I'm developing an android banking app and want users to stay logged in even after app is shut down. My idea to make this as secure as possible was to store a unique device id in the JWT and then extract the id from the token and compare it to the device id fetched from device at startup of app.
I would store the token in SharedPreferences, however, I just read that these device id's are not always unique due to people rooting they're phones. What would be the best solution? How can I be sure that the token I'm verifying at startup, is given to that user/device? I don't necessarily need to use device id's so any other secure option is welcome.
I don't think it's a good idea to have a persistable login session inside something as sensitive as banking app, but if you insist:
Use SafetyNet Attestation API for checking if the device you're running your app on is rooted and if it is, prevent the user from interacting. Once you did that just use regular SharedPreferences with Mode.PRIVATE and no one should be able to read this data outside of your app.
Related
When user clear app data it automatically logout but he still get firebase cloud messaging i want to stop sending notifications after user clear app data .
Firebase Cloud Messaging has no concept of users and/or their authentication state, so if your app behavior depends on those it is because you have made a mapping.
For example, it is common to associate the FCM device tokens with the UID of Firebase Authentication, and then look up the FCM device tokens when you want to send a message to that user. If that is indeed what your application does, you'll need to clear that association when the user signs out to stop sending of messages through FCM.
For example, you could check if a specific, known value still exists in the app data every time that your app becomes active, and clear the FCM mapping if that is not the case. Also see:
How to check if clear cache was done by user in android?
Android: How to get notified if the user clears application data from Settings -> Applications Manager
How do we know when our application data get cleared in android?
The company that I work for has some small android applications running that communicate with their ERP software lately they requested to authenticate users and have sessions for safety reasons
Instead of integrating the autheticate and session code into every app (6) I want to build an Android app that acts like a dashboard. The app will authenticate the user, create a session and show the available apps on the device that the user can access with their user role.
The problem is I need the know which app requires which user role
I don't want to store this information in the dashboard app sinds that will require me to update the dashboard app each time i create or change an app
I was thinking or using an Content provider but that seems to be a lot of work and redundant since it has to be integrated into every app that I have (6)
So my question, is there a way to get data from apps that can easily be implemented. The data isn't big (only one Integer)
thanks in advance.
I have a restaurant app showing profiles of the chefs we got...
I set a Firebase database where users can rate each chef..
yet I want to get a unique id for each installation of the app which is persistent with time, so that a user can re-submit a rate for a chef yet he's contributing to the whole rate only once..
is there such an id ?
is there a better way to do so?
thanks in advance, great people..
If your users sign in with Firebase Authentication, you'd typically use their UID for this purpose.
That would prevent them from rating the same check multiple times, even if they use the same app on multiple devices, or reinstall it on the same device.
If you're not (yet) using Firebase Authentication, I'd recommend adding it for this use-case anyway. You can use it without requiring your users to sign in, by using anonymous authentication. This is as simple as calling:
FirebaseAuth.getInstance().signInAnonymously();
But follow the instructions in the documentation to ensure you don't create a new UID every time the app runs.
I have a project in mind, but i was hoping i could get some insight.
Would it be possible to have a page allow access to my phone, or a co workers phone or laptop or device, but refuse any other device to gain access to this page.
The idea of this project is through QR codes, for example,
If i generate a QR code, to access a list of lets say, inventory. i would like my phone, or my co workers phone to gain access to it, but if say my brother or someone outside trys the code and gets sent to this specific page(s), it doesn't allow it to happen because the phone ID or tablet ID is not in the list to gain access.
It would be difficult to create a login page and enable QR codes, because you cannot implement the login information in the QR code because then the security would be irrelevant.
Any suggestions??
Your page could restrict access based on the originating IP address. The feasibility of such a system would depend on a number of parameters, such as whether you are connecting over wifi or cellular, in the case of wifi - whether you trust the wifi network, in the case of cellular - how often the cell provider changes your address.
A better solution might be to use a custom URI scheme and a custom app installed on only the phones and tablets that you want to have access. When the device scans the QR code, the app would handle the request, and then log in to the web site over HTTPS with proper authentication. e.g.
QR code: my.app://blah/blah
App handles URL, logs into server, redirects to https://my.site/blah/blah
Why not use identity certificates? Sign your message (QR Code) with the corresponding private key and validate for scanner's Identity, Trust and Message integrity.
I am want to do registration in my app. So i have made all requests to my web service.
I now when user is registered.
Now i need to save somewhere that he is registered that don't give him registration form again.
How to do this ?
Do i need to save somewhere in my sqlite database and every time when app lunches check if he is registered user. Or maybe in app settings i could save this information.
I am new to developing android app and i am searching for the right way.
Thanks all for help.
You could save that with SharedPreferences. Check the link for sample code.
http://developer.android.com/guide/topics/data/data-storage.html#pref.
This data will be removed if the users uninstalls the app or clears all data from system menu.
Edit: If you really want to remember preferences across installs you should try Backup API. http://developer.android.com/guide/topics/data/backup.html
The best solution is to use Android's Account Manager to handle user account. This aproach is the most secure (credentials are not exposed), however it has two drawbacks:
It's a little bit complocated to set up
It requires at least API version 5
Once the user registered you can save in your sqlite database and you have to check for each time when your application launches. But if the user uninstalled the application and tried to reinstall it ll ask for registration again.. In order to avoid this you have to store the information like the device id and the registered details in some servers and also in sqlite database and have to check when the application launches...