I am developing an Android App where I require a user to authenticate his session before using the app. One way is to store a user name and password by asking him to register on the app and then use that to authenticate him. But i was looking to do something else, maybe use an OpenId account to authenticate or Opensoial or something like Facebook Connect. Any Suggestions and comments? thanks for you help.
Using OpenID is a great idea in fact. You can use the OpenID4Java library. As you can read here, someone has modified that project in order to make it Android compatible.
I know this is an old question but i found this while asking a newer question.
Just an idea but have you looked at the account manager? What version of android are you targeting?
The sample sync adapter example (http://developer.android.com/resources/samples/SampleSyncAdapter/index.html) uses the account manager (http://developer.android.com/reference/android/accounts/AccountManager.html)
It looks like a more secure way of using credentials on a native android client because you don't have to store the password at all locally in your app.
Related
I've just had an Android Firebase app penetration tested, and the tester found a file com.google.Firebase.auth.api.xml within Shared Preferences. It contained the access_token + refresh_token (which could be used to access the Firebase API).
Has anyone else experienced this vulnerability and know the best way to fix it?
(I can't work out or understand why this information is being stored locally, I've taken a look through the Firebase documentation and through my app and as far as I can tell everything is integrated properly. The app itself uses Firebase as the backend server which handles logins, authentication, Firestore and Storage)
Any help would be massively appreciated.
Got in touch with Firebase and this is the response for anyone interested:
"I understand your concern, as you have said the file is used to re-authenticate the user, however, those values are set after a successful login and the SDK updates that file each hour. The vulnerabilities that you may have noticed should be related to modifying information related to that specific user and the features or data the user has access to. Please remember that the Firebase security is not only on the Authentication product, they are more tools that enforce the security in a Firebase application, that is the reason why your Security Rules should avoid insecure rules and match with your business model."
I have developed an android app that directly interacts with the MongoDB for insertion and fetching the data.
I have credentials stored inside a config file of android app that I read inside the app.
mongoDBConnection:
credentials:
username: "test"
password: "test"
database: "admin"
connectionString: "mongodb://localhost:27017"
The app works as expected when installed on a phone, the worry that I have is if I ship the app can anyone decompile the app and retrieve the credentials back?
To solve the issue, the android app can interact with a backend which will route requests to mongoDB and monogo credential are stored in that backend.
I wanted to get inputs on before implementing the backend on whether a backend is required or is there any way in android app itself to store the credentials such that it does not get exposed when decompiled?
if I ship the app can anyone decompile the app and retrieve the credentials back?
Yes.
is there any way in android app itself to store the credentials such that it does not get exposed when decompiled?
No, this isn't possible. You can obfuscate them to make it harder, but it's impossible to prevent a sufficiently skilled/determined attacker from retrieving them if the app has them.
To solve the issue, the android app can interact with a backend which will route requests to mongoDB and monogo credential are stored in that backend.
This is the only way to do this, and the correct solution.
if I ship the app can anyone decompile the app and retrieve the
credentials back?
Technically yes. But if you use proguard it will be really hard for someone to figure out your DB credentials. This can be your first line of defense
is there any way in android app itself to store the credentials such
that it does not get exposed when decompiled?
Yes. Use Keystore.
Follow this article
So I'll start from the beginning. I want to create an Android application and a server (written in java). The server will be written in Java. What I want to do is to be able to log in to my server from the Android application, using the Google account. After the device is logged in, there will be some information sharing with HTTP Requests. I want to use REST.
How should I proceed for achieving my goal? I guess I should use the Google API and Google App Engine. What should I do to implement the log in and the part in the server. It's first time for me writing a server and an application with log in, so any advises will be appreciated. The application is for educational purposes. Thanks in advance!
I would really suggest you give Google App Engine a try, specially combining it with Cloud endpoints which are designed to connect your server to clients like an Android App. Using endpoints you'll get cloud infrastructure + REST services + native libraries ( for Android, JS and iOS) and everything related to authentication is already sorted out (via OAuth).
App Engine can also be developed using Java and it's already integrated with popular IDEs like Eclipse (through the Google Plugin) and Android Studio (as backend modules) so you prbably have everything you need to star working on your App Engine server.
Use Google Play services (you don't need App Engine).
Here is the complete process with code samples: Authorizing with Google for REST APIs
Another option you can look at: Google+ Sign-in for Android
On the server side, once you have the auth token, you access the Google REST API with the username and token, and Google will tell you if the access is authorized.
I understand what you're trying to do. Your user already has a username and credentials on Google, why not just get the username and let Google do all the authentication?
However, you might want to re-think this approach.
The problem is that you will ask your user to sign in to Google and Google will ask the user (through logic in the Android API code) if your application can have access to their information in Google. Your users may balk at granting that kind of access to your application, and that will hamper your efforts to get people to use your app.
Now, if your app actually uses the Google REST APIs, then this would make more sense, because the auth token your app requests will provide access to a Google API.
But if all you're doing is authenticating, your users might be hesitant to authorize your app for some Google operation they don't think you need.
To get a feel for the OAuth 2.0 message flow, you can use this: OAuth 2.0 Playground
Hereis my problem,
I make an Android application and i use Windows Azure.
I use Azure to make login activity with Facebook. It works well i can log in.
However i want to get the Name and last name of the guy who log in using Facebook.
I have no idea how to do it using windows azure, i check this web site http://blogs.msdn.com/b/carlosfigueira/archive/2012/10/25/getting-user-information-on-azure-mobile-services.aspx
But i don't understand it. Anyone got an idea on how to get the name and last name of the person who log in using windows azure on android ?
To get user's information from facebook, first User must authorize it. Second, you need to query this information using graphs api from facebook.
Here some tutorials that could help you:
http://blogs.msdn.com/b/carlosfigueira/archive/2012/10/25/getting-user-information-on-azure-mobile-services.aspx
http://chrisrisner.com/Authentication-with-Windows-Azure-Mobile-Services
https://developers.facebook.com/docs/android/getting-started/
Hi i've integrated Facebook application with my application.
This is only working for the user-account who is registered with the application.
I am not able to find the authorizing screen just after login for users other then the registered user.
How can i achieve this ?
I am using following permission array:-
FACEBOOK_PERMISSION = {"offline_access", "publish_stream",
"user_photos", "publish_checkins", "photo_upload" };
Am i missing something please help me.
The problem you are facing is directly related to the fact that your application is in the sandbox mode. In this mode only the developers, testers and other people registered in the app settings are able to access the application. To allow the general public to use your application, you will have to disable the sandbox mode and then everyone can use it.