I have an android app and I want to allow a user to login using a verification code. I want to send the verification code in an SMS to the user's phone. What is the best solution to verify if the verification code matchs on the server side?
Is the creation of new table that contains verification codes a good idea?
Here are a couple ways to implement user verification on Android:
Some apps build it themselves with SMS / Voice APIs
Others use a verification specific API
With SMS / Voice APIs
You'll need to generate a code (huge security threat)
Send it via the channel you use primarily
Set some kind of time delay job (queue,worker, whatever)
Send a fallback message should you get no response
from the user
Nexmo’s Verify API
Instead of paying different fees for each country, Nexmo allows you to go globally with a simple API call for a flat fee of 10 cents per verification, NOT per attempt (unsuccessful attempts will not be charged towards your account)
Verification code should arrive to your phone as an SMS. If you wait a while, you'll also get a phone call, and the code will be read to you. The timing and channels used depends on the type of number, the country, and the carrier.
You can also use Verify's Android SDK, which enables you to build Verify into your Android app by simplifying this integration. After importing this library into your app, you will only need the user's phone number, while the SDK will take care of the remaining steps required to verify your users.
Take a look at Nexmo's Verify Android SDK here
Full disclosure, I work at Nexmo.
Related
I have to create a functionality where I must send same SMS text to multiple numbers in an array. For that I am using Notify API. As part of the requirement I created a Notify Service and Messaging Service with the existing number used for normal sms service and linked them up under my Trail Twilio Account.
Wrote the code, as present in the docs and tested over a API hit. The code executed successfully and on the twilio logs, it is coming as sent. But I am not able to receive any sms notification on the number provided.
Where am I going wrong??
If you are using a Twilio trial account, there are certain limitations. Can you look under your debugger (the bug icon in the upper right corner of your Twilio Console) to see if there any are any events?
Also, once you upgrade your account, verify SMS geographic permissions are set for the destinations you are trying to send messages to
Scenario: Suppose by reverse engineering a .apk file, an attacker obtains the SENDER ID for Push Registration Service used in an App. The attacker develops a similar fake application which has same/different package name and has been uploaded on a different app store than Google Play.
My question: Can he/she use the same SENDER ID with the app? What are the implications of that for the user who installs that fake application?
Related Questions: google cloud messaging security question seems to be a bit similar. Also answer of Android GCM: same sender id for more application question provides valuable information. Reading both the accepted answers the conclusion seems to be that it is absolutely possible and that's why it is recommended not to have sensitive data in Push Messages.
But that doesn't seem to be the solution to the problem. I am unable to understand the effect of the above security lapse.
A sender ID (aka Google API project ID) is not tied to a unique application package name. In fact, multiple apps can register to GCM using the same sender ID, which will allow the same API key to be used for sending GCM messages to all of these apps. Of course each app will have a different registration ID (even when on the same device).
If someone knows your sender ID, they can register to GCM with that sender ID, but without knowing the API key they won't be able to send GCM messages to either the fake app or the real app. When they register to GCM, GCM receives the package ID of their fake app. Therefore if you send a message to a registration ID of your real app, it won't reach the fake app. In order for the fake app to get messages from your server, it will need to send its own registration ID to your server and fool your server into believing it's the real app. In our server application you have to mention our API key. If you want to send any notifications its needed.
They will not be able to use your GCM Sender ID to publish notifications.
Remember that when you obtained the Sender ID, you have to also submit your application's package name and your release signing key's SHA-1 signature. That signature is bound to the GCM Sender ID so that only applications signed by your release key are able to register and receive GCM notifications.
Google Play will also not allow apps with duplicate package name to be published, so nobody can create a fake app with your package name that is already in the Play store.
However, nothing is 100% secured. I presume a hacker could also figure out your SHA-1 signing key and hack the APK in such a way to fool the system to think the app is signed by your release key. I have seen apps are 'cracked' this way to circumvent Android licensing library. This could potentially fool GCM server to think the fake app is authorized to receive GCM messages. However, the 'cracked' apps are still not allowed to be published to Google Play, so the risk of legitimate users getting it is quite small.
