I'm building a server to test all my in-app purchases of Android market. But I don't think that I'm sending the information from the app correctly. My server is built in PHP.
My app access the url:
...&response={...json...}&signature={...signature...}
The signature is previously encoded with URLEncoder.encode(signature,"UTF-8")
My server:
$response = $_GET["response"];
$signature = htmlspecialchars(urldecode($_GET["signature"]));
And then I execute the verification process. I think the problem comes from the way that I'm passing the arguments from the app to server, because if I copy the response and signature manually and test them, the verification function says that they are valid.
URL:
...&response={"nonce":-871647007848398655,"orders":[{"orderId":"768142460571407","packageName":"net.xxx.aaa","productId":"net.xxx.mmf.flyboys","purchaseTime":1330090436000,"purchaseState":0,"developerPayload":"Flyboys"},{"orderId":"203523162686707","packageName":"net.xxx.aaa","productId":"net.xxx.mmf.16blocks","purchaseTime":1330511533000,"purchaseState":0,"developerPayload":"16 Blocks"},{"orderId":"328483664834399","packageName":"net.xxx.aaa","productId":"net.xxx.mmf.aceventura3","purchaseTime":1331037005000,"purchaseState":0,"developerPayload":"Ace Ventura 3"}]}&signature=EyT9IgZeq2OLRqCtabTIc5wOKARtdHUfCQAdkEqkGyi%2Bd1qQgcfxPnvIa9VMDQqwh8rxxGPOYQKuhaEuZUJzbSain8%2FN7p41euzb1n1%2FgZkgqXlQTDn076U2AXcp1ymBFZamrwETo0gkZi4q6PZV47oR7Rk28vPU5vjs%2Bl0TN0DdlzclHuH40CkZqD1ErSMMwWGTGR6bGnJlmmhgHC2KV7Ab63i0hdgkqk5MOtkOxhjS%2B4LG1YxmJIsxhJnOcmNI7n2VKUdtn%2B0CWxO5M8m0BcfpZ9Se3sR6ZtVli2rS1KSKQPL1Td9GWPhmG4nvzZFtKCqf9Le6Meudv6iFTSw5Hg%3D%3D
Vardump
Response
string
'{"nonce":-871647007848398655,"orders":[{"orderId":"768142460571407","packageName":"net.xxx.aaa","productId":"net.xxx.mmf.flyboys","purchaseTime":1330090436000,"purchaseState":0,"developerPayload":"Flyboys"},{"orderId":"203523162686707","packageName":"net.xxx.aaa","productId":"net.xxx.mmf.16blocks","purchaseTime":1330511533000,"purchaseState":0,"developerPayload":"16
Blocks"},{"orderId":"328483664834399","packageName":"net.xxx.aaa","productId":"net.xxx'...
(length=617)
Signature
string 'EyT9IgZeq2OLRqCtabTIc5wOKARtdHUfCQAdkEqkGyi
d1qQgcfxPnvIa9VMDQqwh8rxxGPOYQKuhaEuZUJzbSain8/N7p41euzb1n1/gZkgqXlQTDn076U2AXcp1ymBFZamrwETo0gkZi4q6PZV47oR7Rk28vPU5vjs
l0TN0DdlzclHuH40CkZqD1ErSMMwWGTGR6bGnJlmmhgHC2KV7Ab63i0hdgkqk5MOtkOxhjS
4LG1YxmJIsxhJnOcmNI7n2VKUdtn
0CWxO5M8m0BcfpZ9Se3sR6ZtVli2rS1KSKQPL1Td9GWPhmG4nvzZFtKCqf9Le6Meudv6iFTSw5Hg=='
(length=344)
When using URL Encode php will automatic decode data so if your re-decoding it it's going to break something, I have had this problem before
URL encoding is for the browser so stuff like & in a string sent though get does not act as new parameter in GET
so for you code htmlspecialchars(urldecode($_GET["signature"])); should be htmlspecialchars($_GET["signature"]);
I know this has been answered by comments but Added answer for Googlers
Related
As part of learning how to integrate OneLogin SSO in my ColdFusion app I pulled this git repo -
https://github.com/GiancarloGomez/ColdFusion-OneLogin and set up locally. But, while sending the auth request to OneLogin we are getting an error message saying "We're sorry, but something went wrong.
