I'm devepling and android application that should connect to an application server.
What I'm asking about is, should I write the url of this application server statically inside the code or is there a way provided by android to dynamically change the url if needed ??
Taking into consideration that once the app is uploaded on play store, the application server should reserve the address and never change so as not to affect the android app.
I'm just asking about best practices in those situations.
Thanks all :)
Although that would be nice, it might not be worth the hassle. I think it's fine to code in the URLs as they are currently. If for some reason you change the endpoint, try and make it so you send an error saying that the user needs to update the app (and release a new version with the updated URLs). It's also a nice way of indirectly getting your users to update to the latest version so you don't have many to maintain!
Also, if your server moves, it's still not a problem, since you'll still be using the same domain name to point to your server!
(This is assuming that it's still the same domain name, and it's just the endpoint changing, and you don't need to reuse the previous endpoint for something else. Yeah, quite a few assumptions :) )
It is best to consider that your server will be relocated in the future, because you never know. Unless you are willing to upgrade your application anytime it happens, dynamic configuration is the best approach.
You can write the URL of the redirect server in the code, and have that server redirect to different URLs as required. The redirect "server" in its simplest form can be just a text file stored on your company's website, for example.
Related
Hi and thanks for any suggestion,
I have done my homework and tried to find an answer on SO and around, but so far I have been unable to find a solution.
I am trying to build some kind of FileManager to allow user to upload files on websites (any website, for example add an attachment to a mail in yahoo mail...)
Therefore my application registers a filter so that when the browser requests a file to upload the app opens up and provide the file to the requester (the web browser).
My question is:
is there a way for me to retrieve the url of the website to which the file is uploaded ?
I'm not sure I understood your question currently. my answer is relevant with the assumption: you want to have a direct download url to the file that been uploaded, and you wish to use this url in some point in the future to download that file...
I am afraid there is really no way getting such information.
there are many obstacles in the way of getting url to the file that been uploaded:
there is no any system broadcast / event that been sent in this scansion
even if the upload process was managed and initiated from you own application with you own WebView - the website you uploading to not necessarily provide you information of what is the url of the uploaded file. I know for sure that companies like yahoo not provide you this url.
if that's not enough - there is no necessarily such url at all!
the fact is that the server you uploading to is not necasserly doing anything with the uploaded file, or just not exposing him to public access with url.
from the reasons I mentioned, developing app as you which can be done only with servers providing their own API for upload files, and returns you the url as respond.
of-course each server has it own API (if at all) and you should speak with each one of the servers you'd like to support with it own language. sort of mission impossible if you want to support most of the big sites...
I had similar problem as to how can I get the URL where my file is uploaded. The answer is simple and lies in your Android code.
For uploading a file to some place, you need to know URL of the server/website.
So lets say you are uploading a file to
www.yoursite.com/appdatafolder/
For uploading to the file to the given address, you have to have a php script file sitting there, which will communicate with your android code for uploading the data.
Lets consider the address is:
www.yoursite.com/appdatafolder/upload.php
Now it depends on your code on how did you wrote your php script, in my case, I also send the name of the file to upload.php file, you can ignore it if you want or your script follows some other algo.
Lets say you want to upload importantfile.txt, so the url for uploading the file becomes
www.yoursite.com/appdatafolder/upload.php?filename="importantfile.txt"
The address you need to provide to the user in order to download the file becomes:
www.yoursite.com/appdatafolder/importantfile.txt
Now what you can do is save this address in a local database on your phone and use it whenever the user wants to download the file.
If you are afraid of securing the files which can be accessed/downloaded
www.yoursite.com/appdatafolder/
you can use htaccess. There are alot of other security mechanisms out there for securing data on the server from hacking. htaccess is simplest example.
So this is the easiest and hassel free way of solving your problem.
If you want, I can provide the php script I used.
Hope this helps.
If their is no secure layer on the web site, data sniffing by the app could be a kind of solution. you'll also probably need to deal with content encoding like gzip.
You'll need to filter the result's. It is easy to do: You just need to look at the application level in the OSI model.
Then you can apply a second filter if you know the ip address or the hostname of the concerned site.
There is even one more filter if you know the request method. But most it is get or post most of the time.
Have you looked at this question: Android file chooser? It has great example code as well as a link to a GitHub project (aFileChooser).
I just can't get my head straight about this one. I'm currently building a rather large-scale application on Android. I've run in to a couple of problems regarding security and authentication though...
The Scenario:
I have an application that's making calls through HTTP (will implement SSL later) to a server running PHP and MySQL. Of course i want to use the existing user-database, so migration to another DB is not a solution..
I've managed to create the "register users via Android to the server"-functionality.
I've also made a working login, BUT this is where the problems start.