I have a project in mind, but i was hoping i could get some insight.
Would it be possible to have a page allow access to my phone, or a co workers phone or laptop or device, but refuse any other device to gain access to this page.
The idea of this project is through QR codes, for example,
If i generate a QR code, to access a list of lets say, inventory. i would like my phone, or my co workers phone to gain access to it, but if say my brother or someone outside trys the code and gets sent to this specific page(s), it doesn't allow it to happen because the phone ID or tablet ID is not in the list to gain access.
It would be difficult to create a login page and enable QR codes, because you cannot implement the login information in the QR code because then the security would be irrelevant.
Any suggestions??
Your page could restrict access based on the originating IP address. The feasibility of such a system would depend on a number of parameters, such as whether you are connecting over wifi or cellular, in the case of wifi - whether you trust the wifi network, in the case of cellular - how often the cell provider changes your address.
A better solution might be to use a custom URI scheme and a custom app installed on only the phones and tablets that you want to have access. When the device scans the QR code, the app would handle the request, and then log in to the web site over HTTPS with proper authentication. e.g.
QR code: my.app://blah/blah
App handles URL, logs into server, redirects to https://my.site/blah/blah
Why not use identity certificates? Sign your message (QR Code) with the corresponding private key and validate for scanner's Identity, Trust and Message integrity.
I've been working on an Android App that has already been published to Google Play. For the next update (versionCode = 3) my client wants to include the LVL licensing scheme.
The first thing I did was set up a static test response from the licensing server. I set the test response to LICENSED. After reading this in the documentation:
This License Test Response will be sent to devices using [my email address]
or the Test Accounts listed above for applications you have uploaded to Google Play. >Additionally, this account (but not the Test Accounts) will receive this response for >applications that have not yet been uploaded to Google Play.
I thought, not a problem, since my developer account email is the same as my Google Play account email on my testing devices. So I should receive the test response when debugging the App.
After that, I read through all the other licensing documentation and sample code and integrated it into the App. I used a ServerManagedPolicy with the correct base64 public key and 20 random generated bytes as the salt.
Once everything looked good I uploaded it to the device to test it, but instead of receiving the LICENSED response that I expected, I am always receiving a NOT_LICENSED response. I went back and made sure that:
I was connected to the internet.
I was signed in to my developer account on Google Play.
The LicenseChecker was using the correct public key.
Clearing my Google Play cache.
At first, I thought maybe it had something to do with the caching, so I tried using a StrictPolicy instead. Same response. Since I haven't purchased the App from the store, I'm under the impression that the licensing server is responding normally instead of sending the static test response. Here are some other things I have tried:
Waiting 24 hours and trying again.
Tried building the App with the android debug key, as well as the current distribution key.
Setting up and using a different test user account on Google Play. I made sure to add this email account to the 'Test accounts' section in the developer console.
Uploading the APK to Google Play, but not publishing it.
Incrementing the versionCode from 2 to 3. This is interesting, because instead of responding NOT_LICENSED it returns the 'application error code' ERROR_NOT_MARKET_MANAGED.
This leads me to believe that the license server is always responding normally, instead of sending the static test response I set up to my developer account. I have a feeling it may be because the App is already published, but I cannot risk publishing a debug build just to test wether or not it is working.
Has anyone been in this situation before? Any help is greatly appreciated.
I had the same issue but was able to resolve it. Here are the things I did to fix:
1) on my device, I removed all google accounts except the test account I had configured for. Apparently, play store was still trying to use a non testing account.
2) I had to activate test status for my developer account even though I'm the main developer and only tester.
the version increment thing did not help and honestly was a distraction.....
I've spent hours and even days with the same problem, it is documented here and elsewhere, that pre-published license test is hit and miss, and more miss than hit from what I discovered.
The only way I've found to make it work "more reliably" (but still not totally reliable) is to have a hardware device that is a reset to factory defaults, then set it's PRIMARY google user as the same one as your dev account that has the app uploaded to test with.
