I have a rails app (rails3) that uses sessions for users to navigate upon login. I am trying to create an android app for this rails server and trying to figure out what is the best way for handling login is.
From what I've found so far, there are two possible ways:
1. Get sessions from rails server and setCookie on android side upon login
2. Use OAuth.
Which would you recommend?
At this point, I am unsure of how to manage sessions when using OAuth, that's why I am asking the question. Thanks
I encounter this problem last time as well. As we need to allow logged in user in the android to be able to query the rails server for some data. Initially we thought about sending password/username from android and then set the session and cookies in rails server, then send back the info. Android then use this cookies to determine if the user is successfully login. However, in the end we didn't do this, as the cookie information maybe hard to manage in mobile device. In the end we create a separate protection scheme for the rails server, if the android send user/password, rails server would validate, if sucessfully, we will insert a encrypted token into the database that contains user name and token. For subsequent request, the android device must send token to rails server, if the token is valid and can be found in db, the validation passed,and we will return data.
Good thing about this is it is easier to manage users. E.g. you can easily manage how many concurrent loggin you allow for the user. Or even better if needed, you can kick out some users without touching the android apps. Not quite sure if this fits your questions. Just to share.
Related
My mobile app does some API calls during usage and some of them should not be possible from anywhere else (e.g. postman)
For instance if you have a database table user and a column membership and the app-user does an in-app-purchase an API call is made to update that row and change the column from e.g. standard to premium
Now in theory if someone knows the URL and sends an HTTPS request he could upgrade himself without purchasing anything. I am researching for a while now but feel a bit lost. There is no registration or login. I use the unique hardware ID of the users devices as a primary key to store everything in the database. I thought about something like:
When the user opens the app a request is send and the server responds with a randomly generated key
All requests the user makes have to use that key which I would send in the header otherwise it gets rejected
Is this the only thing I can do? What is the best practice for a mobile app that does not use any kind of registration?
If it matters I used flutter for the app and flask for the backend that is connected with a postgres database
edit: I am using HTTPS everywhere not HTTP
If the api is open as you have described in the architecture then there is no way this can be achieved without having a login mechanism like OAuth or one of those provided by Google Login or Facebook Login. You will have to provide a way for client device to tell you who are you talking with.
Else you can hide this api behind a closed network so that only server can call this api which will only do so after a successful response from the payment gateway. That way you can enable the hit to come only from the specific server ip address.
Also the fact that you want HTTP instead of HTTPS makes this very vulnerable to a number of attacks.
I have a background in web development but I am very new to the mobile world. So, I'm not sure how to proceed with this situation:
The user login in the app
The credentials are sent to the server through a POST request.
If the response is ok, it redirects to the main activity.
Now, I want to know if I have to keep the user's ID or not. I know that when we are using a browser the server saves a "session" so the client doesn't need to send the ID everytime to request data. Is that also true with mobile apps (Android)?
By the way, I'm also responsible for building the REST API but don't have any experience targeting mobile devices.
Big question to answer, and it depends and not sure what server technology you are using. However I can describe an approach I implemented (.Net background).
It seems you are writing a mobile app?
The mobile app would first make an authentication call passing id and password to your login api, over https of course. Often the url would be something like
//yourwebsite/Account/Token
Your api would validate the user and if ok, issue a bearer token.
The mobile app needs to remember this token and on subsequent calls pass this in the request header. That's how the server will know who this is. You don't need to send the user id and password any more. And there may be a strong security argument for not storing the user id and password on the mobile device at all.
Now, your server code will validate the token, and you will know who and what the user can do. The token typically expires, so any mobile client needs to check for this and re-authenticate to get a fresh token.
But how will the server know this token, who it belongs to?
In an MVC world for example, there's framework code to help here. There's plenty of MVC template code. If you happen to be developing .Net api services, see this http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api
If you are not .Net on the server, I'm sure there will be something else to help you along the same principals.
As for developing RESTful API's, ServiceStack is seriously worth considering. If too expensive, at least consider their approach and roll your own (especially when it comes to versioning of your api's).
