I have a project in mind, but i was hoping i could get some insight.
Would it be possible to have a page allow access to my phone, or a co workers phone or laptop or device, but refuse any other device to gain access to this page.
The idea of this project is through QR codes, for example,
If i generate a QR code, to access a list of lets say, inventory. i would like my phone, or my co workers phone to gain access to it, but if say my brother or someone outside trys the code and gets sent to this specific page(s), it doesn't allow it to happen because the phone ID or tablet ID is not in the list to gain access.
It would be difficult to create a login page and enable QR codes, because you cannot implement the login information in the QR code because then the security would be irrelevant.
Any suggestions??
Your page could restrict access based on the originating IP address. The feasibility of such a system would depend on a number of parameters, such as whether you are connecting over wifi or cellular, in the case of wifi - whether you trust the wifi network, in the case of cellular - how often the cell provider changes your address.
A better solution might be to use a custom URI scheme and a custom app installed on only the phones and tablets that you want to have access. When the device scans the QR code, the app would handle the request, and then log in to the web site over HTTPS with proper authentication. e.g.
QR code: my.app://blah/blah
App handles URL, logs into server, redirects to https://my.site/blah/blah
Why not use identity certificates? Sign your message (QR Code) with the corresponding private key and validate for scanner's Identity, Trust and Message integrity.
Related
I am trying to make a spring web application and it will be requested from multiple devices (e.g. Android phones and iPhones). I need to identify the device which sends a request in order to recognize it in a later stage. How am I to achieve that in java?
A sample scenario: User signs in using a Samsung A7 and another user signs in using an iPhone 8.
I need to track and store the actions by the device. I think I need the user of a device to log in every time in order to show all actions executed by this related device. I need to recognize the device for every request here and also I will need to show to the user all logged-in devices.
I have tried to achieve this with a mac address but I think it's not effective.
when type on cmd "ipconfig/all" the following list appear but which physical address should choose between all of them ??!!!!
and i try this java code to get mac address but a NullPointerException is occurred
InetAddress address = InetAddress.getByName(HttpRequestHelper.getRemoteAddress());
NetworkInterface ni = NetworkInterface.getByInetAddress(address);
byte[] mac = ni.getHardwareAddress();
Are you using a native app for mobile or yours is only a website?
Any way the only way is recognize user agents headers to know the device and you can use for example the device token push address that is mostly unique id.
If yours is only a website you can store the device with a generated id or random, save to your database and on browser cookies
I'm developing an android banking app and want users to stay logged in even after app is shut down. My idea to make this as secure as possible was to store a unique device id in the JWT and then extract the id from the token and compare it to the device id fetched from device at startup of app.
I would store the token in SharedPreferences, however, I just read that these device id's are not always unique due to people rooting they're phones. What would be the best solution? How can I be sure that the token I'm verifying at startup, is given to that user/device? I don't necessarily need to use device id's so any other secure option is welcome.
I don't think it's a good idea to have a persistable login session inside something as sensitive as banking app, but if you insist:
Use SafetyNet Attestation API for checking if the device you're running your app on is rooted and if it is, prevent the user from interacting. Once you did that just use regular SharedPreferences with Mode.PRIVATE and no one should be able to read this data outside of your app.
I've made a simple mailing app that takes in email credentials and uses it to send emails of certain kinds to selected addresses. Problem is, I've had to input the credentials right into the code, so anyone who uses dex2jar can get the source code and get the email used for forwarding and easily make the app obsolete.
I imagine I'm not the only one facing this issue, so what are some ways to make my code secure?
No matter how good of a technique you use to hide the credentials, if it's in the code then it can always be found.
Instead of hard coding them in, you could perhaps let the user specify them when he starts the app? If that can't be avoided you could instead have a remote service that will do the sending and forward your request to that.
You can not both connect to an e-mail account and keep those same users out of said e-mail account. Consider using a hosted server as part of the project to securely connect to the e-mail account from the server level and process these e-mails remotely.
I have an android app and I want to allow a user to login using a verification code. I want to send the verification code in an SMS to the user's phone. What is the best solution to verify if the verification code matchs on the server side?
Is the creation of new table that contains verification codes a good idea?
Here are a couple ways to implement user verification on Android:
Some apps build it themselves with SMS / Voice APIs
Others use a verification specific API
With SMS / Voice APIs
You'll need to generate a code (huge security threat)
Send it via the channel you use primarily
Set some kind of time delay job (queue,worker, whatever)
Send a fallback message should you get no response
from the user
Nexmo’s Verify API
Instead of paying different fees for each country, Nexmo allows you to go globally with a simple API call for a flat fee of 10 cents per verification, NOT per attempt (unsuccessful attempts will not be charged towards your account)
Verification code should arrive to your phone as an SMS. If you wait a while, you'll also get a phone call, and the code will be read to you. The timing and channels used depends on the type of number, the country, and the carrier.
You can also use Verify's Android SDK, which enables you to build Verify into your Android app by simplifying this integration. After importing this library into your app, you will only need the user's phone number, while the SDK will take care of the remaining steps required to verify your users.
Take a look at Nexmo's Verify Android SDK here
Full disclosure, I work at Nexmo.
I am posting this in order to confirm if it is possible for PHP to get a user's machine hardware information when connected to a website?
In my case I am developing an Intranet which requires one user - one machine login. Which means a user assigned to his/ her machine can only login, others cannot login from that particular machine. In this regard, my database and PHP Code is already up and running without machine dependency.
I presume it is not possible because PHP is a Server Side code which requires none of the User's system resources to get in touch with. To get system's hardware information - some application must be installed in user's machine to get it done. But is this possible in any regard for example a PHP Desktop application (though not in development) or any Java application to check machine's information and get appended it to Normal user's login.
Awaiting experts solutions...
It depends what information you need. The HTTP Headers contain the user agent (what browers/OS) of the origin, the IP address and a few other things that the server needs in order to process the request, but you can't get for instance the brand of keyboard connected to that machine.
Simple: IMPOSSIBLE! As php will output text to a browser and the browser can gather some data, but only a little (like screen resolution, colors, IP and things that are not vurnelable.). But no, PHP cannot access hardware information.
You can use the IP address to know which machine it is only if your DHCP does not change the IP at each deconnexion.
You can also use the REMOTE_USER_AGENT super global to know more informations. Apart from an ajax request that can send datas that your security policy allows the browser to get, I see no solution for your problem.