I want to connect a Android client to WCF Webservice. There are several good guides describing how to do this but the https concept is really blurry for me. Here is what i want:
1) A selfhosted WebService communicating over https with an authenticated client.
The user database resides on a SQL Server.
The Service must be a "simple install" for any user to carry out.
The user will install the service on his/her PC and then download the client from google play configuring it using ipadress only.
Problem: it seems impossible to carry out this using WCF cause wshttp looks like having the need to install a certificate on the mashine.
A possible way forward would be generating a selfsigned cert during install but how can i then in a userfriendly manner get the cert to an android client?
2) A Android app published on Google Play which is able to communicate with the service. Data sent to the service will be both simple datatypes (string and integer data) but also large binaries 3-25Mb.
The user installing the service has no more the knowledge than his ip adress and must not be bothered with any certificate issues or other technical details. One option might be using message instead of transport security but my knowledge is very limited in this area.
Information passed between server and client is of personal caracter and may contain passwords including matching sites where passwords are used, personal info, calendar events etc. It will not contain money transfer orders, credit card numbers or account numbers.
The core functionallity of both server and client are more or less already implemented. I now need to secure communication between client and server.
Any recommendation for a good approach to develop this will be grately appreciated!
The way in which i want to deploy the server service to end users makes it hard to use WCF with ssl.
other options create other problems. i have now abandoned WCF for this specific project in favor to Good old socket programming using Bouncy Castle, SslSocket and a custom protocol. It may me overkill but gives me full control over both authentication certificate management and the data being sent.
Im using ssl with a selfsigned cert and override the cert validation method in android verifying all data in the cert manually except relolving the host name... enough for me since i use a pre shared key to encrypt and decrypt data.
Thanks for all help
Related
I have the application. I know all urls, parameters, http-request types, etc (this is my application).
How can I intercept all requests from the application?
For example:
I pressed a button and can see the text of requests to the server.
Task:
to hide requests from potential hackers and prevent him to perform requests on behalf of the application.
You can see your requests with a Packet Sniffer. If you are developing and testing on an emulator something like Wireshark, Fiddler, etc would work. If you are developing and testing on a specific Android device, then try using apps like Packet Sniffer which will capture the requests going through.
If you want to secure the requests from hackers then consider encrypting your requests. To start with, use SSL (HTTPS) encryption on your server, to prevent people from eavesdropping on the same network. To set this up, it will depend on what server technology you are using (e.g. Apache, Nginx, etc). However, there are many solutions but a popular one is LetsEncrypt.
Next, if you don't want people to understand the requests your app is sending to / from their device, then consider adding another layer of encryption on the request payload itself. Algorithms such as AES256 bit encryption will work and be secure enough, have a look here: Android AES 256-bit Encrypt data
Always hash any passwords you are sending / storing too, using algorithms like MD5, SHA256, etc.
No one can see that http request without source code .
If you upload your app in play store they have just apk . From that they cant do anything.Now a days google provides more security for applications.Because you are already generated singed Apk.
On my server, I need to ensure that I receive connections only from android devices.
Is it possible? To store client cert for this in custom android assembling that is resistant to rooting ? Or I can hide absolutely nothing on rooted device? And can not avoid rooting by any means(for ex providing my own android assembled firmware)? Cause even if I set program root checking - the app can be rebuilt by 3d party to avoid this check. Any usefull ideas appreciated. Thx in advance.
1) OAuth2 is authentication and authorization protocol which is broadly used by largest and even smaller companies. Think of Facebook API. If a user is not authentication nor authorized to make that call, you can drop the inbound request. That's one method.
2) Second method would be to add your own user agent to your HTTP header and other custom HTTP headers. If your server checks on these headers, then you can drop the inbound requests.
You don't have to store the SSL certificate on the client as the client would initiate a secure connection with the server that has the SSL certificate.
Anyhow, using a certificate client side could be okay to encrypt data but I don't believe Android Java has support for that. Correct me if I'm wrong. If you do happen to encrypt data with that key, you could encrypt a certain String or bytes that you can parse into one of your custom HTTP headers but if someone finds out what the encrypted String would be, he/she can still fake a connection. However I do not recommend to store your SSL certificate on the client's device.
Regardless of what you might do, there's always a way to fake a HTTP/HTTPS connection like it's coming from an Android device but you can narrow down the incoming HTTPS requests using these two methods and make it much harder. An example would be Pokémon GO. There are plenty of unofficial APIs on GitHub who can fake a connection like it's coming from the official app.
I have an HTTPS WebService that need to be accessed from a Mobile (iPhone or Android) application. both are developed by me.
The mobile phone needs to send its location to our server every few minutes - I need to secure this data.
In all my mobile apps that I developed till now i wrote webservices on client side and on the data layer and thats it...but I now understand that it is not safe.
My questions are:
1.Is there more secure alternative to using web services for location transfer?
2.How can I secure the data transfered via WS?
Consider to encrypt this data with an asymmetric encryption algorithm like RSA. It is not hard on Android but could be very tricky on iOS.
The important thing is to store only public key on the device. Do not store private key in any form on the device. On iOS you can store a certificate and encrypt your data with the public key in the certificate.
Hope it helps..
If you use HTTPS data in transit is automatically encrypted. Do not try to invent your own encryption using raw RSA or random code you find on SO/forums. Just setup SSL on your server and be done with it.
I am building an app that creates a http connection between Android and a specific Server. I transfer data using JSON and all is going well, but now I am trying to secure the connection, by which I mean I don't want a third party to view the data being uploaded. The Server doesn't use SSL certificates and so I am currently thinking of how to implement a secure connection. So far I have two ideas:
Create a self-signed certificate and put it on the server file system. Problem with htis is that the Server owner doesn't want me poking around his system. I'd rather not get into a debate with him about it
Use Jsch (or other) SSH library to create a secure connection. Problem with thisis, I have never used SSH before.
What do you recommend? Is there another option?
Get them to setup SSL on the server and be done with it. Since the server has to decrypt the data, you need to do something on the server, whether that is installing a key and certificate or modifying the web app to decrypt your data. Using SSL is by far the best option. SSH can be tricky, and they might be less likely to allow SSH connections from mobile devices than regular HTTP(S).
What is the best solution to secure a REST service provider (assume a java servlet running on google appengine) by allowing requests only from iOS or Android device from a specific app?
Assume I have a servlet running on google appengine that does some processing and responds to a GET request with some JSON data. And I want to restrict this access to my app that runs on Android and iOS.
My current solutions are:
Use if(tokenValue ==
request.getHeader(tokenKey)) on the
appengine servlet. And
response.addHeader(tokenKey,
tokenValue) on the mobile apps'
code. So basically only my app would
know the token key.
Use HTTP(s) for the above solution, appengine supports this
Use oAuth - but I need to have the user sign-on to some oAuth provider from the app, which complicates the app
Suggest other useful approaches to tackle this problem. Assume this servlet only serves GET requests and maybe use Restlet or Jackson
Only 3 would be an appropriate solution if security is important to you. This is because anyone using the application can intercept the traffic and just replay the values against your web service. SSL offers some protection but a good attacker can work out how to capture data if they control the device. With OAuth the damage done by an attacker is limited to a single user (as long as they are not an app admin).
How about using a client SSL certificate? I haven't tried this, but I'm considering it. Here's a page that describes the approach, with some sample code:
http://blog.crazybob.org/2010/02/android-trusting-ssl-certificates.html