We've been notified about this issue and we'll take a look at it shortly."
I could not find the root cause of this issue. Appreciate your timely help on this.
Configuration on OneLogin looks like below. Note that consumer URL I modified to http://127.0.0.1:8500/coldfusion-onelogin/consume.cfm instead of actual format mentioned (http://127.0.0.1:8500/coldfusion-onelogin/consume/) in the YouTube video provided in the readme file of this git repo. I had tried changing the consumer URL format as this http://127.0.0.1:8500/coldfusion-onelogin/consume/ but we are still getting the error message.
Access Tab in OneLogin looks like below,
Below is the code which sends auth request to OneLogin.
<cfscript>
try{
// used to encode string - chose to use Java version just in case CF did not encode correctly
// encodeForURL appears to work but to keep the same as the samples from OneLogin I will use the Java reference
urlEncoder = createObject("java","java.net.URLEncoder");
// the appSettings object contain application specific settings used by the SAML library
appSettings = createObject("java","com.onelogin.AppSettings");
// set the URL of the consume file for this app. The SAML Response will be posted to this URL
appSettings.setAssertionConsumerServiceUrl(request.company.getConsumeUrl());
// set the issuer of the authentication request. This would usually be the URL of the issuing web application
appSettings.setIssuer(request.company.getIssuerUrl());
// the accSettings object contains settings specific to the users account.
accSettings = createObject("java","com.onelogin.AccountSettings");
// The URL at the Identity Provider where to the authentication request should be sent
accSettings.setIdpSsoTargetUrl("https://app.onelogin.com/saml/signon/" & request.company.getIssuerID());
// Generate an AuthRequest and send it to the identity provider
authReq = createObject("java","com.onelogin.saml.AuthRequest").init(appSettings, accSettings);
// now send to one login
location ( accSettings.getIdp_sso_target_url() & "?SAMLRequest=" & authReq.getRidOfCRLF(urlEncoder.encode(authReq.getRequest(authReq.base64),"UTF-8")), false);
}
catch(Any e){
writeDump(e);
}
</cfscript>
Below is the format of auth request URL ,
https://app.onelogin.com/saml/signon/[issuerId]?SAMLRequest=[SamlRequest].
I am not providing the actual URL here since I am not sure whether someone can tamper it or not. But please do let us know if it is really required to solve this issue.
Below is the screenshot of the SAML Login Page , from here I am clicking on the button and send auth request to OneLogin.
Also, In the index.cfm , form action attribute is "/post/". Since it was throwing an error I had to replace it with "/coldfusion-onelogin/post.cfm". Here coldfusion-onelogin is a folder under wwwroot. Any settings in ColdFusion to be modified so that it will not throw any error if we keep the form action attribute as "/post/" ?.
Hmmm. The consumer URL validator is supposed to be a regex expression, and I'm not sure how it's going to handle a literal HTTP value (since it'll try to evaluate it as regex)
So try changing URL validator to be something dumb like *. (match everything)
That should hopefully clear the error until you can sort out what you want the validation to be in production.
You need to first logout from the OneLogin Admin Panel
https://app.onelogin.com/logout
To successfully test the demo app.
A common SO question, but no specific solid answers.
My setup:
I have a website running on Classic ASP with backed DB. Unfortunately, no SSL Certs are available
I have an Android application that will send a Google Volley to request data from the site using a bespoke but simple API
Currently:
I am still in testing, privately, so currently I just access the site as such:
On the app, the user enters a UserId and Password once.
User navigates to a Fragment which is associated with a specific ASP Page which will return some data
A Volley is sent to /mysite.com/_api/apage.asp?m=md5hashhereabcdefghijk
The server searches user records for a matching hash (built on UserID+SALT+pass). On matching record, it uses the found userid as the User's ID
apage.asp does some sql queries and returns a JSON object
app receives this JSON response and parses.
The problem:
Anyone packet sniffing, or MITM, would be able to plainly see the URLs being accessed (and server responses) and be able to replicate the query via their browser. This is what I'm trying to stop. Any SALTs or secret keys in the app would be easily seen by decompiling the APK.