As users in the Android application I'am working on adds, edits, deletes and sync stuff on the server via/to the application, things get rather complicated. A little too complicated for me it seems :)
Problems:
As I get the result from my server-side login and pass it from the
server to Android via JSON, the connection dies and server-side I
'aint logged-on (sessions dies) whereas on the phone I'am. How can I
make the log-on persistent both on the server and in Android without
the need to log-on again? So that subsequent calls from Android to
the server is made with the same user, still authenticated. I.e. I
want sort of a one-time login ('till I logout) like in the
Spotify-app (and many others).
If I've understood things right, implementing SSL correct makes it
possible to send passwords in clear text to the server without the need to hash them first. Is this correct?
I just can't stop thinking about the fact that a MIM-attack would compromise any unique id I send from Android to the server. My first thought was to have the UID on the Android device as a "key" to the server after a successful log-on. But if that key gets in the wrong hands, the user associated with that UID will be compromised. I've looked at the AccountManager on Android but it seems rather over-kill in my case.
If someone could supply examples or at least guidelines, I'd be much grateful!
Thanks in advace!
ADDED SOLUTION DIAGRAM AFTER EDIT
Notice that this diagram shows the first start of the application. Later startups will NOT show the Login / Register form, but use the DUT instead.
// Alexander
Issue some form of a short-lived authentication token to Android apps. They would need to pass it in every request, and you will check it your Web app. Breaking the connection doesn't end the session, if it does, you have bug in your Web app: fix it. In Android, as long as you are using the same HttpClient instance, it will continue to use the same session, nothing special is needed.
Whatever you do, do not put off implementing SSL, do it now.
This is a theory question more than an implementation question. What, in your opinion, is the best way to create a mobile application that syncs data to a server?
I have been writing an application that has a user sign-in, allows them to create notes and then selectively share them with other users. I have been doing this with a Rails webapp that returns JSON data to my iOS app. It seems like a lot of overhead for something that so many apps are doing. Is there a better way? How would, or do, you do it?
You should optimize the data quantity you exchange between server and device. You need to set up a flag that indicate you if something changed, case you need to sync.
Let say you have an app that allow to a group of users to update/load from the same file. you can save on the server the time of the last changes, and on mobile device you have the last update time you get. When you want to update your app data, on the request you can include the time you got the last updates. if the time you send and the time you have on the server differs, update; else... do nothing.
Because the request/response is minimal (Req = time; resp = empty), you can check for updates as often as you like.
The option I found that proved to be the easiest and allows you to focus on mobile development while virtually ignoring the data storage element is Parse. I wish I had found this months ago.
I really don't think there's necessarily anything wrong with maintaining a simple Rails web service as a REST interface for your database, but I can see how that might seem like unnecessary overhead. You could find a DB which has a REST interface by default. Here are two to start you off:
CouchDB
Amazon SimpleDB
I need help figuring out the best, cross-browser compatible way to "SAVE" user input and STORE them locally(offline mod) AND on a server(online). Program will be used by Android and iOS.
I want to know the best way to track user progress while the device is online OR offline.
Hello I have been researching AJAX, JSON, XMLHttpRequest, REST, Java, and HTML5 (specifically, localStorage).
The scenario: (Read a book online/offline, save page progress)
A user logs in to a Web Service and the Web Service allows the user to download an "html webpage book" (view with HTML5 browser).
After every page turn, a REST API uses a GET request to post the Progress data to a Web Server. Simultaneously, a JSON string is created and saved in a file on the server. (let's say "ProgressData.txt")
In the background, a separate "copy" of ProgressData.txt is saved LOCALLY on the mobile device. The user then leaves the internet connection and continues to read the HTML Book.
When the user regains connectivity, the ProgressData.txt is uploaded to the server using a REST API where it will update the old server file with the NEW .txt file with all of the user ProgressData.
Possible solutions:
HTML5 localStorage solution looks good. jQuery even simplifies it:
http://plugins.jquery.com/project/html5Storage
Straight Javascript looks good for Server-Side storage, however it doesn't have access to a mobile device's physical hard-drive, thus preventing any kind of offline saving.
Java applets look possible. Plus not sure how Java runs with Android/iOS.
I don't want to have to run a localhost(PHP/Apache/Python) from a mobiledevice every time the user goes offline, however that may be where the solution lies. I did stumble on this powerful tool: http://couchdb.apache.org/
Question:
I need to know the best way to track user progress while the device is online OR offline. What is the best way to do this?
I stumbled across store.js the other day which might help solve the cross browser local storage. It was from this article about local storage.
I think your best option for tracking online/offline is to ping the server via an AJAX call when the page is turned. Always try and update the server on a page turn, but if it fails, handle the failure and store the progress locally. Each page turn will either amend the locally stored progress file or if connection is restored then simply update the server with the progress.
The issue I am thinking might occur is if a book is finished offline then there are no more clicks that would trigger the syncing, regardless of a restored connection. You may want to think about a manual sync link/button at the end of a book. Or maybe have a manual sync available at all times anyway? Give some control to the users and describe the whole offline/online reading scenario. You might find that it is easier to just let the users do the work… if they don't sync then it's their problem!
Here are 2 screencasts what will help you with your problem.
