I am trying to implement app links into my app to make sure that other malicious apps cannot register for my URL.
I read the guide on app links here https://developer.android.com/training/app-links/verify-site-associations.html and I have mostly understood it. But one thing which is not clear to me is how can I prevent malicious apps from receiving my domain links if my app is not installed.
Consider this scenario.
1. My app is not installed on the user's device
2. Some malicious app is and it knows the URL that my app handles
Wouldn't this launch the malicious app and it can intercept my URL if the user selects that app from the disambiguation dialog? Is there any way to prevent it?
I understand that android:autoVerify="true" will trigger the domain verification when the app is installed, but what if the app is not installed?
Whether the user has the app installed or not, the "illegal" app won't be able to handle your links since it has not access to your domain in order to save there the needed JSON file. Am I clear?
There is a JSON file that is required during App Link configuration, that has to be uploaded to your server (that includes your app ID), through which your web-app basically says to the Android OS 'this is my counterpart on Android devices, I authorise it to handle these URLs'. Since app IDs are unique, there is no way another app can meet those conditions.
To quote the docs:
An Android App Link is a deep link based on your website URL that has
been verified to belong to your website.
So, although an app may register an <intent-filter> it ALSO has to be verified by the website whose URL it's trying to handle. And this happens on the server, so, out of the reach of a mobile client.
See also HERE for a more detailed explanation.
Related
When I click on a link within my WebView, it behaves as expected - it opens the link within the WebView.
However, if an app can handle that link, I would like to open that app instead. For example, if I tap on a Twitter link, I would like it to open Twitter, else open in-app.
This is how Google Chrome on Android behaves. This is also how WKWebView, the iOS equivalent of WebView, also behaves.
How would I go about implementing that? I have attempted to implement the solutions here but now my app always wants to open the system browser.
Deep Links as handled by OS itself. You just need to implement it properly. For example, in Android if you want to open the following url
http://twitter.com/intent/tweet?text=YOUR_TEXT
it will open the twitter app if the app is installed in your phone. Otherwise it will be opened in your browser.
But in case of iOS you have to specify the URL Scheme for opening in another app. Check the following url
twitter://post?message=YOUR_MSG
So when implementing this SO answer, you should also consider about the URL Schemes.
You should also keep in mind that webview in the application are implemented so that you don't have to open the browser app and no urls are exposed. If you want to open another app, you must consider opening the url in browser from your app so that OS can handle the rest.
Is there a way to authenticate a java desktop application with Slack using OAuth2? I am trying to follow Slack's guide.
I am getting stuck because it says you get the access token inside of the redirect uri of your application. But since the app I am making does not exist inside of the web browser, is there anyway I can do this?
Can my java application launch a localhost site that it can communicate with to use as the redirect uri? If so, how?
Desktop app as internal integration
Before we get into more details please note that there is an easy solution if you plan to use your desktop app for your own Slack workspace ONLY. In that case your app does not need to support the full Oauth work flow and you have two options:
Install your app as internal integration via the management page
of your Slack app and then copy & paste the token to your desktop app
Create a legacy token for your Slack workspace and then copy & paste to your desk (not recommended)
I also like to clarify upfront that your app only needs to run the Oauth process ONCE for installing it into a new Slack workspace. The resulting token has no expiration date and has not to be refrehed.
Desktop app for multiple Slack workspaces
If you plan to distribute your desktop app to multiple Slack workspaces you will need to support the full Oauth installation process.
Slack is using Oauth 2.0, so in principle all the standard answers from this older Oauth wiki article should work for Slack too.
However, since you can not assume that the local machines of your users are reachable from the Internet (e.g. redirecting back to a local web server will not work, since Slack will most likely not be able to reach it), you will need a web helper app that runs on a web server and is reachable from the Internet.
This web helper app is basically a small web site, which performs the complete Oauth dance for the installation process into a new Slack workspace. You app can open a browser window and redirect to the web helper app to start the login process. You then have two basic approaches how to handle the connect back to your desktop app:
Show the resulting token to the user and ask him to copy & paste it
to your desktop app (simple approach)
Store the resulting token in your web helper app and provide an API to your desktop app to fetch it automatically. (user-friendly approach)
If you are looking for a starting point for such a web helper app, take a look at this example PHP script for installing Slack apps.
Hi I have developed an web application using google app engine, for google shared domain contact, Its working fine when I am running it in the localhost but when I deploy that application into google app engine it showing warning screen before user conforming for consent(as shown in the image).
I am using 2 scope http://www.google.com/m8/feeds/contacts/ and https://www.googleapis.com/auth/userinfo.email. when I try to add a user information in the google shared contact I am getting a exception message as www.google.com. How can I resolve the problem? am i need to verify my application in the oauth_app_verification. Can any one solve this?
Thank you.,
You need to go through the verification process before you launch your app. This new process came recently to protect user's data. You can start the verification by submitting this form but before it is recommended to follow steps here
I am trying to add some information from Steam into my Android app.
I see that Steam has Steamworks, but that is only built for Windows, OSX and Linux.
Furthermore, I saw that they also have a Web API that could also be accessed from a mobile application. But all the methods in the API require a 64 bit SteamID, which they say can be retrieved using OpenID. I downloaded the Google Oauth Client Library for JAVA but I reading through the documentation, I don't understand how I can get a SteamID for a user using this library.
Has anyone used this lib or another open source lib to get a SteamID?
UPDATE
To get direct SteamID64.
Login to Steam using a web broswer.
Once logged click on your profile and add ?xml=1 to browser url address
http://steamcommunity.com/id/yourusername/?xml=1 or
http://steamcommunity.com/profiles/yourprofilenumber/?xml=1 (if you have not set a public username yet)
I think this is number in profile link or steamID64 example: http://steamcommunity.com/profiles/76561198113616635
Steamid will be: 76561198113616635
To check it online you can go to https://steamid.io/lookup
In Android app, I think after authorize, steam will give you that number and key.
I've been thinking about implementing of Google Play licence check on my Java server. Is that even possible? I haven't been able to find anything on this matter. I know Android LVL is written in Java, but I'm not sure if it can run outside of dalvik machine. Is there a posibillty of checking Google account name or some kind of device ID against Google Play to check whether an app has been bought in a Java server application?
The answer above is simply verifying response data (returned by google LVL on android device) on app server.
I think the question is asking if it's possible to call some google web API to do Google Play license check on its app server. But it seems like google doesn't open the web API interface to its licensing server, all LVL calls need to be done using its google play service framework on android device.
Yes it's possible, the java sources are out there and could be downloaded (and afaik, the jar is not dexed until you compile your application) - see some kind of manual over there at developers.android.com to read about how to get the sources
I've heard about a PHP project trying to attempt it, but using java should be no problem at all - you do the same things on the server, the manuals state for the client - and let the client sends the encrypted response from the market directly to the server via SSL (e.g. byte[] post)
You should get a UID from ResponseData.userId
Read some more in this blog post and more info and links in another SO answer