Issues:
I've read all sorts of different solutions, but none of which really fit my environment. I can't use ASP session variables (RESTful being stateless), I cant use HTTPS(SSL/TLS) as there are no Certs on the Server. I can't use an App-based password as this can be decompiled and easily seen.
I appreciate that you will never get something 100% secure, but can only make people disinterested in hacking a system, or not make it worth while.
Proposed solution:
I want some feedback/thoughts on the following proposed method:
Each request will have its own handshake to authenticate the app
This will go as such:
User opens app for the first time and enters UserID/Password. This will remain with the app until it is uninstalled (or logged out), but I intend to keep the user's app logged in
User navigates in the app to a Fragment that corresponds with a specific page on the server
Volley is sent with :
UserAgent HTTP header 'some value'
generate the same authentication hash for (userid+salt+pass)
encrypt this hash with a public key
one query string /apage.asp?q=abcdefghijk.... sent to server
server decrypts using its private key
server checks this hash as I do currently.
page returns plaintext JSON values (not encrypted)
The same problem happens here whereby a MITM or sniffer could replicate the URL and get the same information back
A Second Proposed Solution:
Would it be better with every request actually starting with a whole handshake?
App sends volley to server requesting a handshake (HELO)
Server gross error check with UserAgent HTTP Header
Server logs the timestamp and IP of the request and generates a unique random code
App receives this code and builds a new hash using that unique code as a Salt
App sends second volley to /apage.asp?m=MD5(UserID+UniqueCode+Password)
Server Gross error check with originating IP, timestamp+-tolerance (30 seconds between the two requests?), UserAgent Request Header.
APage.asp uses this hash to authenticate the request, providing previous steps have successfully passed.
APage.asp returns a JSON object, as requested.
Server flags the log of originating IP/timestamp as EXPIRED, or, just remove the record.
This initial step would make it a lot harder for a sniffer or MITM to replicate the URL calls, as A) Each request would have a randomly returned code B) each code/hash combo can only be used once.
The only thing I can think of is someone decompiles the App, and sees the method of handshake, so could try to replicate this. However, the username/password hash would never match as that is the only thing they cannot get from the hash (as it is salted with the random code)
Thoughts? Could it be improved with some RSA public/private key cryptography? Could I generate my querystring apage.asp?m=abcdeghi..., Generate an MD5 Hash of that, append onto the end, then encrypt before sending?
Many thanks in advance
I Am serving an authenticated image using django. The image is behind a view which require login, and in the end I have to check more things than just the authentication.
Because of a reason to complicated to explain here, I cannot use the real url to the image, but I Am serving it with a custom url leading to the authenticated view.
From java the image must be reachable, to save or display. For this part I use Apache httpclient.
In Apacahe I tried a lot of things (every example and combination of examples...) but can't seem to get it working.
For other parts of the webapp I use django-rest-framwork, which I succesfully connected to from java (and c and curl).
I use the login_reuired decorator in django, which makes the attempt to get to the url redirect to a login page first.
Trying the link and the login in a webviewer, I see the 200 code (OK) in the server console.
Trying the link with the httpclient, I get a 302 Found in the console.... (looking up 302, it means a redirect..)
this is what I do in django:
in urls.py:
url(r'^photolink/(?P<filename>.*)$', 'myapp.views.photolink',name='photolink'),
in views.py:
import mimetypes
import os
#login_required
def photolink(request, filename):
# from the filename I get the image object, for this question not interesting
# there is a good reason for this complicated way to reach a photo, but not the point here
filename_photo = some_image_object.url
base_filename=os.path.basename(filename_photo)
# than this is the real path and filename to the photo:
path_filename=os.path.join(settings.MEDIA_ROOT,'photos',mac,base_filename)
mime = mimetypes.guess_type(filename_photot)[0]
logger.debug("mimetype response = %s" % mime)
image_data = open(path_filename, 'rb').read()
return HttpResponse(image_data, mimetype=mime)
by the way, if i get this working i need another decorator to pass some other tests....
but i first need to get this thing working....
for now it's not a secured url.... plain http.
in java i tried a lot of things... using apache's httpclient 4.2.1
proxy, cookies, authentication negociation, with follow redirects... and so on...
Am I overlooking some basic thing here?...
it seems the login of the website client is not suitable for automated login...
so the problem can be in my code in django....or in the java code....
