Alright I have two questions which are interrelated.
Using Google OAUTH can I send communications between an android phone and a chrome browser extension? I was thinking that I could write some info somewhere and it would be stored in the account info or something? This was just a theory (not really supported by any info I have read)
If that doesn't work I was going to use Android to node.js communication idea using http://static.brandedcode.com/nws-docs/ documentation for an android to websocket server communication then a chrome extension to the websocket server. I was then going to use the gmail from each device to verify they belong to each other and pass the message that way.
Does anyone have any knowledge about how feasible this is/how challenging it is? I also need to know how secure the communication is if I only rely on a gmail account. Is there any information done by using OAUTH or another method that I could use to secure it more?
Finally is there a method to turn a chrome extension into a websocket server? That way I could just bypass the need for an external server and any sort of verification method.
I'm willing to do some work and/or research if necessary so list anything you think I should look into and any ideas you might have. I'm thinking of having a nice coding weekend so I will be playing around with this A LOT!
I appreciate any help that anyone can give.
Related
How safe is it to use OkHttp3 for your REST API?
For example, if my website has some login/signup process, and my app sends requests with OkHttp3 client. How much can I trust that someone can't take his phone, plug it into Android Studio and look into the logs and find the links for all the requests I'm calling?
There's also the matter of decompiling the app, and easily accessing the base Uri I'm using in my app.
I'm not sure how OkHttp works, so can someone tell me about the security used in the client and how much I can trust it?
If a link is on the internet, then it's public. There is no point trying to hide that fact.
You need to focus on the securing the endpoint(s) the app is talking to for confidentiality, integrity and availability
You need to read up on Web security. Take a look at the OWASP Top 10 and related guides.
Why are you worried about your URL address? Whenever you expose an API on the internet anyone can find your API URL address. There are easier ways than reading logs of your app.
What is your exact worry? What do you need to keep secure? What is important for you?
Starting to build an app where we will have a desktop and a mobile client applications. These two apps will exchange messages/info on frequent basis. The idea is not to have any server/central entity for this communication. We want to send/receive messages without any server implementation. I googled on these and got peerjs.com, openpeer.org and google project apprtc. Peerjs and apprtc are kind of web based applications which are not in our kind of.
But still it's not very clear on how this things works out as they involve any server or not. Kind of stuck and not sure where to start and how. Is it possible at all?
We are not yet tied to any platform, so open to any kind of implementation. Please share if you have any similar experiences of any applications using this kind of technical stack?
use webrtc ios project, and its what you need
https://github.com/gandg/webrtc-ios
Sockets is what I'd use, assuming the network requirements mentioned above
Those two devices may or may not be on the same network.
Then you need a server of some form, whether you want one or not. That server may simply be a data broker (see PeerJS) or provide more functionality, but it must exist. That server may be one that you host yourself or be some common cloud provider, but it must exist.
I have a MVC application that I would like to port at least a small part of it to a mobile app (android first). My first objective was to try to figure out how to authenticate the users.
It seems that forms based authentication uses cookies and that is not usable by mobile apps? Definitive confirmation would be appreciated.
But it seemed that you could do some form of authentication using a WCF service to create a token. Now I found a lot of sites that discussed how to create and secure the service end point but none really discussed the token generation.
Then quite by accident I stumbled upon WIF and the usersecuritytoken, which seems to what I am looking to accomplish.
So if some could please confirm this is where I need to be looking so I can actually get back to coding rather than reading I would appreciate it.
The way I see this working is:
Secure WCF service.
Using the System.IdentityModel it generates a token for a valid user and passes it back to the mobile app.
Then the app passes the token along anytime a service requiring privilege is called. For example updating the user's profile.
Is that how it is suppose to work? If not could you please point me to an example of how it is suppose to work.
One other question, looking at the WIF site it seems to provide a lot of token types, what is the preferred type for android and iOS?
UPDATE As it was pointed out it would be helpful if I provided more context.
The original website is a MVC3 web app.
I am attempting to write an app for some of the backend administration features using mono touch.
WCF seems to be a bad solution for cross platform and a package called ServiceStack is what I am now leaning towards for my web services. ServiceStack has its own authentication module but it does not interface with the .net membershipprovider which is an issue since the web app was designed with the membership provider.
I have to be overthinking this. It can't be this complicated to have an android or iphone app securely authenticate to a .net membership provider through some form of web service.
Thank you in advance,
Chris
I am trying to write an app that will have a web interface for business owners who can select a specific Android mobile app user via querying a database and then have either the website or database(a little unsure about how this would work) push information to the queried user's phone to create a notification for them via the app.
I have never created an app like this and the connection between the website, the database, and the mobile app on a user's phone are all a mystery to me. I've searched the Android developer website and cannot find anything that will accurately explain how to do this, and have also Google'd the topic without much luck.
All I ask is for someone to point me in the right direction to place the pieces together, any information you can provide would be greatly appreciated, thanks!
Your solution will almost certainly involve Google Cloud Messaging.
Implementing GCM will involve a server in which all devices are registered with a central service. So you are half way there once you have GCM implemented. Well perhaps more so, almost everything you mentioned is basically just GCM.
http://developer.android.com/guide/google/gcm/index.html
For this you can use PHP programming to interact with the website.
Refer Android App interaction with Web
and also
Android App Development and Web Server Interactions
These links will be useful.Good luck..
We have an android and ios app which sends data and commands to a server with http webservice. How can i prevent the possibility, that fake-clients also can send something to the server? How can I determine serversidely if the data/command really comes from our apps.
You cant really prevent it. There are several techniques to make it harder for people abusing your services.
A simple check can be to check the user agent calling your webservice. Another pretty common one is to use a simple authentication via user/password authentication on your webserver. The username and password will be embedded into your app.
If you have enough time you should think about using a combination of this two methods plus authentication with a embedded ssl certificate. You simply could add this to your project and if someone really want to abuse your service, he have to extract this certificate atleast form your application.
There are some other useful techniques but you cant prevent reverse engineering or network sniffing.
Sincerely,
fuxx
The most robust solution is not to try. Techniques like DasFuxx's answer suggests can make it faintly harder, but someone can always decompile your application and get whatever secrets you have embedded in it.
Instead, follow the rule of multiplayer game development:
Don't trust the client.
Don't think about your application as the user interface. Think about your network protocol/API as being the user interface; then design that interface so that it cannot be abused.
It may not be possible to do so completely, but insofar as you succeed, you have true security (rather than fighting the same losing battle as DRM systems).
I would implement oAuth. See the following link for more information on how to implement such a solution.
You can't. It's that simple...