They are in Ruby on Rails but maybe you can get the idea. It is using the html5 cache manifest.
Hope it will help you!
http://railscasts.com/episodes/247-offline-apps-part-1
http://railscasts.com/episodes/248-offline-apps-part-2
some more resources (sorry i dont have experiences myself with html5 cache manifest)
http://diveintohtml5.ep.io/offline.html
http://developer.apple.com/library/safari/#documentation/iPhone/Conceptual/SafariJSDatabaseGuide/OfflineApplicationCache/OfflineApplicationCache.html
I'd suggest just using a cookie to store the current state. That way it is automatically sent to your server with every user request (so no need to build out a custom server-side API for receiving the state after a lost connection, and no need to have any custom client-side code for sending the data to the server), and still updateable even if the user has lost Internet connectivity. Also it doesn't rely on HTML5 features, so you don't need to restrict people to HTML5-capable browsers.
In any case, the best way to handle storing the current state would be to have a simple onclick handler on your "next page" link (or button, or whatever it is) that calls a function and sets the cookie value to whatever the current position is. Note that because the state is always available client-side, and sent to the server on every request, there is no need to maintain any explicit copy of the state server-side, unless you want to be able to remember the user's place even when they manually delete their cookies (which is overkill in my opinion).
You may want to look at the W3C Example Code for setting/getting cookie values in JavaScript.
Also, here's a website that demonstrates functionality similar to what you want to build. It uses cookies to keep track of a user's place when reading various webcomics. Pretty much the same as what it sounds like you want, except with comics instead of books.
It would be wise to track the progress in both a server side database and in the client's local storage if a constant internet connection is not necessary.
Evercookie is a controversial javascript api that aims to provide local storage using any means available including standard cookies, Flash shared object, Silverlight, browser history and HTML 5 storage. Data should persist when the user is offline and when the connection is restored, sync the cookie and database with whichever data has greater page number for the given book. Droid has Flash and the Flash shared object data is a "cookie" available to both desktop and web-based apps.
With great power comes great responsibility:
http://samy.pl/evercookie/
I'm wanting to create an android app that gathers information and then uploads to a server -- however I don't want people to be able to edit the file before it's sent to the server. I can do the first part of it, but am unable to do the second part. Can anyone tell me the best way to go about this? I don't mind if the user knows what's in the file, just don't want them editing it and then uploading their edited information to the server.
You're pretty much out of luck since the application is run by the user and the output is controlled by the user. The only way you could take over user's system so he would have no control over it would be using trusted computing with all of the ethical and philosophical implications - see eg. Can You Trust Your Computer? by Richard Stallman. The only thing you can hope for is having a secure connection between your server and user's systems (SSL/TLS) but this is still user's system over which you have no control.
The only correct answer here is Zed's.
The rest of the answers rely on Security through obscurity.
The bottom line is: if device is not totally locked down (= trusted computing) then users can reverse-engineer the application/file-format/network-protocol and submit false data.
Fact of life: people with huge resources (media industry, IT industry) have tried to pull this off (DVD, BluRay, game consoles, etc..) but eventually talented engineers on minimum budget have been able to break this protection schemes.
So, it might work, but only if data is not important and nobody bothers to break it.
There are a couple of approaches you could use here:
Encrypt the file before its saved to the device, the user will be unable to read/modify it.
Encrypt the connection to the server, SSL can protect against a 3rd party interfering with it.
Don't save the file in a public location, place it inside your app's private data directory. The user will be unable to access it.
Depending on how sensitive this information is going to determine which combination of methods to use.
Well as for Android you cannot prevent people from accessing files on the public filesystem.
Maybe there are better ways to handle this but I would simply crypt and decrypt the data before submitting and by using a passphrase or some sort of parity check one could validate the data.
Some rough ideas:
You could view the information that is being sent to the server to the user and then ZIP the file that's being sent with a password beforehand so the user doesn't get a chance to edit it:
Write a password protected Zip file in Java
Of course, you'll have to make sure the user doesn't know the password ...
Or you could build a checksum of the text that's sent and validate the checksum on the server. Here, again, you have to make sure the user doesn't know how the checksum is built and change it accordingly.
Or you could not safe the information to a file at all but into the app's database or private filespace (where non-root-users can't access it).
Whether it's the pasword or the checksum, you could send that information to your server with a normal HTTP-request so it won't be "visible" to the user (followed by a second request that actually sends the file), but if we're talking about users that know how to handle network-sniffers on their phone (needs root, AFAIK), you'll have bad luck, it's their device and their data that's trying to leave it after all :)You could try to use a secure connection to fix this.
What you could do :
Sign the file with your application
Check the signature on the server, check if the certificate is a certificate that is authorized
This will help a bit, but you'll still have the private key bundled with your application... someone may be able to find it and then sign modified files...
Another idea : can you compute the data or is it user generated ? If it's computed why not just compute the data and send it to the server (over SSL) without even writing it to the filesystem ?