I have to send an email from IntentService. My data is mostly the backup from a phone. I am using smtp.google.com + javamail.I can use a gmail account and send data through it.(http://www.oracle.com/technetwork/java/javamail/faq/index.html#gmail):
From my point of view the problem with this approach is that my app uses the gmail account and sends data via my account. All personal data would go through one my account. Question#1 - Is it a good approach to do it?
The gmail api uses OAuth 2.0. And I have to store my client ID in some place of my program. I read that it is impossible to restore login/password from it. This token has validity. Question#2 Is it possible to use this token for reading or deleting something from gmail account until it is valid?
For all examples of my app would be the same gmail account. This think bothers me sometimes, because if something happens with gmail account I will not be able to do anything.
Question#3 Is it worth to use services like https://www.mailgun.com/ or maybe to create at least another gmail account and to use them both?
Only if you're the only one using your app.
Yes.
Email is probably not the right solution to your problem. But without knowing more about the problem you're trying to solve and what your requirements are, it's hard to know what to suggest instead.
Related
I have a website and my own server and database, I also have an native Android app. I need to allow users to be able to sign-in with their account from the website inside the app in order to sync information and other things they need to use. I've been stuck for a couple of days trying to figure out how to do that. I've found a lot of content regarding OAuth and AppAuth but they are focused on using an OAuth API to the job. Back on my server, I use Hybridauth for social login, but users can also register directly on the site. How would be the proper way to allow my users to sign-in to their website account through the Android app?
You're overthinking it. OAuth isn't meant for users to log in, it's meant to enable external services to access data on behalf of a user.
To make a user log in? Create a POST endpoint on your webservice named login. It should take two parameters- username and password. The body of the login service should salt and hash the password, then check if the hash equals the hash stored in the db for the same user. If so, you're logged in and you return a success packet with a unique token to authenticate you for later requests. If not, you return a failure. The Android app would ask the user for their data, then send a request to the endpoint. On success it saves the token and sends it in all future requests to authenticate yourself, either as a parameter or as a header.
This is of course the simplest possible version. More advanced features would include expiring of login tokens, refresh tokens, possible lockout if you have too many bad requests, etc. But the above is the basic idea. Although really I'd look for an open source solution you can take, as there's quite a lot of complexity when you get into all the stuff mentioned above, and its a place where a mistake that leads to a vulnerability is probably the most dangerous.
Is it bad if I shared with the ones developing my website my Facebook client id and secret id so that they can create the Facebook logged in button?
He also asked me for all these other information and I gave it all to him to create the Facebook, Instagram, and Twitter logged in button on my website. I also gave him the ones for google.
INSTAGRAM
Client_name
Client ID
Client Secret
Client Status
Website
Description
FACEBOOK
App_id
App_secret
App_page_id
TWITTER
Consumer_key
Consumer_secret
In short: No
This is a question the answer of which depends heavily on the circumstances and kind of setup you have, but in short these days its not a good idea as its easy to avoid the need to share these secrets.
The IDs are normally public so there is no harm in sharing that, but the secret keys should be entered directly into server's (or app service) environment settings if you can manage them yourself. Different hostings have different ways to enable this, consult your hosting provider and developer team to guide you.
When its fine
If you are not technical yourself, don't want to go through the hassle of managing access to your server, find it hard to learn and trust your developers greatly then its fine and they would need it to do actual deployment.
Remember, while they are developing and testing the website/service they can use temporary app-id and secret keys that they themselves can get in most of the cases.
Follow up questions:
Q. If I go to the settings and ask for a new secret key for all of these social services, will it affect the programming of the developers and create a problem or will it be fine since the client id is good enough for the job?
Answer Yes if you reset the secret keys the service would fail and would require the new keys to be configured on the server. There are tons of guidelines on each of Facebook, Google, Instagram developer pages that you can read on this topic and are pretty easy.
