Google Drive SDK - client secret - how secret is it? - java

According to the Google Drive SDK documentation you need to register your custom application with your Google account to obtain a client-id and client-secret information. You can then use these to build the link for your users to obtain access/refresh tokens.
According to some introductory guides on OAuth I've read, the client-secret information should be kept secret in some cases and not in others. I'm building a Maven plugin in Java and it seems that you can hardly keep the value secret in this case.
Is it ok to release my code as open source including the client-secret information? Or does it mean a potential risk for me? And if it's not ok then how can I allow other people to use the plugin without disclosing the client-secret value?

See Google's documentation on OAuth 2.0 for Installed Applications:
The Google OAuth 2.0 endpoint supports applications that are installed on a device (e.g. Mobile, Mac, PC). These applications are distributed to individual machines, and it is assumed that these applications cannot keep secrets.
You should be fine releasing the secret. The only risk is that some rogue user "burns up" all your quota. Per-user quotas may help mitigate this issue if it arises.

It depends what you’re releasing. If you’re making a library that other people are going to use to build apps then no, they should register & use their own client secrets for their own apps.
If you have an app that you’re releasing and also want to post the source code because you're a good citizen, I’d also leave the client secret out of the posted source code; people who want their own versions of the apps should register their own clients.
Of course, anything that's compiled into a mobile app isn't really much of a secret any more, because mobile devices can't keep secrets.

Release the code without the tokens and explain how those using your code can get their own.
Otherwise people might abuse yours or copy them for other projects.
Otherwise you can burn your quotas and also if it gets copied into other apps, those will appear as yours when the permission dialog pops up to the user (with your app name and logo)
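The answers above agree on the practical point: ship the source without the client secret and let each user register their own OAuth client. What that looks like in code, as an added Java example that is not from the question, the answers, or Google's SDK: the tool loads client_id and client_secret at runtime from the user's environment, refuses to start without them, and builds the authorization URL for the authorization-code flow. The environment variable names GOOGLE_OAUTH_CLIENT_ID / GOOGLE_OAUTH_CLIENT_SECRET and the localhost redirect URI are assumptions made here; the authorization endpoint and the drive.file scope are Google's documented ones. In a Maven plugin the same two values would arrive as @Parameter fields or a server entry in settings.xml; plain environment variables keep the example self-contained.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not from the original question or Google's SDK: an open-source
 * tool that needs a Google OAuth client keeps client_id/client_secret OUT of the
 * source tree and loads them from the user's own environment. Every user of the
 * tool registers their own client in the Google API console and exports
 * GOOGLE_OAUTH_CLIENT_ID and GOOGLE_OAUTH_CLIENT_SECRET (names chosen here).
 */
public final class OAuthClientConfig {

    private static final String AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth";
    private static final SecureRandom RNG = new SecureRandom();

    private final String clientId;
    private final String clientSecret;

    private OAuthClientConfig(String clientId, String clientSecret) {
        this.clientId = clientId;
        this.clientSecret = clientSecret;
    }

    /** Loads the credentials from the environment and refuses to run without them. */
    public static OAuthClientConfig fromEnvironment(Map<String, String> env) {
        String id = env.get("GOOGLE_OAUTH_CLIENT_ID");
        String secret = env.get("GOOGLE_OAUTH_CLIENT_SECRET");
        if (isBlank(id) || isBlank(secret)) {
            throw new IllegalStateException(
                "Set GOOGLE_OAUTH_CLIENT_ID and GOOGLE_OAUTH_CLIENT_SECRET to the values of an "
              + "OAuth client you registered yourself; this tool ships without a built-in client.");
        }
        return new OAuthClientConfig(id.trim(), secret.trim());
    }

    private static boolean isBlank(String s) {
        return s == null || s.trim().isEmpty();
    }

    /** Fresh, unguessable state value; the redirect handler must compare it before accepting a code. */
    public static String newStateToken() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Builds the URL the user opens in a browser to grant access (authorization-code flow). */
    public String authorizationUrl(String redirectUri, String scope, String state) {
        Map<String, String> q = new LinkedHashMap<>();
        q.put("client_id", clientId);
        q.put("redirect_uri", redirectUri);
        q.put("response_type", "code");
        q.put("scope", scope);
        q.put("state", state);
        q.put("access_type", "offline");   // also request a refresh token
        StringBuilder sb = new StringBuilder(AUTH_ENDPOINT).append('?');
        boolean first = true;
        for (Map.Entry<String, String> e : q.entrySet()) {
            if (!first) sb.append('&');
            first = false;
            sb.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return sb.toString();
    }

    /** Only the token-exchange step (server-to-server) needs the secret; it never goes into a URL. */
    public String clientSecret() {
        return clientSecret;
    }

    /** Keeps the secret out of logs and stack traces. */
    @Override
    public String toString() {
        return "OAuthClientConfig{clientId=" + clientId + ", clientSecret=<redacted>}";
    }

    public static void main(String[] args) {
        OAuthClientConfig cfg = fromEnvironment(System.getenv());
        System.out.println(cfg);
        System.out.println(cfg.authorizationUrl(
            "http://localhost:8080/oauth2callback",            // assumed redirect URI
            "https://www.googleapis.com/auth/drive.file",      // Google Drive per-file scope
            newStateToken()));
    }
}
```

Run it with the two variables unset and it exits with the message telling the user to register their own client, which is exactly the instruction the README of the open-source plugin should carry; with them set it prints a redacted config line and the authorization URL.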

Related

Android authorization with Google for my own server

So I'll start from the beginning. I want to create an Android application and a server (written in java). The server will be written in Java. What I want to do is to be able to log in to my server from the Android application, using the Google account. After the device is logged in, there will be some information sharing with HTTP Requests. I want to use REST.
How should I proceed for achieving my goal? I guess I should use the Google API and Google App Engine. What should I do to implement the log in and the part in the server? It's the first time for me writing a server and an application with log in, so any advice will be appreciated. The application is for educational purposes. Thanks in advance!
I would really suggest you give Google App Engine a try, specially combining it with Cloud endpoints which are designed to connect your server to clients like an Android App. Using endpoints you'll get cloud infrastructure + REST services + native libraries ( for Android, JS and iOS) and everything related to authentication is already sorted out (via OAuth).
App Engine can also be developed using Java and it's already integrated with popular IDEs like Eclipse (through the Google Plugin) and Android Studio (as backend modules) so you probably have everything you need to start working on your App Engine server.
Use Google Play services (you don't need App Engine).
Here is the complete process with code samples: Authorizing with Google for REST APIs
Another option you can look at: Google+ Sign-in for Android
On the server side, once you have the auth token, you access the Google REST API with the username and token, and Google will tell you if the access is authorized.
I understand what you're trying to do. Your user already has a username and credentials on Google, why not just get the username and let Google do all the authentication?
However, you might want to re-think this approach.
The problem is that you will ask your user to sign in to Google and Google will ask the user (through logic in the Android API code) if your application can have access to their information in Google. Your users may balk at granting that kind of access to your application, and that will hamper your efforts to get people to use your app.
Now, if your app actually uses the Google REST APIs, then this would make more sense, because the auth token your app requests will provide access to a Google API.
But if all you're doing is authenticating, your users might be hesitant to authorize your app for some Google operation they don't think you need.
To get a feel for the OAuth 2.0 message flow, you can use this: OAuth 2.0 Playground
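The "Google will tell you if the access is authorized" step from the answers above, as an added Java server-side example that is not part of any answer and not Google's client library: the Android app sends the Google ID token it obtained, the server asks Google's tokeninfo endpoint about it and then, crucially, checks that the token's audience ("aud") is this server's own OAuth client id, so a valid Google token issued to some unrelated app cannot log a user in here. The client ids, the e-mail address and the offline tokeninfo body in main are constructed; the small JSON field extractor is demo-only, not a general parser.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not from the answers above or from Google's libraries: the server
 * side of "Android app signs in with Google, then calls my REST API". Google's
 * tokeninfo endpoint says whether the token is valid; the audience check is ours.
 */
public final class GoogleTokenVerifier {

    private static final String TOKENINFO = "https://oauth2.googleapis.com/tokeninfo?id_token=";

    /** Separates the network call from the checks so the checks can run offline. */
    public interface TokenInfoSource {
        String fetch(String idToken) throws IOException, InterruptedException;
    }

    /** Real lookup: HTTP 200 with a JSON body means Google accepted the token. */
    public static final TokenInfoSource GOOGLE = idToken -> {
        HttpRequest req = HttpRequest.newBuilder(
            URI.create(TOKENINFO + URLEncoder.encode(idToken, StandardCharsets.UTF_8))).GET().build();
        HttpResponse<String> resp = HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) {
            throw new IOException("tokeninfo rejected the token: HTTP " + resp.statusCode());
        }
        return resp.body();
    };

    /** What the rest of the server may trust after verification. */
    public static final class Identity {
        public final String subject;   // stable Google user id ("sub"); key accounts on this, not on e-mail
        public final String email;
        Identity(String subject, String email) { this.subject = subject; this.email = email; }
    }

    private final TokenInfoSource source;
    private final String expectedAudience;   // this server's own OAuth client id

    public GoogleTokenVerifier(TokenInfoSource source, String expectedAudience) {
        this.source = source;
        this.expectedAudience = expectedAudience;
    }

    public Identity verify(String idToken) throws IOException, InterruptedException {
        Map<String, String> info = parseFlatJson(source.fetch(idToken));
        String iss = info.get("iss");
        if (!"https://accounts.google.com".equals(iss) && !"accounts.google.com".equals(iss)) {
            throw new SecurityException("unexpected issuer: " + iss);
        }
        if (!expectedAudience.equals(info.get("aud"))) {
            throw new SecurityException("token was issued for another client: " + info.get("aud"));
        }
        long exp = Long.parseLong(info.getOrDefault("exp", "0"));
        if (exp <= Instant.now().getEpochSecond()) {
            throw new SecurityException("token expired");
        }
        if (!"true".equals(info.get("email_verified"))) {
            throw new SecurityException("e-mail address not verified by Google");
        }
        return new Identity(info.get("sub"), info.get("email"));
    }

    /** Extracts key/value pairs from the flat JSON object tokeninfo returns (demo only). */
    static Map<String, String> parseFlatJson(String json) {
        Map<String, String> out = new HashMap<>();
        Matcher m = Pattern.compile("\"([^\"]+)\"\\s*:\\s*(?:\"((?:[^\"\\\\]|\\\\.)*)\"|([^,}\\s]+))").matcher(json);
        while (m.find()) {
            out.put(m.group(1), m.group(2) != null ? m.group(2) : m.group(3));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed tokeninfo body standing in for Google's reply so the demo runs offline.
        String fake = "{\"iss\":\"https://accounts.google.com\",\"aud\":\"1234.apps.googleusercontent.com\","
            + "\"sub\":\"1234567890\",\"email\":\"user@example.com\",\"email_verified\":\"true\","
            + "\"exp\":\"" + (Instant.now().getEpochSecond() + 3600) + "\"}";
        GoogleTokenVerifier mine = new GoogleTokenVerifier(t -> fake, "1234.apps.googleusercontent.com");
        System.out.println("accepted subject " + mine.verify("token-from-the-app").subject);

        // Same valid token presented to a server with a different client id: must be refused.
        GoogleTokenVerifier other = new GoogleTokenVerifier(t -> fake, "9999.apps.googleusercontent.com");
        try { other.verify("token-from-the-app"); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

In production, construct the verifier with GoogleTokenVerifier.GOOGLE and the client id from the Google API console; the constructed body in main only shows why the audience check matters.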

Linkedin contacts who have installed my app?

I'm developing an Android application and I have integrated LinkedIn into my app for authentication by using this link
http://www.theappguruz.com/blog/android-linkedin-connectivity-code-sample/.
I want to know the user's connections (friends/associates) on LinkedIn who have installed my app, i.e. the user's LinkedIn connections who have downloaded my app. Is there any way to achieve this?
Thanks in advance for any help
I believe most of the time this task is done on the application side from scratch (It was called autodiscovery in our project).
So basically what you need is connection management for the User. Simplest possible solutions:
App based User connection management.
In this case you need to have some distributed Key-Value store available to your Android application (Some Redis host for example).
The simplest workflow in this case
Populate key-value - like linkedIn_ID -> your_application_id on LinkedIn API authorisation.
Find connected users for your Application, querying by connection LinkedIn_ID.
Server based User connection management
The same thing, but introducing separate API on your server.
In both cases, take into consideration new connections that might appear after some time.

Using Android license verification serverside

I've been thinking about implementing the Google Play licence check on my Java server. Is that even possible? I haven't been able to find anything on this matter. I know Android LVL is written in Java, but I'm not sure if it can run outside of the Dalvik machine. Is there a possibility of checking the Google account name or some kind of device ID against Google Play to check whether an app has been bought in a Java server application?
The answer above is simply verifying response data (returned by google LVL on android device) on app server.
I think the question is asking if it's possible to call some google web API to do Google Play license check on its app server. But it seems like google doesn't open the web API interface to its licensing server, all LVL calls need to be done using its google play service framework on android device.
Yes it's possible, the java sources are out there and could be downloaded (and afaik, the jar is not dexed until you compile your application) - see some kind of manual over there at developers.android.com to read about how to get the sources
I've heard about a PHP project trying to attempt it, but using Java should be no problem at all - you do the same things on the server that the manuals state for the client - and let the client send the encrypted response from the market directly to the server via SSL (e.g. byte[] post)
You should get a UID from ResponseData.userId
Read some more in this blog post and more info and links in another SO answer
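The "do the same things on the server" step of the answer above, as an added Java example that is not from the answer or from the LVL sources: the app forwards the two strings it gets from the licensing service, signedData and its base64 signature, over TLS; the server verifies the RSA signature with the app's licensing public key from the developer console (SHA1withRSA over the raw signedData bytes, X.509-encoded key, which is what the LVL's LicenseValidator does on the device) and only then trusts the fields inside signedData, including the userId the answer refers to. The key pair, package name, nonce and user id in main are constructed so the demo runs offline; a real deployment passes the console's base64 public key and the nonce the app generated for that particular check.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

/**
 * Added example, not code from the answers or from the Android LVL: server-side
 * verification of a Google Play license response. signedData has the form
 * responseCode|nonce|packageName|versionCode|userId|timestamp[:extras].
 */
public final class PlayLicenseVerifier {

    // Response codes as defined by the LVL's LicenseValidator.
    public static final int LICENSED = 0;
    public static final int NOT_LICENSED = 1;
    public static final int LICENSED_OLD_KEY = 2;

    /** Parsed signedData; userId is what the answer above calls ResponseData.userId. */
    public static final class ResponseData {
        public final int responseCode;
        public final long nonce;
        public final String packageName;
        public final String versionCode;
        public final String userId;
        public final long timestamp;   // milliseconds since the epoch

        ResponseData(String signedData) {
            int colon = signedData.indexOf(':');
            String main = colon < 0 ? signedData : signedData.substring(0, colon); // extras after ':' not needed here
            String[] f = main.split("\\|", -1);
            if (f.length < 6) throw new IllegalArgumentException("malformed signedData");
            responseCode = Integer.parseInt(f[0]);
            nonce = Long.parseLong(f[1]);
            packageName = f[2];
            versionCode = f[3];
            userId = f[4];
            timestamp = Long.parseLong(f[5]);
        }
    }

    private final PublicKey publicKey;
    private final String expectedPackage;
    private final long maxAgeMillis;

    public PlayLicenseVerifier(String base64PublicKey, String expectedPackage, long maxAgeMillis) throws Exception {
        this.publicKey = KeyFactory.getInstance("RSA")
            .generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(base64PublicKey)));
        this.expectedPackage = expectedPackage;
        this.maxAgeMillis = maxAgeMillis;
    }

    /** Returns the verified response data, or throws if the signature or any field is wrong. */
    public ResponseData verify(String signedData, String signatureB64, long expectedNonce, long nowMillis) throws Exception {
        Signature sig = Signature.getInstance("SHA1withRSA");
        sig.initVerify(publicKey);
        sig.update(signedData.getBytes(StandardCharsets.UTF_8));
        if (!sig.verify(Base64.getDecoder().decode(signatureB64))) {
            throw new SecurityException("signature does not verify: not produced with the licensing key");
        }
        ResponseData d = new ResponseData(signedData);   // parse only after the signature checks out
        if (d.nonce != expectedNonce) throw new SecurityException("nonce mismatch: replayed response");
        if (!expectedPackage.equals(d.packageName)) throw new SecurityException("response is for another package");
        if (nowMillis - d.timestamp > maxAgeMillis) throw new SecurityException("response too old");
        if (d.responseCode != LICENSED && d.responseCode != LICENSED_OLD_KEY) {
            throw new SecurityException("not licensed, response code " + d.responseCode);
        }
        return d;
    }

    /** Offline demo: a throw-away key pair stands in for Google's signing key and the console's public key. */
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        String consolePublicKey = Base64.getEncoder().encodeToString(kp.getPublic().getEncoded());

        long nonce = 8675309L;                       // constructed; the app would generate this per check
        long now = System.currentTimeMillis();
        String signedData = LICENSED + "|" + nonce + "|com.example.app|3|constructed-user-id|" + now;
        Signature s = Signature.getInstance("SHA1withRSA");
        s.initSign(kp.getPrivate());
        s.update(signedData.getBytes(StandardCharsets.UTF_8));
        String signature = Base64.getEncoder().encodeToString(s.sign());

        PlayLicenseVerifier v = new PlayLicenseVerifier(consolePublicKey, "com.example.app", 60_000L);
        System.out.println("licensed user id: " + v.verify(signedData, signature, nonce, now).userId);
        try {
            v.verify(signedData, signature, nonce + 1, now);   // wrong nonce: a replayed or unrelated response
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The order of checks matters: nothing inside signedData is read until the signature has verified, the nonce ties the response to the request the server actually issued, and the timestamp window stops an old but genuine LICENSED response from being reused indefinitely.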

Access Google Talk chat history

I'm looking for a method to access Google Talk chat history. Method to be used for an android device but does not have to be specific to it. I am looking for preferably an official method, but this is not required. AFAIK there is no official method. The method must specifically not be:
Through IMAP (requires chat and label to be enabled)
Through Talk.apk's ContentResolver (requires that the talk.apk be installed)
unless it somehow bypasses the problems listed after the methods above.
Google's different Google Talk applications are able to do chat history but there is no documentation that I'm aware of of how this works.
Google Apps Script has a getChatThreads() API Call.
You're going to face issues with any of these methods. I think the best (of the bad) solutions is to use IMAP and include steps for enabling the Chat label to be accessed via IMAP. One nice thing about OAuth 2.0 Gmail IMAP authentication is that it doesn't depend on the user turning IMAP on in GMail, it just works regardless of the user's IMAP setting.

Android License Test Response - Never works

I've been working on an Android App that has already been published to Google Play. For the next update (versionCode = 3) my client wants to include the LVL licensing scheme.
The first thing I did was set up a static test response from the licensing server. I set the test response to LICENSED. After reading this in the documentation:
> This License Test Response will be sent to devices using [my email address] or the Test Accounts listed above for applications you have uploaded to Google Play. Additionally, this account (but not the Test Accounts) will receive this response for applications that have not yet been uploaded to Google Play.
I thought, not a problem, since my developer account email is the same as my Google Play account email on my testing devices. So I should receive the test response when debugging the App.
After that, I read through all the other licensing documentation and sample code and integrated it into the App. I used a ServerManagedPolicy with the correct base64 public key and 20 random generated bytes as the salt.
Once everything looked good I uploaded it to the device to test it, but instead of receiving the LICENSED response that I expected, I am always receiving a NOT_LICENSED response. I went back and made sure that:
I was connected to the internet.
I was signed in to my developer account on Google Play.
The LicenseChecker was using the correct public key.
I had cleared my Google Play cache.
At first, I thought maybe it had something to do with the caching, so I tried using a StrictPolicy instead. Same response. Since I haven't purchased the App from the store, I'm under the impression that the licensing server is responding normally instead of sending the static test response. Here are some other things I have tried:
Waiting 24 hours and trying again.
Tried building the App with the android debug key, as well as the current distribution key.
Setting up and using a different test user account on Google Play. I made sure to add this email account to the 'Test accounts' section in the developer console.
Uploading the APK to Google Play, but not publishing it.
Incrementing the versionCode from 2 to 3. This is interesting, because instead of responding NOT_LICENSED it returns the 'application error code' ERROR_NOT_MARKET_MANAGED.
This leads me to believe that the license server is always responding normally, instead of sending the static test response I set up to my developer account. I have a feeling it may be because the App is already published, but I cannot risk publishing a debug build just to test whether or not it is working.
Has anyone been in this situation before? Any help is greatly appreciated.
I had the same issue but was able to resolve it. Here are the things I did to fix:
1) on my device, I removed all google accounts except the test account I had configured for. Apparently, play store was still trying to use a non testing account.
2) I had to activate test status for my developer account even though I'm the main developer and only tester.
The version increment thing did not help and honestly was a distraction...
I've spent hours and even days with the same problem, it is documented here and elsewhere, that pre-published license test is hit and miss, and more miss than hit from what I discovered.
The only way I've found to make it work "more reliably" (but still not totally reliable) is to have a hardware device that is reset to factory defaults, then set its PRIMARY Google user as the same one as your dev account that has the app uploaded to test with.
The special AVDs are also not very reliable.
I have the same problem when testing using LVL library. I always get the 561 (0x231 NOT_LICENSED) response no matter what I set the License Test Response to in the settings page.
My paid app users don't seem to complain so I'm assuming LVL is working for them.
At first one of my apps had this problem and it went away after 1 day (published Dec 30 2012), now I get valid test response in that app.
However, I still get the 561 (0x231 NOT_LICENSED) response for a newer app (published Jan 31 2013)
So now I just comment out (disable the alert dialog code that pops up for 561) after I publish the APK and continue my development for the next release.
I un-comment (enable the alert dialog code) before I publish again!
I contacted Google Play, they referred me to their developer forums. I posted the same question there but then I can't find my post.
Good to know that I'm not the only one facing this problem.
Not sure I am adding anything new but having similar problems and frustrations at what-should-be-happening vs what-is-happening I'll offer up this which seemed to work: 1) remove all of the users in the Play Console's license testing list of users; 2) whatever device you are testing remove all of the Google accounts; 3) on that same device create a new, unique Google account (e.g., iamalicensetester@gmail.com); 4) add that Google account to the Play Console license testing list of users.
What I think might be happening is that if you have more than one account on a device and one of them is licensed then a non-licensed account of that same device (or other devices) will inherit that characteristic. This idea of mine is just a model (all models are wrong, but some are useful) to (mostly) allow me to get back to the work of testing...and (partially) to have some way to explain this nonsense to myself.
I did try most of the things mentioned above...clearing the cache, the storage, etc. -- you'd think that Google would want a better facility with dashboarding but don't know if that is even on their radar. I mean, revenue, right?