[Q] Prevent End user from understanding the HTTP post parameters - Android Q&A, Help & Troubleshooting

I want to understand, from a security perspective, whether it is possible to prevent an end user from finding out the HTTP request parameters that are exchanged with the server. I understand that SSL would prevent someone from sniffing the HTTP POST request parameters, but I believe the browser, after decoding SSL, will have access to the parameters. I presume it is possible to hack into an APK, find out the actual HTTP request and spoof it? So I am trying to work a way around it.
Thanks for all the suggestions you could provide!

Related

Apache HttpComponents+Glassfish+SSL authentication

I am working on an app for Android which requires authentication via SSL to protect the client-server API.
I know how to do the following things:
1. Force Apache HTTP client to accept certificates issued by a specified certification authority.
2. Set GlassFish certificates, and force a specified web project (Java EE) to require HTTPS.
What I do not know:
1. How to force GlassFish to grant access only to clients using certificates issued by my certification authority.
2. How to force Apache HTTP client to send the client's certificate, or how to make it choose the correct client certificate.
Questions or Problems Should Not Be Posted in the Development Forum
Please Post in the Correct Forums & Read the Forum Rules
Moving to Q&A
I managed to do it quite some time ago - sorry that I did not notice the community.
Basically you need to set up GlassFish 3 HTTPS connections to require a client certificate upon initialization. Then you need to modify the GlassFish trust store and key store so that they possess only the CA/keys we want. The last step is to configure Apache HTTP client to use the trust and key store we want (those key store and trust store are a bit different for the Android device and the GlassFish server).
Anyway, if any of you would like help on the topic, then post a request here - I will post a full guide on how to do it then.
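The client-side half of the procedure described above (key store with the client certificate, trust store holding only your CA, both handed to Apache HttpClient) is shown here as an added example; it is not the poster's guide and not code from GlassFish or HttpClient. It assumes the HttpClient 4.0 API bundled with older Android releases and BKS-format stores (the type Android's KeyStore supports; created with a Bouncy Castle keytool, the "a bit different" stores the reply mentions). The class name, method name and parameters are the example's own.

```java
import java.io.InputStream;
import java.security.KeyStore;

import org.apache.http.client.HttpClient;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;

// Added example (not the thread author's code): an HttpClient that presents a client
// certificate and trusts only the server certificates issued by our own CA.
public class MutualTlsClient {

    // keyStoreIn   - BKS store containing the client's private key + certificate chain
    // trustStoreIn - BKS store containing ONLY our CA certificate (no public roots)
    // On Android both are typically opened with getResources().openRawResource(...)
    public static HttpClient build(InputStream keyStoreIn, char[] keyStorePass,
                                   InputStream trustStoreIn, char[] trustStorePass)
            throws Exception {
        // "BKS" is the store type the Android runtime ships; a JKS file will not load here
        KeyStore keyStore = KeyStore.getInstance("BKS");
        keyStore.load(keyStoreIn, keyStorePass);

        KeyStore trustStore = KeyStore.getInstance("BKS");
        trustStore.load(trustStoreIn, trustStorePass);

        // Three-argument constructor: key material for client auth + our own trust anchors.
        // With the trust store limited to our CA, a certificate from any public CA is rejected.
        SSLSocketFactory socketFactory =
                new SSLSocketFactory(keyStore, new String(keyStorePass), trustStore);
        // Reject server certificates whose subject does not match the host we connect to
        socketFactory.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);

        // Replace the default "https" scheme so every https:// request goes through our factory
        DefaultHttpClient client = new DefaultHttpClient();
        client.getConnectionManager().getSchemeRegistry()
              .register(new Scheme("https", socketFactory, 443));
        return client;
    }
}
```

Two notes on use. The server-side half (the "require client certificate upon initialization" step) is a GlassFish listener setting rather than Java; the dotted name in GlassFish 3 is, to my recollection, `...network-config.protocols.protocol.http-listener-2.ssl.client-auth-enabled`, and it should be verified against your GlassFish version before relying on it. Also, with `client-auth-enabled` on, the TLS handshake itself fails for clients without a certificate from your CA, so the Java EE web project sees only authenticated connections and does not need a second check of its own.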

[Q] Security question regarding Ad Blocking programs

Hi Everyone,
I have a question regarding these Ad Blocking programs. I see that they primarily work by adding entries in the Hosts file for IP resolution (usually the loopback address 127.0.0.1) for known Ad addresses. So my question is this... Is it possible for hackers to produce a fake (or partially legit) product that could be used for Phishing? They could inject IP addresses for banking, ecommerce, etc., websites to be directed to their fake sites.
Any thoughts?
Thanks!
Dagoof
You mean do something like redirect Wells Fargo to a copycat site to phish usernames, passwords, CC#'s etc? It's certainly possible. It'd be a pretty limited audience hack though. You'd still probably do better just sending a mass email.
I spoke with the author of Adfree and his program implements checks on the downloaded hosts files to ensure they only point to 127.0.0.1 unless specified in the options.
esheesle said:
> I spoke with the author of Adfree and his program implements checks on the downloaded hosts files to ensure they only point to 127.0.0.1 unless specified in the options.

Yeah... I thought that the easy way to rest assured was to go through the hosts files to be sure all the entries point to the loopback address...
Thanks!!
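The check both replies describe (walk a downloaded hosts file and confirm every entry points at the loopback address unless explicitly allowed) is shown here as an added example; it is not Adfree's code or any poster's. The class, the `Finding` type and the sample hosts text are constructed for the example; the sample uses reserved `.example` names and a TEST-NET address.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added example (not Adfree's code): flag hosts-file mappings that would redirect a
// real site somewhere other than the blackhole address an ad blocker is supposed to use.
public class HostsFileChecker {

    // Addresses an ad-blocking hosts file is expected to contain. 127.0.0.1 is the
    // loopback address discussed above; 0.0.0.0 and ::1 are the other common blackholes.
    private static final Set<String> BLACKHOLE =
            new HashSet<>(Arrays.asList("127.0.0.1", "0.0.0.0", "::1"));

    public static final class Finding {
        public final int lineNo;
        public final String address;
        public final List<String> hostnames;

        Finding(int lineNo, String address, List<String> hostnames) {
            this.lineNo = lineNo;
            this.address = address;
            this.hostnames = hostnames;
        }

        @Override public String toString() {
            return "line " + lineNo + ": " + hostnames + " -> " + address;
        }
    }

    // Returns every mapping whose address is neither a blackhole nor in the caller's
    // allow list (the "unless specified in the options" case, e.g. the user's own LAN hosts).
    public static List<Finding> findRedirects(String hostsText, Set<String> allowedAddresses) {
        List<Finding> findings = new ArrayList<>();
        String[] lines = hostsText.split("\\r?\\n");
        for (int i = 0; i < lines.length; i++) {
            String line = lines[i];
            int hash = line.indexOf('#');
            if (hash >= 0) line = line.substring(0, hash);   // drop trailing comments
            line = line.trim();
            if (line.isEmpty()) continue;
            String[] fields = line.split("\\s+");
            if (fields.length < 2) continue;                  // no hostname: resolver ignores it too
            String address = fields[0];
            if (BLACKHOLE.contains(address) || allowedAddresses.contains(address)) continue;
            List<String> names = Arrays.asList(fields).subList(1, fields.length);
            findings.add(new Finding(i + 1, address, names));
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample: a normal-looking ad list with one redirect of a bank name
        // to a non-loopback address hidden among the legitimate entries.
        String sample = String.join("\n",
                "# ad hosts, generated 2012-01-01",
                "127.0.0.1 localhost",
                "127.0.0.1 ads.example.net      # blocked",
                "0.0.0.0   tracker.example.org",
                "198.51.100.7 www.bank.example online.bank.example",
                "::1       localhost");
        for (Finding f : findRedirects(sample, Collections.<String>emptySet())) {
            System.out.println(f);
        }
    }
}
```

Run on the constructed sample, only the fifth line is reported, since it is the only mapping whose address is outside the blackhole set. A blocker that applies this check before installing a downloaded list closes the phishing case raised in the question; the user's own manual additions (a home server, say) go in the allow list rather than being silently accepted.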

[Q] Is secure to use device's IMEI to authenticate it in web service?

Hi. I'm glad to finally be here.
Let me explain the context of my question. I'm designing an Android application that works by consuming a web service. For every request made to that web service, you must authenticate each time you perform it. :silly:
I tried to use SSL certificates for greater security, but at the moment it is too advanced for me, just knowing how to create a certificate, then install it on the server and on the client, and make the connection between them that way (if anyone has a tutorial, it will be welcome).
For now, I managed to connect via HTTP without any protection. To authenticate the device that performs the request, I send the IMEI plus a random password (created at registration).
Well, my question is whether this is an acceptable way, or whether there is a more optimal way to take care of the information of those using the app.
Thank you very much for your help, since I have no one else to turn to.

[Q] Android: Node.js server security using Facebook authorization

I am developing an app that is similar to Tinder:
I am trying to develop an app, and until now I have a simple verification logic. I am pretty sure that this is not the best solution, but I would like to know what you think about it:
1) The user receives a unique access token from the Facebook SDK and sends it to the server that I created. The access token is saved in the user schema and updated every time the user logs in.
2) Every time the user sends a POST request, our server checks that the access token is correct, and if not it doesn't respond.
3) It checks the user id, and only shown images can be checked.
Now what I am asking is:
Is it a good security solution?
What do you think about it?
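Three of the questions on this page come down to the same server-side rule: the first post (can the user be stopped from seeing and spoofing POST parameters), the IMEI post (is a device identifier plus a random password enough), and this post (token check, then "only shown images can be checked"). The parameters cannot be hidden from whoever controls the device, so the server has to treat every body field as a claim and derive identity only from a secret it issued itself. The example below is added to illustrate that; it is not code from any of the posters, not Node.js, and not Facebook's API. It assumes that the login step has already confirmed the Facebook token with the identity provider before `issueToken` is called, and the class, the `Decision` enum, the `shownImages` model and the sample values (including the IMEI-like string) are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added example (not any poster's code): server-side checks for a "like this image" POST
// where identity comes from a server-issued token and the body is treated as untrusted.
public class ServerSideChecks {

    public enum Decision { UNAUTHENTICATED, FORBIDDEN, OK }

    private final SecureRandom rng = new SecureRandom();
    // token -> user id. Assumed model: populated only after login has validated the
    // identity proof (e.g. the Facebook access token) with the identity provider.
    private final Map<String, String> sessions = new HashMap<>();
    // user id -> image ids this server has actually shown to that user (assumed model)
    private final Map<String, Set<String>> shownImages = new HashMap<>();

    // A fresh 256-bit random token. Unlike an IMEI, which is printed on the box and
    // readable by other apps, this value exists only on the server and the device it went to.
    public String issueToken(String userId) {
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, userId);
        return token;
    }

    public void recordShown(String userId, String imageId) {
        shownImages.computeIfAbsent(userId, k -> new HashSet<>()).add(imageId);
    }

    // Resolve the user behind a presented token. MessageDigest.isEqual is constant-time,
    // so response timing does not reveal how many leading bytes of a guess were right.
    public String userForToken(String presented) {
        if (presented == null) return null;
        byte[] p = presented.getBytes(StandardCharsets.UTF_8);
        String match = null;
        for (Map.Entry<String, String> e : sessions.entrySet()) {
            if (MessageDigest.isEqual(p, e.getKey().getBytes(StandardCharsets.UTF_8))) {
                match = e.getValue();
            }
        }
        return match;
    }

    // POST /like with a bearer token and the decoded body parameters.
    public Decision handleLike(String token, Map<String, String> postParams) {
        String user = userForToken(token);
        if (user == null) return Decision.UNAUTHENTICATED;

        // A user_id in the body is redundant with the token; if it disagrees, the request
        // was edited after the app's traffic was inspected, so refuse it outright.
        String claimedUser = postParams.get("user_id");
        if (claimedUser != null && !claimedUser.equals(user)) return Decision.FORBIDDEN;

        // "Only shown images can be checked": authorize against the server's own record
        // of what this user was shown, never against anything the client asserts.
        String image = postParams.get("image_id");
        Set<String> shown = shownImages.getOrDefault(user, Collections.<String>emptySet());
        if (image == null || !shown.contains(image)) return Decision.FORBIDDEN;
        return Decision.OK;
    }

    public static void main(String[] args) {
        ServerSideChecks server = new ServerSideChecks();
        String aliceToken = server.issueToken("alice");
        server.recordShown("alice", "img-17");

        Map<String, String> honest = new HashMap<>();
        honest.put("user_id", "alice");
        honest.put("image_id", "img-17");
        System.out.println("honest request:    " + server.handleLike(aliceToken, honest));

        Map<String, String> spoofedUser = new HashMap<>(honest);
        spoofedUser.put("user_id", "bob");          // body edited to act as someone else
        System.out.println("spoofed user_id:   " + server.handleLike(aliceToken, spoofedUser));

        Map<String, String> unseenImage = new HashMap<>(honest);
        unseenImage.put("image_id", "img-99");      // image the server never showed alice
        System.out.println("image not shown:   " + server.handleLike(aliceToken, unseenImage));

        // A guessable identifier (constructed IMEI-like value) is not a session token
        System.out.println("device id as auth: " + server.handleLike("352099001761481", honest));
    }
}
```

The four calls in `main` come out OK, FORBIDDEN, FORBIDDEN and UNAUTHENTICATED respectively. What the example does not do is also part of the answer to the first post: it never tries to obfuscate the parameter names or sign requests with a key shipped inside the APK, because anything in the APK is recoverable by the person asking. The token must travel over TLS (the IMEI post's plain-HTTP setup exposes it to every network on the path), and on the Node.js side the same shape applies: look the Facebook token up in your own user record, take the user from that record, and check the image against a server-side list of what was shown.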

Automatic, periodic HTTP requests

Hello
I have been searching for an app which allows me to send HTTP requests automatically at a specified time once a day. The Android device is always on and is used to communicate with a robot through a REST API. The operator presses HTTP request shortcuts on the tablet.
Does anybody know of a way to achieve this simply?
Thanks in advance.