The special AVDs are also not very reliable.
I have the same problem when testing using LVL library. I always get the 561 (0x231 NOT_LICENSED) response no matter what I set the License Test Response to in the settings page.
My paid app users don't seem to complain so I'm assuming LVL is working for them.
At first one of my apps had this problem and it went away after 1 day (published Dec 30 2012), now I get valid test response in that app.
However, I still get the 561 (0x231 NOT_LICENSED) response for a newer app (published Jan 31 2013)
So now I just comment out (disable the alert dialog code that pops up for 561) after I publish the APK and continue my development for the next release.
I un-comment (enable the alert dialog code) before I publish again!
I contacted Google Play, they referred me to their developer forums. I posted the same question there but then I can't find my post.
Good to know that I'm not the only one facing this problem.
Not sure I am adding anything new but having similar problems and frustrations at what-should-be-happening vs what-is-happening I'll offer up this which seemed to work: 1) remove all of the users in the Play Console's license testing list of users; 2) whatever device you are testing remove all of the Google accounts; 3) on that same device create a new, unique Google account (e.g., iamalicensetester#gmail.com); 4) add that Google account to the Play Console license testing list of users.
What I think might be happening is that if you have more than one account on a device and one of them is licensed then a non-licensed account of that same device (or other devices) will inherit that characteristic. This idea of mine is just a model (all models are wrong, but some are useful) to (mostly) allow me to get back to the work of testing...and (partially) to have some way to explain this nonsense to myself.
I did try most of the things mentioned above...clearing the cache, the storage, etc. -- you'd think that Google would want a better facility with dashboarding but don't know if that is even on their radar. I mean, revenue, right?
If I am developing an Android application, what is the most feasible way to get near real-time notifications about an incoming email? Is there a push-like mechanism, or can I hold my IMAP connection for a long time, or do I use IDLE command?
Consider that user is authorized to use GMail services via OAuth and I don't want to poll IMAP server madly.
Update:
I'm not using the phone's configured-in Google account. There is another account set up using OAuth.
I'm using Apache Commons Net to connect to IMAP/SMTP in my app. It's a bare-bone library for IMAP, but I can perhaps modify it to add IMAP commands/extensions.
You can register a ContentObserver with GMail, anytime something changes in GMail, the observer will be called.
contentResolver.registerContentObserver(Uri.parse("content://gmail-ls"), true, myContentObserver );
Override onChange in your ContentObserver to do stuff when something in GMail changes.
Since IMAP does natively provide any sort of push notifications and the Google extensions don't either, you have to implement it yourself.
One way is to use IDLE requests, which is still a cheap way to do polling. Of course, you can't expect your app to be running all the time, so you need to use a background service. An 'always-on' service is however an anti-pattern on Android and will drain the battery quickly and likely get you many 1-stars. Additionally the system may decide to kill it at any time. The other alternative is to use AlarmManager to start the service periodically, but starting it every couple of seconds or so is just as bad. So you are basically back to square one: polling.
The other way is to get push notifications using GCM or a similar service. This does require you to have a server, and the server needs to have the authentication info for the user (which might be a problem), but there are no real constraints concerning keeping open connections and sending IDLEs each second, etc. On the Android side, if you want to implement push yourself, you need to keep an open socket to get notifications. This is not very easy to do if you are not a system app (see above), so that leaves GCM. The connection it uses is manged by the system (Google Services framework), it can do things a regular app cannot, and you basically get it for free, since it's already there. It receives small pieces of data when there is something to do, called 'tickles'. Those in turn trigger broadcasts, Google Play updates, etc.
So, take your pick. Or just give up, register the account and use GMail and its labels Android API.
I'd check out Google Cloud Messaging (GCM):
http://developer.android.com/training/cloudsync/gcm.html
My understanding is that this works without requiring the user's Google account, and lets you handle authentication.
See a tutorial here:
http://www.techrepublic.com/blog/app-builder/implementing-googles-cloud-to-device-messaging/428
You would need additional server-side code running to do this though.