number to the device. Which if you're developing for an audience that has smartphones, isn't too wild of an idea. Google's two-factor authentication, for example, supports sending a notification to your phone and you just click a button to allow the login.
One more thing, a practical consideration: using an existing scheme like TOTP makes it easier for anyone trying to reason about how secure the system is. If they already understand TOTP, they can move on to examining other parts of the system you're building.
I created an android app which uses Web Services (I use vb.net for developing it). These web services reside on my Server (I use IIS). If I open the HTTP path, associated to these WS, I can use it freely. But in this way, any other user can use my WS. How can I make it secure?
I would start with a client-authentication certificate. That way, if you don't have the certificate, you don't get in. And use https not http.
The basic way I can think of is setting a "password" or a string from your app, salted and encrypted, in case someone tries to decrypt it directly from the app, and doing a check on the Web service, and run the service only if the password matches.
Anyway if the information you use is sensitive and you want to make it really safe, maybe you will want to consider using HTTPS/SSL to avoid sniffing.
I have an application that needs to create a remote account if the user pays for an application using the Android Market.
How might I do this from the application itself in a secure way, ie. I don't want anyone to be able to submit data to a url and create an account, I want this to happen in a verified way. I thought of including an authentication key in the application itself, but that does not stop someone from decompiling the application and taking out the authorisation key.
Is there a way to query the Android Market payments using PHP?
http://code.google.com/p/android-market-api-php/
Don know if this might be of any help.
I found out how to do it. You need to write a custom java class based off the original Licensing System, in particular the the verify() method. You can then run the command using backquotes in php and grab stdout.
If you would like to use PHP rather than execute a Java process you may find this library on Google Code verifying Android Market licensing responses useful.
It just takes a few lines of PHP to verify a license and the formatting of keys and OpenSSL stuff is taken care of for you.