You misunderstand the case with browsers, therefore your conclusion is flawed. Let me explain: When you log in to a website using a web-browser, a session is saved indeed, but not only on the server. It is saved at the client-side as well. Whenever you send a request from there on to the server, you have to send that stored information as well, called cookie to identify yourself.
Let's think about this more deeply: How would a server identify your session as being your session without getting a cookie? By IP address? Nope, the IP address can be used by many and it might change. By browser session? Yes, by browser session, which includes the cookie as well.
Now that you understand that the session is saved by both the server and the client, you surely already know that you need the very same for mobile apps as well. The client logs in, therefore a cookie is generated for the client. This should be difficult to guess. From there on, the client uses the server using the cookie created for it.
If you do not believe me, visit a website where you are not logged in, and then run console.log(document.cookie);, log in, then run console.log(document.cookie) again, then log out andd run console.log(document.cookie) again.
We have a working website and now developing android application. Some API calls are public however some api calls requires valid user. One server side it is being maintained through sessions and cookies. How can I communicate with server securely from app. I want that user login once until user press logout or uninstall the app. I don't want to store user username and password in app because it can be easily access by anyone if device is rooted and also I don't have password if user is using facebook login method. What should I do to in app and on server side to make it secure and easy. I think apps like facebook etc use those type of approaches in their apps which I am searching.
I have done research on this and found only that I should use static HttpClient.
I am using volley library for network calls because it suites me.
You use a token. When the user logs in (over an HTTPS webservice), he sends up his username and password. The server stores that in a database and returns a token, just like a cookie would. All future requests from the app to the webservice should be done over HTTPS and should have that token as one of the parameters. The server can then lookup who it assigned that token to in its database, and send the user the appropriate data. If the token isn't there or isn't in the db, you return an error. When the user logs out, you delete the token from the DB.
The token number space needs to be big enough that a random token can't be guessed. Using a second piece of data on each request (such as user name, or something identifying the phone such as ANDROID_ID) would help prevent guessing attacks. And of course if you get repeated requests from someone with bad tokens you should treat that as an attack, just like you would with bad cookies.
Lets say there is a website that doesn't provide an api service. However, a legitimate android app wants to provide a useful service. So first they ask the user to create an account on that website. Then once the user is logged in, they would be able to perform certain functions like "liking" a post, or commenting on stuff, right from the app. But obviously a CSRF token is used for all form submissions. So are android apps capable of grabbing this token? If not is there a way to ask a user for permission to grab it? Also if the same app was made for iOS would the functionality work the same?
Thanks.
Assuming the app makes the login request on behalf of the user and stores the authentication cookies for use in the subsequent requests, then yes.
A GET request would need to be made to the web page with the form on it, the CSRF token parsed and then a POST request would be made passing all the required parameters (including token).
Yes this could be done with iOS too.
I have a Java based web application which is developed using JSP/Servlets running on Tomcat server. This application is developed for customer support. A customer can directly login to the application with his credentials and raise any complaints reg. a specific product. He can also view all the complaints he has raised and their status. Also he can add comments to the complaints and also close them when he desires to.
Now I would like to develop an Android app where a customer can login with his credentials and do same operations as he used to do in the above said web application.
I have basic knowledge on Android and good amount of knowledge in Java. Can someone help me with some guidelines or sample source code to develop such kind of application. In particular after authenticating a customer with his credentials from an Android activity by sending HTTP request to the web application, how do we keep track of the session for that customer in order to display him the complaints raised by him or allowing him to add comments to his complaints in next activities (screens). To put it simple how to maintain sessions?
Thanks,
You question is pretty specific to your application. How you maintain a session with the server is pretty much up to you, but you can think of it as implementing the relationship between a web browser and a web server.
After your user logs in, the client should receive some kind of token from the server (similar to a cookie). All subsequent requests will pass along that token to authorize the user, so you'll have to persist it on the device. Your server will have a mapping of tokens to users.
I would recommend looking into OAUTH2 and maybe taking a look at some well used APIs like Twitter and Foursquare for some ideas about best practices.