I am very new to writing apps so please bear with me :)
I am writing an Android app that communicates with my server to send GET request and get some data from the server and show it to client (android app user).
API URL:
http://myserver.com/get.php
GET data/variables
api: my api key
extra GET variables
It'd be like:
http://myserver.com/get.php?api=XXXXXXXXXXXXXXXXXXX&extra=something&fields=here
So can an attacker see the API key by decoding the app with tools like apktool, smali etc? If yes then how can I secure it?
Note : the answer you are going to read are based on my experience and my research, feel free to comment if my information is wrong. Im not a network architect, but i have some experiences building web services, and did hours of research (because just like you, i dont understand about security at first). I hope this will help you.
Use POST, its safer than GET if you use REST.
Use HTTPS (i know its a little bit more expensive)
Use SOAP, instead of REST if you really need good security (ex : Banking Apps).
Use Dexguard/Proguard so your apps will be hard to reverse engineered.
Related
I want to accomplish this:
https://developers.google.com/games/services/web/serverlogin
with Java instead of javascript. I know the APIs exist for Java, as I already have a desktop application and an Android application that are able to login properly to Google, using Java APIs. Now I just need to figure out how to follow the process described above with regular Java.
This line is particularly annoying:
"If the auth object in my google-signin-callback already has an access token, can I send that to the server instead of performing this additional code-exchange step?
A: No. You should avoid sending access tokens to your server if at all possible. The "exchange a single-use code for an access token" strategy is much more secure and we highly recommend using that approach in your applications."
I have seen things that seem to contradict in several places, including on Google's guides. This seems like it would be the easiest way given what I have working, but I'd do it properly if I could figure out how in Java. I want to be able to access Google Play Games Services on the client side as well as the server side.
1) How do I get a single use token on the client side? (on android and desktop)
2) How do I exchange it on the server side?
Thanks
I've been looking around all morning, and can't seem to figure this one out. I know it's not as complicated as I think it is, and all I need is just some pointers to the right direction.
I have an Android application that takes some user input, sends it to a Java application over the web, and then receives some output based on the input.
My Android and Java applications are ready, but how do I go about sending and receiving the data over the web? I understand that I'll be sending and receiving HTTP requests, but my problem is where I'll be sending them and receiving them from. Do I host my Java application on a Servlet like Tomcat, or do I use something like OpenShift to host my application for me?
I have no trouble with sending some HTTP request from my Android application to the web and receiving some output back, but my problem is that my web service needs to use a Java library to process the input and generate the output. I'm just not sure how I'm supposed to get this data to and from this Java library that needs to be hosted on the web.
I hope my question makes any sense.
EDIT: Perhaps I wasn't clear with what exactly I need help with. I do realize that the architecture I use doesn't really make any difference, but the problem I have is with how I'm supposed to use this architecture.
Let's say I have a registered domain name that I can easily send to and receive data from using my Android application - no trouble with that. But how am I supposed to integrate my Java library with this server? Do I just create an applet and put it on my server? Does my web host even allow Java applets to run?
I guess my question is how I'm supposed to get through the "barrier" between my HTTP request / transport layer protocol and my Java application.
Server architecture usually does not matter. You can use Java, NodeJs, Rails, Python, .NET, etc. You just need an endpoint that accepts a HTTP POST/PUT/GET/DELETE/PATCH verb.
This is more a question of "how do I set up a server to accept input" and its a very large topic in itself. I would advise you look at PAAS solutions like:
Parse.com
Kinvey.com
You can use their tools to build a solution fairly quickly. If you need something custom you'll need to build your backend in the language of choice and host it online via AWS, Google Cloud, Heroku, a VPS or something similar.
I've had a look around and could not find what I'm looking for, so please feel free to redirect me.
I'm writing a card game that uses a Java server that stores the card information. I want to develop an Android app that connects to this server (via TCP/IP is my initial thought) and issues the commands i.e. pick up cards, play cards etc. (as the cards are stored in arraylists within the server app.)
My knowledge of Android is extremely limited and I cant find any good sources that could possibly help me, or explain how android networking works.
You need tcp server socket communication >
http://developer.android.com/reference/java/net/Socket.html
I would recommend to use a REST service and communicate via JSON. You can use for example Robospice in combination with Jackson2 which also brings you async communication and caching out of the box.
https://github.com/stephanenicolas/robospice/wiki/Starter-guide
Socket communication is really old school ;-)
I have a edittext wihch users can write something and post my server. I want to know how can I control the text include javascript , jquery or something else which has bad behavior ?
should I solve this android side or webservice side ? I use mvc 4.5 (I mean should I solve this c# side?)
thanks in advance
I think you should move it to the server side.
Why ? Because if someone want to do bad things with your backend, he can easily do it directly with his computer thus bypassing your android side content purification.
He just have to launch Wireshark on his PC (or use a proxy to do MITM if you use HTTPS or SSL), listen the conversation your Android app and your server are having and then use that information to build an attack with his computer.
A lot of APIs are not securised enough because people are still thinking that people can't access it outside the apps, it's wrong, they can.
A friend and I are currently working on a turn-based game with chat with both desktop browser and Android clients, with Google App Engine as the server.
We're using the Java API for GAE and using HTTP for communication with the server. We've implemented simple chat functionality, and we're getting undesirable latencies 1-3 seconds from both the browser and Android clients while just posting simple one-word chat messages.
My friend thought it would be best to use XMPP instead of HTTP, but we want to use a Google Accounts cookie for authentication from the Android client, and according to the GAE documentation, XMPP clients cannot use a Google Accounts cookie and must use the user's password.
Does anyone have any suggestions as to where the latency might be coming from, how to troubleshoot it, and/or what to do about it?
Also, is anyone aware of any opensource implementations of chat (or something similar) on GAE done in Java? Can't seem to find any.
One way to analyze the situation would be to use Wireshark to look at the network traffic during the delays.
You don't say how your chat messages are getting from one JVM to the other. If you're using the datastore, maybe try memcache?
Also, startup time is often an issue; app engine starts and stops JVMs all the time, particularly for a low-traffic app. A way to diagnose this is to reload the page a bunch of times (send more messages) and see if it gets faster after a while. It should be pretty easy to tell the difference in the admin console logs.