In the end the problem was, using HTTP authorization.
Which is not by default used in the login_required decorator.
adding a custom decorator that checks for HTTP authorization did the trick:
see this example: http://djangosnippets.org/snippets/243/
My Android App has an App Widget associated with it which is updated every 10 minutes on an Android Device. These updates send HTTP requests for data to the servers and parse the server response and updates the App as required.
As of now if you ping that URL from the browsers on your laptop or PC the server will respond and update whatever is required in the database on the server.
What I want to do is when the HTTP requests are received at the server, I want to identify if the request came from my Android App from an Android device and then respond with the data. I would like to change the code in the PHPs on the server in a way that they would display or redirect to some page if the HTTP request came from a browser or anything else except for my Android App.
Typical HTTP requests from the Apps are like http://example.com/abc.php?usera=abc&datab=xyz
I don't want to respond to this URL in the same way if it is coming from anywhere else except from the Android App. Is this possible? What would be a good way to achieve this..
Thanks for your help.
You can add a signature to the request and then check it on server-side.
Just take the query and add one secret word at the end, then make a MD5 of it that you can send as an header (or use as a user-agent). And on the server you do the same and check if the checksum is the same.
To make it a bit safer you can make a timestamp so the request only will be valid for a short time.
Make your query look like http://example.com/abc.php?usera=abc&datab=xyz×tamp=123456789 where timestamp is the current time (in unix time stamp) and add this in your app:
public static String makeCheck(String url)
{
URL u=new URL(url);
MessageDigest md = MessageDigest.getInstance("MD5");
u.getQuery();
md.update(u.getQuery().getBytes());
BigInteger bn = new BigInteger(1,md.digest("A_SECRET_WORD".getBytes()));
return bn.toString(16);
}
And when you need to add the header use something like:
request.addHeader("X-CHECKSUM", makeCheck(url) );
Then on your server you can use:
if (md5($_SERVER['QUERY_STRING']."A_SECRET_WORD")!=$_SERVER['X-CHECKSUM']) {
// Wrong checksum
}
$timediff=60;
if ( $_GET['timestamp']>(time()+$timediff) || $_GET['timestamp']<(time()-$timediff) ) {
// Bad timestamp
}
Remember to be a bit slack on the timestamp since your servers clock and the phones clock can be off sync a bit.
The typical way of doing this is using the User-Agent header in the HTTP request. if the request comes from the standard browser, it will uniquely identify both the hardware and software. For example a Nexus One running Froyo will have the following User-Agent:
Mozilla/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
However, if you're using HttpClient to make requests from your app, you can customise the User-Agent header that HttpClient uses as demonstrated in this answer: Android HTTP User Agent.
On the server-side you can use a regex match on the user-Agent header to determine whether a request has originated from your Android app, and send the appropriate response.
If the actual request is the same (for instance, you are not able to add a POST or GET variable to actively identify your request), you'd have to rely on other things, like user-agent.
While you can set them according to your wishes in your app (also see #mark_bakker nd #mark_allison 's answers), you should be aware that there are ways to mess with this, so don't use it for stuff you really don't want other users to see.
An android user could in theory change the user_agent string between the request leaving your app and the request leaving his/her network. So don't use it for "Android users didn't pay, so should not see this/that info" applications
The other way around, non-android users can change their user-agent too obviously, so if you have content only your paying android-users should see, they might fake the string.
In the end it might be better to just change your request if you can: you want a different reply, you should do a different request is my opinion.
When you create the HttpClient in android you can set the following
client.getParams().setParameter(CoreProtocolPNames.USER_AGENT, "MY Android device identifier");
This set the USER_AGENT for each http request send to your server. On your server you can retrieve the USER_AGENT to determine that the request came from your android device
We have web server which only accepts decoded value from android phone
As example
"http://www.url.com/data/?name=hello World"
returns expected rssult
but when we are trying to use
"http://www.url.com/data/?name=URLEncoder.encode("hello World")"
gives nothing.
We can not change the web service.
But as we all know java only accept encoded url
How can we achieve the goal so that we can send the decoded url as it is to the server
Could you please restructure the question, to make it more clear? also the below statement appear to be incorrect (Assuming you are using Java)
http://www.url.com/data/?name=URLEncoder.encode("hello World")