I want to send emails from my app engine application using one of my Google Apps accounts. According to the GAE python docs:
The From: address can be the email address of a registered administrator (developer) of the application, the current user if signed in with Google Accounts, or any valid email receiving address for the app (that is, an address of the form string#appid.appspotmail.com).
So I created a user account on my Google Apps domain, no-reply#mydomain.com, to use for outbound email notifications. However, when I try to add the user as an administrator of the app, it fails with this error:
Unauthorized
You are not authorized to access this application
Is it possible to configure app engine to send emails using a Google Accounts email address?
You must restrict your App Engine app to a Google Apps domain upon initial registration of your App Engine application ID. Unfortunately, this setting can only be set during the initial registration of your app ID.
What you'll need to do is register another application ID, set your authentication option for Google Apps domain, and upload your existing app to the newly registered ID.
Simply going through the "Domain Setup" process in your Dashboard is not enough; you'll only be able to add the app as a service and "host" it using your domain name. To restrict the authorization to your domain only, you'll need to do the first step in the initial registration.
I had also problems adding administrators. In the end, I used a regular gmail account as the sender. Which only works if sending as *#googlemail.com. *.gmail.com fails.
Related
I'm developing an Android app.
In this app the user can easily log-in via his or her Google email account without any password or anything to my webservice: the user just needs to select the Google email address from a Spinner and - if the email corresponds to an email in the database in the web service, the web service answers 'OK' and sends back the information related to that email address.
Now, I'm aware this is not a safe system because I could retrieve the same information just asking via POST the server with the email address I want to hack but to develop the app faster I didn't pay much attention to that.
Now, I'm going to release it and I would like to improve the android login system being sure that the user is really authenticated with that email in the android phone but I'd like avoiding all the OAuth system if it is possible.
The user is asked to select the email address from a Spinner and that's all.
Is there a way to do so in a safe way and easy?.
I learned Google App Engine by creating some simple application using Java.
I came to know that Google App Engine use google account like gmail, to deploy those application. I had deployed those application with my account(a gmail account). In some place Google account are blocked in Colleges, Schools, Companies, but they will allow some other mailing website like Outlook. I am also having email account like Outlook, Is it possible to deploy application with other email id like Outlook account?, if yes, how to deploy it.
Thanks!
Yes it's mandatory to sign for Google cloud like you have to sign up on aws to deploy an app on aws
I'm not sure to fully understand your use case but note that you can add a new user to the project you want to deploy to by going to the IAM & Admin page in your Developer Console and add a new user with your Outlook email address and give him the owner role (or more fine-grained permissions if you prefer).
Then, to deploy your app, from your local machine for example, you can authenticate your gcloud (gcloud init or gcloud auth login) with this new account and run gcloud app deploy as usual.
I have a web app.
In this web app there are user accounts stored in db. Passwords are not stored, users authenticate to Windows AD via LDAP.
I need to develop Windows tray notification app displaying some events that are happening in the web app. This tray app run from the client windows machine is supposed to send a request to the web app identifying itself as the web app user and display notification if web app response would provide some data.
I know how to write this tray app
I know how to handle and display the response from the web app
My concern is how to do the authentication in secure manner.
What I am thinking of is to verify on workstation level if user is logged in / authenticated into Active Directory. If it is true I would like to get the username and somehow securely inform my web that current user successfully logged in into AD and provide its username. Having that web app could send back response, if any is available for that particular user.
I am trying to avoid:
1. Requesting user for a password on app start if he has successfully logged into the AD.
2. Storing the password in any version (encrypted / hashed, etc) on the local machine, because it could be insecure and the password can change in the meantime.
Do you have any idea how to achieve the above or have other suggestion?
I will appreciate any feedback, thanks.
Scenario: Suppose by reverse engineering a .apk file, an attacker obtains the SENDER ID for Push Registration Service used in an App. The attacker develops a similar fake application which has same/different package name and has been uploaded on a different app store than Google Play.
My question: Can he/she use the same SENDER ID with the app? What are the implications of that for the user who installs that fake application?
Related Questions: google cloud messaging security question seems to be a bit similar. Also answer of Android GCM: same sender id for more application question provides valuable information. Reading both the accepted answers the conclusion seems to be that it is absolutely possible and that's why it is recommended not to have sensitive data in Push Messages.
But that doesn't seem to be the solution to the problem. I am unable to understand the effect of the above security lapse.
A sender ID (aka Google API project ID) is not tied to a unique application package name. In fact, multiple apps can register to GCM using the same sender ID, which will allow the same API key to be used for sending GCM messages to all of these apps. Of course each app will have a different registration ID (even when on the same device).
If someone knows your sender ID, they can register to GCM with that sender ID, but without knowing the API key they won't be able to send GCM messages to either the fake app or the real app. When they register to GCM, GCM receives the package ID of their fake app. Therefore if you send a message to a registration ID of your real app, it won't reach the fake app. In order for the fake app to get messages from your server, it will need to send its own registration ID to your server and fool your server into believing it's the real app. In our server application you have to mention our API key. If you want to send any notifications its needed.
They will not be able to use your GCM Sender ID to publish notifications.
Remember that when you obtained the Sender ID, you have to also submit your application's package name and your release signing key's SHA-1 signature. That signature is bound to the GCM Sender ID so that only applications signed by your release key are able to register and receive GCM notifications.
Google Play will also not allow apps with duplicate package name to be published, so nobody can create a fake app with your package name that is already in the Play store.
However, nothing is 100% secured. I presume a hacker could also figure out your SHA-1 signing key and hack the APK in such a way to fool the system to think the app is signed by your release key. I have seen apps are 'cracked' this way to circumvent Android licensing library. This could potentially fool GCM server to think the fake app is authorized to receive GCM messages. However, the 'cracked' apps are still not allowed to be published to Google Play, so the risk of legitimate users getting it is quite small.
I am trying to save some reports (in csv) on google drive from google app engine. It works fine if I hit the URL directly (after it bounced to google for authorization and click thru the screen to allow the app to access google drive)
But what if I initialize the request from cronjob in google app engine. Is there a way to let the app by passes the click thru? (or have a forever valid token?)
Note: same google account for the app and drive
For your app to access a user's data using a cron job, you will first need to get a set of OAuth 2.0 access and refresh token from the user: this should have been already implemented by you through the "click thru".
Once you get those credentials, you just have to store them in the datastore and retrieve them in the cron job in order to perform your tasks.
Retrieve and Use OAuth 2.0 Credentials shows an example of how to build an authorization flow and how to store/retrieve OAuth 2.0 credentials. Your cron job will simply need to retrieve those stored credentials and use them as usual.