I want to understand, from a security perspective, whether it is possible to prevent an end user from finding out the HTTP request parameters that are exchanged with the server. I understand that SSL would prevent someone from sniffing the HTTP POST request parameters, but I believe the browser, after decoding SSL, will have access to the parameters. I presume it is possible to hack into an APK, find out the actual HTTP request and spoof it? So I am trying to work out a way around it.
Thanks for all the suggestions you could provide!
Hi. I'm glad to finally be here.
Let me explain the context of my question. I'm designing an Android application that works by consuming a web service. For every request made to that web service, you must authenticate each time you perform one.
I tried to use SSL certificates for greater security, but at the moment it is too advanced for me: just knowing how to create a certificate, then install it on the server and on the client, and make the connection between them that way (if anyone has a tutorial, it will be welcome).
For now, I have managed to connect via HTTP without any protection. To authenticate the device that performs the request, I send the IMEI plus a random password (created at registration).
Well, my question is whether this is an acceptable way, or whether there is a better way that takes care of the information of those using the app.
Thank you very much for your help, since I have no one else to turn to.
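The two posts above ask the same underlying question: can the server tell a genuine request from one that was reconstructed from a decompiled APK or captured with a proxy? The following is an added example (not code from either poster) of the usual answer: the client cannot hide its parameters, so the server instead gives each device its own secret at registration and requires every request to carry an HMAC over the method, path, body, device id, timestamp and nonce. The device id, secret value and header names are assumptions for the illustration; the secret is assumed to have been delivered over TLS at registration, and it is keyed by a server-issued id rather than the IMEI, because the IMEI is readable by other apps and cannot serve as a secret.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed example: per-device secrets issued by the server at registration.
# In a real deployment these live in the server's database, one per device.
DEVICE_SECRETS = {
    "dev-7f3a": bytes.fromhex(
        "3c9f1e2b4a6d8c0e1f2a3b4c5d6e7f80112233445566778899aabbccddeeff00"
    ),
}

MAX_SKEW = 300  # seconds; requests with an older/newer timestamp are rejected


def canonical(method, path, body, device_id, ts, nonce):
    """Everything the server acts on goes into the signed string, so a change to
    any of it (a different body, a replayed nonce) breaks the MAC."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join(
        [method.upper(), path, body_hash, device_id, str(ts), nonce]
    ).encode()


def sign_request(device_id, secret, method, path, body, ts=None, nonce=None):
    """Client side: returns the headers that accompany the request."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(
        secret, canonical(method, path, body, device_id, ts, nonce), hashlib.sha256
    ).hexdigest()
    return {
        "X-Device-Id": device_id,
        "X-Timestamp": str(ts),
        "X-Nonce": nonce,
        "X-Signature": mac,
    }


class Verifier:
    """Server side: checks the signature and remembers nonces to reject replays."""

    def __init__(self, device_secrets, max_skew=MAX_SKEW):
        self.device_secrets = device_secrets
        self.max_skew = max_skew
        self.seen = {}  # nonce -> timestamp; a shared store with expiry in production

    def verify(self, headers, method, path, body, now=None):
        """Returns (ok, reason) for one incoming request."""
        now = int(time.time()) if now is None else now
        device_id = headers.get("X-Device-Id", "")
        secret = self.device_secrets.get(device_id)
        if secret is None:
            return False, "unknown device"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > self.max_skew:
            return False, "stale timestamp"
        nonce = headers.get("X-Nonce", "")
        if not nonce or nonce in self.seen:
            return False, "replayed nonce"
        expected = hmac.new(
            secret, canonical(method, path, body, device_id, ts, nonce), hashlib.sha256
        ).hexdigest()
        # Constant-time comparison so an attacker cannot learn the MAC byte by byte.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        # Forget nonces that are too old to be accepted anyway, then record this one.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        self.seen[nonce] = ts
        return True, "ok"


if __name__ == "__main__":
    body = json.dumps({"action": "list_items"}).encode()
    v = Verifier(DEVICE_SECRETS)
    h = sign_request("dev-7f3a", DEVICE_SECRETS["dev-7f3a"], "POST", "/api/items", body)
    print(v.verify(h, "POST", "/api/items", body))   # accepted
    print(v.verify(h, "POST", "/api/items", body))   # same headers again: replay
```

Someone who decompiles the APK learns the signing algorithm, but not another device's secret, so they can only spoof requests for a device they already control. That is why the server must still authorize every action against the authenticated device's own account rather than trusting any parameter the client sends; without TLS the secret itself is exposed once at registration and every request body is readable in transit.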
I am developing an app that is similar to Tinder:
I am trying to develop an app, and so far I have a simple verification logic. I am pretty sure that this is not the best solution, but I would like to know what you think about it:
1) The user receives a unique access token from the Facebook SDK and sends it to the server that I created. The access token is saved in the user schema and updated every time the user logs in.
2) Every time the user sends a POST request, our server checks that the access token is correct, and if not it doesn't respond.
3) It checks the user ID, and only shown images can be checked.
Now what I am asking is:
Is it a good security solution?
What do you think about it?
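The three steps above, as an added example that is not the poster's code. The one change from the post is in step 1: before the token is saved, the server asks Facebook whether it is valid, was issued for this app and which user it belongs to, so a token stolen from some other app, or a fabricated one, never becomes a credential. In production the `inspect` callable would perform the Graph API `debug_token` request; here a constructed stand-in returns responses in that endpoint's `data` shape so the code runs offline. The app id, token strings and image ids are constructed.

```python
import hashlib
import hmac
import time

APP_ID = "123456789012345"  # constructed: this app's Facebook app id

# Constructed stand-in for GET /debug_token?input_token=<token>&access_token=<app token>.
# The real endpoint returns JSON with the same fields under "data".
FAKE_INSPECTIONS = {
    "EAAB-valid-user-42": {"data": {"app_id": APP_ID, "is_valid": True,
                                    "user_id": "42", "expires_at": 1_700_099_999}},
    "EAAB-other-app":     {"data": {"app_id": "999", "is_valid": True,
                                    "user_id": "42", "expires_at": 1_700_099_999}},
    "EAAB-expired":       {"data": {"app_id": APP_ID, "is_valid": False,
                                    "user_id": "42", "expires_at": 1_600_000_000}},
}


def fake_inspect(token):
    """Offline replacement for the Graph API call; unknown tokens are invalid."""
    return FAKE_INSPECTIONS.get(token, {"data": {"is_valid": False}})


def token_key(token):
    """Store a hash rather than the token: a leaked database then holds nothing
    that can be replayed against Facebook or against this server."""
    return hashlib.sha256(token.encode()).hexdigest()


class AuthServer:
    def __init__(self, inspect=fake_inspect, app_id=APP_ID):
        self.inspect = inspect
        self.app_id = app_id
        self.users = {}   # user_id -> {"token_hash": ..., "expires_at": ...}
        self.shown = {}   # user_id -> set of image ids this server has shown them

    def login(self, token, now=None):
        """Step 1: validate the token with Facebook, then save it for that user."""
        now = int(time.time()) if now is None else now
        data = self.inspect(token).get("data", {})
        if not data.get("is_valid") or data.get("app_id") != self.app_id:
            return None
        if data.get("expires_at", 0) <= now:
            return None
        user_id = data["user_id"]  # taken from Facebook, never from the client
        self.users[user_id] = {"token_hash": token_key(token),
                               "expires_at": data["expires_at"]}
        return user_id

    def authorize(self, user_id, token, image_id, now=None):
        """Steps 2 and 3: the POST must carry the current token of the claimed
        user, and may only reference an image the server showed that user."""
        now = int(time.time()) if now is None else now
        rec = self.users.get(user_id)
        if rec is None or not hmac.compare_digest(rec["token_hash"], token_key(token)):
            return False, "bad token"
        if rec["expires_at"] <= now:
            return False, "token expired"
        if image_id not in self.shown.get(user_id, set()):
            return False, "image not shown to this user"
        return True, "ok"


if __name__ == "__main__":
    server = AuthServer()
    uid = server.login("EAAB-valid-user-42")
    server.shown[uid] = {"img-1", "img-2"}
    print(server.authorize(uid, "EAAB-valid-user-42", "img-1"))
    print(server.authorize(uid, "EAAB-valid-user-42", "img-9"))
```

Two points the post's wording leaves open are made explicit here: the user id that requests are checked against comes from Facebook's answer, not from the request, and "only shown images" is enforced by the server's own record of what it showed, so the client cannot vote on images it was never offered. The expiry check also means a token that stopped working on Facebook stops working here on the same timeline.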
Not sure if I'm on-topic here or not, but here goes... I am responsible for the setup/configuration of WiFi routers in various restaurants and venues. We are simply using the built-in splash page functionality of the router to, upon connection, present a simple marketing message and daily special offer via an extremely simple, static external HTML page, rather than the login page that many venues present (airports, coffee shops, McDonald's, etc.).
After connecting to our SSID with a PC or mobile device, users are presented with a customized splash page where our venue’s latest “offer of the day” banner ad is presented, which links via a standard hyperlink out to a PDF coupon for them to redeem said offer. There are also a couple of other simple items on the page, such as a menu with links to other offers, and an embedded Google Map to the venue in question.
All seems to be OK on PCs and iPad/iPhone devices. However, we are running into a problem on Android devices – specifically, Android devices using newer/more recent versions of the Android OS.
The problem is that Google has made a change to newer versions of Android so that WiFi connection login/splash/confirmation pages no longer come up in the default Web browser of the phone/tablet in question. Instead, they seem to come up in some kind of built-in notification window simply titled "Sign-in to network"; it does not seem to be a full-blown, feature-compliant browser, but rather a panel of sorts built into Android. And when our basic, mainly static HTML page loads within this alert window, none of the standard HTML features (such as hyperlinks) seem to work. A window appears with the title "Sign-in to network", and our splash page appears within it, but the standard HTML hyperlink from our special offer graphic (to a PDF file) does not work. Clicking it has no effect. Our menu underneath that does not seem to open (it's automatically collapsed on mobile devices), none of the links within it work properly, and our embedded Google Map does not appear at all. It's as if this alert window, or whatever we call it, does not support the basic features of HTML pages in any way.
There appears to be no way for me to programmatically force the Android client to "escape" from this proprietary panel and open up a page in their default browser. I've tried placing various forms of client- and server-side "push/redirect" code on the page in an effort to escape from this alert window and cue the default browser to open, with no luck. No matter what I do, it seems that the Android phones always load the splash page within a "Sign-in to network" notification page rather than a browser, and that this notification panel is not fully functional for even basic HTML features such as <a> hyperlinks, JavaScript, or embedded items.
It's possible that Android's proprietary "Sign-in to network" panel is seeking some sort of acknowledgement of a successful "login" in order to proceed with any subsequent browsing. But if so, I don't know what constitutes "acknowledgement". Perhaps there is some way to force a hidden form submission or link click programmatically, to make the Android device accept/acknowledge the connection just as if the user had logged in normally, so that we can then proceed to subsequent Web browsing?
Has anyone experienced this problem, or have any ideas as to whether there’s a work-around or coding-based solution to this difficulty?
Thanks very much for your help in advance.
UPDATE: I've been in touch with the Google developers of the sign-in panel... they indicated that "captive portal sign-in pages are displayed in an Android WebView, which uses much of the same code as the Chrome browser. The sign-in app is very simple, you can see all of its source code here.
One second after each navigation (including the initial page load), the app probes to see if the user has successfully signed into the network. This probe is done by fetching a URL that should give back a 204 response."
Based on this, I am making the assumption that until the captive portal sign-in app's probe sees that the user is successfully signed in, all other navigation and many other features on the page are disabled, and that the full functionality of the WebView panel is restored after a successful sign-in to the network. But if so, how can I successfully "signal" to the sign-in app that the user is, in fact, signed in (or rather, that no sign-in is necessary or desired)? Is there something I can do programmatically in the page code to ensure this, so that the viewer can then proceed to normal Web navigation within the panel, and so forth?
Any insight into how this works from anyone here would be greatly appreciated!
Thanks!
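The mechanism quoted in the update, shown as an added example rather than anything from the poster or from Google's sign-in app. Android decides whether the network is "signed in" purely from the probe: while the connectivity-check URL answers with a redirect, the panel stays up; once it answers 204, the panel closes and the device's real browser is used for everything after. So the splash server, not the page's HTML, is what signals completion. The example below is a minimal portal back end that keeps a per-client "accepted" set, redirects the probe to the splash page until the client is accepted, and returns 204 afterwards. The hostname `portal.local`, the `/splash` and `/accept` paths, the splash markup and the use of the client IP as the client key are assumptions (a real router would key on the MAC address); the assumption that the router resolves `connectivitycheck.gstatic.com` to this host for unauthenticated clients is the standard captive-portal DNS/HTTP intercept and is stated here rather than shown.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Path fetched by Android's connectivity check (connectivitycheck.gstatic.com/generate_204);
# the router is assumed to steer that hostname to this server while a client is unauthenticated.
PROBE_PATHS = {"/generate_204"}

# Constructed splash page: the offer plus a button that performs the acknowledgement.
SPLASH_HTML = b"""<!doctype html><title>Welcome</title>
<p>Today's offer: show this page at the counter.</p>
<form method="post" action="/accept"><button>Continue to the internet</button></form>
"""


class CaptivePortal:
    """Portal state machine, kept separate from the HTTP plumbing so it can be tested."""

    def __init__(self, splash_url="http://portal.local/splash", auto_accept=False):
        self.splash_url = splash_url
        self.auto_accept = auto_accept
        self.accepted = set()  # clients whose next probe should get 204

    def handle(self, client, method, path):
        """Returns (status, headers, body) for one request from `client`."""
        p = urlsplit(path).path
        if p in PROBE_PATHS:
            if client in self.accepted:
                return 204, {}, b""                            # "signed in": panel closes
            return 302, {"Location": self.splash_url}, b""     # "sign-in required": panel opens
        if p == "/splash" and method == "GET":
            if self.auto_accept:
                # Treat merely seeing the offer as the sign-in, so the panel closes on its own
                # after the app's next probe, a second after this page loads.
                self.accepted.add(client)
            return 200, {"Content-Type": "text/html; charset=utf-8"}, SPLASH_HTML
        if p == "/accept" and method == "POST":
            self.accepted.add(client)
            return 302, {"Location": self.splash_url}, b""
        if client in self.accepted:
            return 404, {}, b"not found"
        return 302, {"Location": self.splash_url}, b""         # any other URL: send to splash


PORTAL = CaptivePortal()


class Handler(BaseHTTPRequestHandler):
    """Thin adapter from http.server to the portal state machine."""

    def _serve(self):
        status, headers, body = PORTAL.handle(self.client_address[0], self.command, self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = _serve
    do_POST = _serve


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```

With `auto_accept=False` the offer link and map still do not work inside the panel, but the "Continue" button does, because it is a plain form post the WebView submits; one second later the probe returns 204, the panel closes, and the user's real browser is available for the PDF and the map. With `auto_accept=True` the panel closes by itself shortly after the splash page has been displayed, which matches the case in the post where no sign-in is actually wanted. Either way, the signal Android is looking for is the probe's 204, not anything in the page's markup or JavaScript.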
Hello everyone! This is my first post.
My question is: I have to add an Android activity that accepts input as large as 200 words or more. After the data is input, I need to direct that input to a server. (There is an app called Personality Insights which accepts input and displays personality traits as results.)
After analysing the input, the server has to output some result as personality traits, which I then have to show to the user.
The issue is that I only want the user to provide input, but I don't want the user to see the processing. How should I go about it? Also, how should I retrieve the results?