如何将敏感数据从Android应用传递到Google Cloud Endpoints？

Question

I am trying to create a simple minimal session management kind of system in Google Endpoints.

I authenticate users on my Android app. For making authenticated Endpoint API calls, I plan to verify the user only once on the Endpoint server by passing the idToken in the first call to Endpoints API from Android app.

I would, then, assign a session_id (say a number) to that user. This session_id would be communicated back to that Android app. The Cloud Endpoint server would not verify the user for the next 24 hours.

When an Android app calls an endpoints API with that session_id , I would perform the required operations assuming it to be from the authenticated user.

CONCERNS
If anyone sniffs the session_id , he would be able to perform operations of an authenticated user.

Q 1 Is it secure ( and correct way) to pass sensitive data (like session_id ) to Google Cloud Endpoints from Android app ?

Q 2 Is all communication between Android app and Cloud Endpoints done via HTTPS by default even though I do not have HTTPS enabled for my website ? Official doc says :

Important: Google Cloud Endpoints requires SSL. If you need to access your backend API in a system not supporting SSL, you'll need to either update the system to support SSL or use a proxy.

Another Official doc says:

In both method decorators, we supply the path to specify a location at which the method serves requests. The value specified is appended to the API path, for example, if the value hellogreeting is specified, the path is https://your-app-id.appspot.com/_ah/api/helloworld/v1/hellogreeting . For greetings.getGreeting, the path is hellogreeting/{id} where {id} is required or else your API method won't receive the incoming request argument.

NOTE: I do not have SSL (HTTPS) enabled for my website. I use GAE Python on web and Android/Java. I have website and an Android app which I am migrating from Google authentication to Google Identity Toolkit based multiple provider authentication (like Facebook, Google, others).

Answer 1

Q1 . It can be assumed to be secure (from sniffing) if it's passed via HTTPS only, although I am not sure if it's the correct way which depends on your implementation. You mentioned it would be a number. What kind of a number? Randomly generated? Sequential?

Also, are you using Users API / webapp2? I like the built-in create_auth_token function which can save you some time and replace the session_id in your case, and then you could use get_by_auth_token or validate_token to get corresponding user or simply validate the token and delete_auth_token to invalidate the token.

If you are not using Users API / webapp2 it's still better if you don't use random or sequential numbers for tokens, instead something like token = HMAC('A_VERY_LONG_AND_SECRET_KEY', user_id + todays_date) , which is unique, valid for 24 hours (from midnight, NOT since creation time) and is secret as long as the key is secret is a much better and safer option.

Q2 . Even if your custom domain does not have an SSL certificate, your APPID.appspot.com does (try accessing your project via httpS:// and you'll see).

Cloud Endpoints is ALWAYS serving the APIs via SSL (there's actually no way of changing it).

The warning Google gives you is about a possible situation when a CLIENT does not support SSL connections which won't be happening very often in real world.