Q. Can they get inside my Facebook, Instagram, etc if they have the secret Id?
Answer No the keys are for the app/service to allow your website request user's information who allow your app, not for accessing your account.
Q. Please tell me whats the worst thing that can happen with the secret after sharing it with the developers if they do something wrong with it?
Answer Its basically a security risk. One of the worst things, IMO, that can happen is that they commit it into an open code repository or implement it in the wrong way so its accessible to anyone easily. That would allow attackers/hackers to get your app users to believe they are giving access to their requested data to your app (by using your app id and secret) in their attacks. But again this is heavily based on how careless the developers are, if they are good they would work to keep it secure. Ask them in your next meeting how they are using it and how it will be secure from other people copying it. Chances are they are good people and have taken this into consideration and would also explain it to you.
Not a duplicate
I want to sent email without using any default email app so I searched a little bit and I stumbled upon this solution using JavaMail API -
Sending Email in Android using JavaMail API without using the default/built-in app
But I have few issues with this solution -
I don't want to use static username and password. Instead of that I want to use user's email ID. But it'll not be a good design if I directly ask user to enter his or her password.
So, how can I achieve this in a better way. Sorry, if this sounds too broad. Just looking for ideas not actual code.
Please, take a look at the Gmail API Android Quickstart guide. You'll be able to get the account credentials from Google Play Services and authenticate your user with OAuth2 by prompting an account selection
Instead of that I want to use user's email ID
As Gabe indicated, there is no "user's email ID" in Android. Beyond that, an "email ID" is insufficient for sending an email. You would have to ask the user both for all their email account information (username, password, SMTP server, etc.). Unless you are writing a full email client, hopefully nobody will give you this information.
how can I achieve this in a better way
Use ACTION_SEND or ACTION_SENDTO.
Or, send the email from your Web server, where your app tells the Web server what message to send via a Web service API that you implement and adequately secure. Then, you can use your own email account credentials without having to bake them into the app.
Hi everybody,
well, here it is my problem.
I have a corporation gmail user, lets say developer-user#mycompany.com, and I would like to list all the gsheets I have in my gdriver trhough the google API for Java applications, so I generated the credentials I supposed to need:
the email, which was auto-created by google with a different domain,
in this case something like 1234567890#developer.gserviceaccount.com
then I created the p12 key file.
After that I tried the connection and everything ran fine, but It did not list the spread sheets I had, and I figured out that I can not list all the gsheets I had 'till I shared them with the 1234567890#developer.gserviceaccount.com mail/user, but the problem is that I can NOT share anything outside of the #mycompany.com domain, even though the email (1234567890#developer.gserviceaccount.com) created for the authentication is linked to my developer-user#mycompany.com account.
I am not sure if I was clear enough, but what I need is a solution for that. did someone figur out something? may you help me?
Anyway, thank you guys and I appreciate your time.
You'll have to ask your Google Apps Admin to enable sharing outside your domain on Google docs, that's the only way Drive will allow the service account to reach existing docs.
The only alternative is to recreate the docs using the service account (programatically) and share them with your account.
Your admin can delegate domain wide access to your app which will then be able to impersonate you.
Alternatively, don't use service accounts and simply generate a refresh token for your own account (which is by far the easiest solution).
As per this SO answer and other google search results, it seems that twitter has stopped supporting username and password based authentication to post updates. However to my surprise, when I downloaded this app, it amazed me as it simply allows me to send tweets using my username and password only, requiring no consumer key and consumer secrets. So how is that possible?
All the tutorial I went through after googling suggested that I need to register my app and use the access token for posting. This also requires entering some PIN if I use it in my app. What I want is that my app must allow the client to enter only username and password to post tweets. So how should I do that in java?
I would even welcome a solution which utilizes the above app only to post tweets.(e.g. using Runtime.getRuntime())
Also refer this unanswered SO question. This is similar to what I want to do. Only that I want to do it using desktop application.