I am very new to writing apps so please bear with me!
I am writing an app that needs to communicate securely with a java server (under my control).
Firstly to login to the server, and then send data back and forth. What is the best way of doing this?
My first thoughts was to communicate to a webpage via ssl with the username and password. e.g. login.php with user=xxx and pass=zzz as posted variable. The site returns a random string and saves it in the database.
If the user then stays logged in, this string is saved on the app. This is then sent with every communication. e.g. set_temp.php with string=123456 and temp=20
This seemed easiest to complete, and I have done most of this.
Alternatively, my other thoughts was to go through a sockets approach and commumicate with the Java server directly. Would this be more secure? Is this even possible?
Or are there any other suggestions? How do the big apps like facebook and gmail secure data?
Thanks
Matt
Use SSL protocol. You can create API services on the server and communicate with them. To keep the user logged in use SessionID. Take a look at DefaultHttpClient() class.
I hope this is useful :)
I would use a webservice on your java machine to communicate with. All requests are via HTTPS and you can login the user via the webservice. Also I would add a time limit to the users loggedin session to ensure that he is logged out properly after some time limit.
Related
I am using asp.net web service with Android application for select and insert the data from MS-SQL Server.
I just want to web service only access by my Android application.
Because, web service is hosted on my private server and data is very secure. I am not want anyone can call my web service.
Any solution?
Make request in the POST request and use extra field to check for sender's. In this field you could use any secret key !
In your request, just put a SHA-1 key (e.g SHA1(Hard_coded_password_in_app_and_WS, unique_ID_stored_in_preference_and_in_data__base))
In your WS, just check if this parameter is ok, and then answer. It's not the best security ever, but it's quite easy to set up, and it will do the trick.
there are a few ways to do this (in my opinion):
if your app has user account involved, you can simply use user session to authenticate or the social logins eg. facebook
post request, with a header of a hashed key,
good read: https://weblogs.java.net/blog/gmurray71/archive/2006/08/restricting_acc.html
I have created an AppEngine connected Android application, and I'm trying to modify it to be able to store some user data on the server. I do not know what's the easiest way to do so, because I want it to be as simple as possible. I just want to store some basic data for every user. This data is: Name, Email, and some other Strings. I have created a form in the android side which will allow the user to type all the requested data, but I do not know how to send this information to the GAE server and store it in the datastore. I guess I will have to use a Servlet and some kind of RPC service to call the methods. I'm really lost because it is my first time doing this. I'm not experienced neither in android nor in web apps. I hope you can help me.
Update
Well, maybe I did not explain myself well. The system I've been asked to build consists on a web service that store your personal login credentials for most common sites (facebook, gmail, etc). Using a chrome extension, you ask the server for the credentials on the website you are navigating, and then the server asks to your phone for authorization. It will ask (do you give me permission to send your credentials to "some user"), and you have to ansewer yes or no and then the server will act in consequence. The point is that you have to store your credentials in the server in some way, maybe from the android app (which is what I was trying) or from somewhere else. I will also need authentication.
Pd: I use java for the server side.
Since you already started with AppEngine connected Android application, it makes sense to continue customizing it: App Engine Data Access: Adding Entities and RPC.
Update:
There are of course many ways to exchange data between client and server. The most simple would be a servlet handling GET and POST requests with some query parameters.
Also, most popoular lately is REST:
Android REST client: http://appfulcrum.com/2010/08/20/android-how-to-call-rest-service-using-asynctask/ (try using GSON instead to parse JSON)
Server: use a REST framework. My personal choice is RESTEasy. An example: http://ankiewsky.blogspot.com/2010/08/resteasy-on-googleappengine-corerest.html
Update 2:
The simplest possible way - making/handlin a simple POST request:
Android client - making POST request with parameters: http://www.androidsnippets.com/executing-a-http-post-request-with-httpclient
Server handling POST (or GET) and extracting parameters: http://www.exampledepot.com/egs/javax.servlet/GetReqParam.html
Find and follow thoroughly the Topic Index on this page. Gud luck
Application host: MVC3 and SQL Server
Mobile platform: Android
Please tell me if this is the complete wrong approach. I'm envisioning some sort of authentication process via an HTTP Post event. The result (if successful) is a session Id returned so the user can call other secure methods.
Note: The controllers, database and JSON responses are already working in a non-secure way today. I just need to add security.
If there is already a process for this please let me know. I don't want to reinvent the wheel.
Thank you for any help.
Just use AspNet FormsAuthentication. Will provide an encrypted cookie. Used with HTTPS is a solid secure base authentication.
I have created an Android app that communicates with a PHP web server. They both send JSON to each other. My app is almost finished, however there is one thing left to do: authentication.
Since the user's username and password will be stored in Android SharedPreferences, is there any need to use PHP sessions, given that the user won't need to enter the username/password at every request?
Since I can just send the username and password in the HTTP POST header for every request, and that I will be using SSL, is this sufficient? I guess I could add an extra field in the header called 'random' that just adds a random value, just to use as a salt so that the encrypted SSL payload will be different every time.
The reason why I don't want to use sessions is that my Android App would either have to handle cookies, or managed the storage of the session ID.
If there are some serious cons to using my method above, then I'm more than happy to use sessions.
Personally, I'm against sending the username and password in the request each time. One thing you could do is generate a unique ID when they log in, and store that in a database on your server, then just pass that instead of the username and password.
I think Google have given this a lot of thought, so doing something similar to what they do wouldn't be a bad idea. If you look at the way they do their
login process, i.e. https://accounts.google.com/o/oauth2/auth
and especially their
token freshining, i.e. https://accounts.google.com/o/oauth2/token
it might feel like overkill, but you might come away with some ideas that could be valuable to your own implementation.
EDIT: oops, almost forgot the documentation link: https://developers.google.com/accounts/docs/OAuth2
I believe that you will be fine with what you have now. As long as you make sure that the user info is securely transfered. The salt is a good idea. It really just depends on how secure you want it.
It is very bad practice to send account credentials in every request.
I think the better way to use Google OAuth2 API - it is VERY simple and safer than local accounts database. Have you considered that option?
I want to make a login application in Android.
Requirement of the project is to store user name and password for two days using cookie.
Is it possible to use cookies? If yes, then how? Can you give me the code?
Note: I can't use web view.
As a commenter already said, you aren't supposed to store password (even in encrypted form) in a cookie. What you can store is a session id. When user logs in the application, the application generates a session id for him/her, which will stay valid for two days. In every request that you make to the application, you add the session id as an HTTP header.
You can store the session id and the datetime it was issued in the preferences. When the user needs to make a new request to the application and the session hasn't expired, you can read the stored value.
If you are not looking to integrate this into the browser, then have a go at this.
If you look at the HTTP protocol, you can see that cookies are sent by the client in plain text in the request. This means you should have your application deliver them every time your request a page. This is not valid for local-only cookies, but I don't think that you're interested in these. If you want to set cookies from the server side, you will have to adapt your application to parse the response and look for cookies. (also HTTP protocol)
For a better view of the raw data you need to send or receive, you can monitor your traffic using Wireshark or a similar tool and see how the request/response look like.
I am currently working on a web-service that I need to implement on iPhone and this is my first idea of doing it. I haven't got to implement this yet (my web service is still not done) so there's not much more I can tell you at the moment.
Edit:
A useful page about this might be the Wikipedia HTTP Cookie page located here.
As Reno said, try to avoid storing the password in the cookie. Instead you should let the server generate a sessionID when logged in and let this ID expire on the Server after two days. SO you can login with the username and the sessionID you generated with logging in once.
I you want, you can store that sessionID in the cookie.