[Q] Android: Node.js server security using Facebook authorization - Android Q&A, Help & Troubleshooting

I am developing an app that is similar to Tinder:
I am trying to develop an app, and until now I have a simple verification logic. I am pretty sure that this is not the best solution, but I would like to know what you think about it:
1) The user receives a unique access token from the Facebook SDK and sends it to the server that I created. The access token is saved in the user schema and updated every time the user logs in.
2) Every time the user sends a POST request, our server checks that the access token is correct, and if not it doesn't respond.
3) It checks the user id, and only shown images can be checked.
Now what I am asking is:
Is it a good security solution?
What do you think about it?
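The server-side check in step 2, as an added example in Node.js that is not code from the original post: instead of only comparing the token with the copy stored in the user schema, the server asks Facebook about it through the documented `GET /debug_token` Graph API call and checks that the token is valid, was issued for this app, and belongs to the user id the client claims. `APP_ID`, `APP_SECRET`, and the header names are assumptions; the middleware shape is Express-style.

```javascript
// Added example (not from the original post): server-side validation of the
// Facebook access token the app sends, via Facebook's GET /debug_token endpoint.
// APP_ID/APP_SECRET are placeholders; requires Node 18+ for the global fetch.
const APP_ID = 'APP_ID_PLACEHOLDER';         // placeholder, not a real app id
const APP_SECRET = 'APP_SECRET_PLACEHOLDER'; // placeholder, never ship to the client

// Pure check over the /debug_token response body, so it can be tested offline.
// `expectedUserId` is the Facebook user id the client claims to be.
function checkDebugTokenResponse(body, expectedUserId, nowMs = Date.now()) {
  const d = body && body.data;
  if (!d || d.is_valid !== true) return { ok: false, reason: 'token invalid' };
  if (d.app_id !== APP_ID) return { ok: false, reason: 'token issued for a different app' };
  if (d.user_id !== expectedUserId) return { ok: false, reason: 'token belongs to a different user' };
  if (typeof d.expires_at === 'number' && d.expires_at * 1000 <= nowMs) {
    return { ok: false, reason: 'token expired' }; // expires_at is in unix seconds
  }
  return { ok: true, userId: d.user_id };
}

// Ask Facebook about the token; the app access token is "APP_ID|APP_SECRET".
async function fetchDebugToken(inputToken) {
  const appToken = `${APP_ID}|${APP_SECRET}`;
  const url = 'https://graph.facebook.com/debug_token' +
    `?input_token=${encodeURIComponent(inputToken)}&access_token=${encodeURIComponent(appToken)}`;
  const res = await fetch(url);
  return res.json();
}

// Express-style middleware: the client sends its Facebook token and user id in
// request headers (constructed header names); a failed check yields 401.
async function requireFacebookUser(req, res, next) {
  const token = req.headers['x-fb-access-token'];
  const userId = req.headers['x-fb-user-id'];
  if (!token || !userId) return res.status(401).json({ error: 'missing credentials' });
  try {
    const result = checkDebugTokenResponse(await fetchDebugToken(token), userId);
    if (!result.ok) return res.status(401).json({ error: result.reason });
    req.userId = result.userId; // later handlers trust only this verified id
    return next();
  } catch (err) {
    return res.status(502).json({ error: 'token verification unavailable' });
  }
}
```

Because the verified user id comes from Facebook's answer rather than from the request, the step-3 ownership check can rely on `req.userId` instead of a client-supplied value.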

Related

[Q] Stock Email passwords still stored in clear text.

I realize that this has been an 'issue' for a while now, but I would like to know if there are any new ways to secure and use the stock email client with Exchange ActiveSync and not have credentials stored in clear text on the device. The same goes for IMAP and POP accounts using the app.
Yes, this is really only an issue on rooted devices. Google's official answer is to enable Device Encryption and that there are other email clients out there that handle credentials better. I personally switched to Touchdown, but would rather use the stock client.
I am trying to come up with an MDM solution for my company and really don't want to have to block devices if I don't have to. But as it stands my only options are to have the user buy a 3rd party email client, force encryption and/or block rooted / jailbroken devices, or use Citrix and OWA. I've spent a couple of days researching this and haven't come up with anything promising that puts a smile on my face.
Any other Exchange Admins out there? How have you dealt with this?
For those who were not aware of your network username, password and domain being stored in clear text: using SQLite, open the Email app's EmailProvider.db and select HostAuth. Within you will find your connection info staring back at you, clear as day.
Android Issue Log:
https://code.google.com/p/android/issues/detail?id=10809
Google's Response:
https://code.google.com/p/android/issues/detail?id=10809#c128

[Q] Is it secure to use the device's IMEI to authenticate it in a web service?

Hi. I'm glad to finally be here.
Let me explain the context of my question. I'm designing an application in Android that works by consuming a web service. For every request made to that web service, you must authenticate.
I tried to use SSL certificates for greater security, but at the moment it is too advanced for me, just knowing how to create a certificate, then install it on the server and on the client and make the connection between them that way (if anyone has a tutorial it will be welcome).
For now, I managed to connect via HTTP without any protection. To authenticate the device that performs the request, I send the IMEI plus a random password (created at registration).
Well, my question is whether this is an acceptable way, or is there a better way that takes care of the information of those using the app.
Thank you very much for your help, since I have no one else to turn to.

Android User Accounts

Hey everyone, I wanted to get more information on how to create a User Login in an app. Say I wanted my users to login with their Google or Facebook account and be able to upload photos; where would the accounts and photos be stored?
I know obviously on my own servers, but could anyone point me in the right direction? More reading material would be great.
I'm just starting out in Android Dev. I'd like to get more information on creating these types of applications, thanks for your help. Appreciate it.
FNostromo said:
Hey everyone, I wanted to get more information on how to create a User Login in an app. Say I wanted my users to login with their Google or Facebook account and be able to upload photos; where would the accounts and photos be stored?
I know obviously on my own servers, but could anyone point me in the right direction? More reading material would be great.
I'm just starting out in Android Dev. I'd like to get more information on creating these types of applications, thanks for your help. Appreciate it.
There are a few ways to look at it.
1: How is the login supposed to function?
2: Client side or server side?
3: The main login files are normally stored server side.
4: What programming language and/or CRM are you using?
5: Whatever you're using for the base operation, login would be where you will seek the help for that environment.
6: If you are logging in to anything... then you would go through a program you made or a web page viewed.
7: Are you trying to API through apps to jack the login information to login to multiple places? Or one place?
8: Your question is good, but you need to specify exactly what you want to do, and the outcome.
9: Are you programming an APK app?
10: Are you making a ROM or ?
11: If you want a user to fly across from Google or Facebook then you would basically intercept the API of the login and act as if you're the actual program. That type of thing is API related.
12: Every program has its own programming and API calls and functions... Also special folders, vendor specific.....
Sorta like hacking the vendors api...
That would evolve into security protocols being tampered with. That's why they don't give out that information. But you could sniff the packets via a computer and send and receive responses and also do some reverse engineering on the Api.
Deep level stuff.
Not something people will just answer.
The answer is in the question please tell us from beginning to end what it is you want to accomplish.

How to make a Login page

Greetings
This is something new that I would like to learn. What are the steps it takes to make a login page in your app? Let's assume the app is static, everything works as is, and the last step that is required is just to add a login page at the start to stop users from accessing the app (might be wrong and might need to do this at the start, do say so if that is how it works).
From my understanding there are two things that need to be done. One is server side, one is client side.
Client side (aka app) there must be a page at the start that asks for login details, that then sends it somewhere, and then receives the answer: does this account exist? According to the answer the app reacts appropriately.
For the server side there must be something that checks the received login details against a database to check if it matches anything, and it returns the appropriate result.
I assume this is easy to bypass, not sure how tbh, but I assume so. I just want to understand how things work because learning is fun.
Is there common code that already does any of this that I can use / learn from?
Thanks a ton!

Need to lock Genymotion SaaS appliance to run only 1 app in restricted user by default and prevent install 3rd party apps and access to settings

I need to run an app in Genymotion that is used for data entry and upload of the entered data into 3rd party sites. The logins to 3rd party sites are stored in this application (probably encrypted). The application will store multiple logins for my different customers of who need to have the data uploaded into the 3rd party sites. The data into the app will then be entered by other people to whom I outsource the data entry.
So I created Genymotion appliance, installed the app and in this application I entered logins for sites such as ebay. I am looking for suggestions on what can I do to secure the appliance to prevent the data being copied out from it.
I want to prevent the person to whom I outsource data entry to be able to install and load 3rd party other apps, modify system settings, install other apps, copy the system directory, copy the login and password information saved by the application.
Let's assume the worst possible case here when application is well written but the passwords mentioned above (for the ecommerce sites like ebay) is saved in plain text in this application in the internal application directory. What I know about the application is it doesn't support access to SD Card, only can read and write data to the internal memory.
What can I do in Genymotion to improve the security of my appliance? Genymotion virtual machines are rooted. So I looked at the following suggestions:
1. Set up a restricted user on Android.
2. Set restrictions for the restricted user to only be able to use the one application. Disable anything else (including the browser, email, YouTube etc.).
3. Try to get the restricted user loading on boot of Android. When Android restarts, however, it doesn't allow a choice to log in to the restricted user or the admin user, sort of like a Windows or macOS login menu. To get the appliance to always start with the restricted user by default, I need to add a script, and the script will need to start using Tasker or MacroDroid.
However, how do I prevent the user from installing 3rd party apps? Is it good enough to disable all user apps (except the one used for data entry) for the restricted user? Is there any other way the user could abuse the access to the virtual appliance and load something there? Are there any system Android apps I need to disable for the restricted user to prevent the user from being able to do anything bad with it?
The application used for data entry cannot download any application or data; however, I believe it does use the WebView because it loads sites like eBay and fills the forms on those sites. It only interacts with select websites like eBay to enter data into eBay forms.
Is there anything I can do to secure the Genymotion appliance other than what I already mentioned? I would like to send the link to the Genymotion SaaS Android to people who will do data entry for me into eBay and other sites. So I need to make sure the virtual appliance is secured as much as possible from tinkering with it. I need to make sure somebody doesn't get their hands on the stored login details.
Just to clarify for the login credentials:
I am not sure how the user credentials are stored and I will find it out; however, for now, I go from the worst case scenario when the credentials are stored in plain text in the app settings. The user name and password are stored in the application, with the exception of eBay, because many other sites do not have an API key or any web service interface, so the application would access those sites simply via a WebView, and when it goes to log in there it will do that by filling in the login information on the login form (simulates keystrokes). The user name and password are entered into the login form for the site. That's why the login info is stored in the application itself.
This question is not about how to secure the specific application I will be using, but how to secure the actual whole Android appliance from tinkering.
I am aware of the risks here, just want to do as much due diligence as I can.
Sources for Genymotion restricted user:
- "How to set restricted user as default user on reboot?" (android.stackexchange.com): We would like to have an already added restricted user account be the default when we restart our Samsung SM-T580 tablets. At current we have 2 accounts installed, Admin and User The User is a use...
- "Root access - Device image User Guide" (docs.genymotion.com)
Done some digging, so this cannot be done. Neither Genymobile nor Appetize nor other online Android emulators can offer fine-tuning in terms of user access. The closest is Genymobile because at least it allows adding and removing access of users to individual appliances. That is however not resolving the issue with Android and in particular rooted Android, since all online emulators run rooted Android and I am not sure how that is secured against potentially malicious actors who receive an access link.
The only easy way to solve it, kind of in a mickey-mousy way, is to install a Kiosk mode application. That kiosk app will run at every boot and it only shows the specific application. There is always the risk of course that the malicious user would do something to crash the application and the Kiosk app, but if the application is not a web browser or email client or similar it should be relatively safe.
There are plenty of Kiosk mode apps for Android but none of them is free (don't try to look, no chance to find one); the cheapest cost about 7 USD one-time purchase, the more expensive ones cost 20 per month per device or more and come with remote control etc... Not cheap, but kiosk mode apps are almost exclusively used by businesses, so that's why there is a lack of free apps.
Anyhow I believe this is the closest as I could get to deal with this.
