Android 消费webservice的APP如何认证用户

Question

I'm developing an android app that consumes a webservice that I will develop too (I'm thinking in using a RESTFul webservice).. and I want to secure the connection between the app and the server but I need to authenticate users too..

My problem is in the last part, to secure the connection I think the best way to do it is to use SSL (https), am I wrong?

I don't know what's "the best way" to authenticate users, to make sure that a user cannot consume the webservice as another user.. I have some ideas, like using a authenticate(login,pass) method on the webservice that returns a token.. And for any operation that requires authentication the user would need to pass that token as a parameter.. The thing is, is this a good way to do this? whats the most common technique used to auth users in a situation like this?

If a token based auth is a good idea how should I generate the token?

Sorry for this long text..

Any help will be usefull

Thanks

Answer 1

Make sure you understand a trendy standard like OAuth before you go down that path. Most OAuth flows are centered around a user logging in to your server through a web browser. This can lead to pretty bad user experience for a mobile app. The standard does allow for alternatives. Here's a decent introduction .

You could also use an existing identity provider like Google, Facebook, Twitter, etc. instead of implementing your own authN/authZ. On Android, you can ask for a Google auth token using the AccountManager . This usually works because the user needs to be logged in to their Google account to access the Android Market. Anyway, this will prompt the user to grant authorization to your app. You could then use the Google auth token to login your user to your service with your own token. The login would essentially be your server verifying the Google token is valid (by contacting Google's servers) and then issuing its own token to be used for calls to your web services. If you don't like Google, you could use the Facebook SDK , etc.

As for what to use for tokens... The OAuth spec has stuff on that as well. You could do something as simple as a random string or something as complex as encrypted SAML assertions .

Answer 2

You should implement a token based OAuth, which will require the users to log in once, and then permanently have access.

You can use Google App Engine which already provides user authentication services for you (your Android users most likely already have google accounts) But this is only one of many options.

You can also look into Amazon's Identity Access Management (IAM) which will allow you to manage the users who have access to your web service, and authorize them accordingly.

I think the best way to do it is to use SSL (https), am I wrong?

This only prevents certain types of malicious use, but not everything. There is still nothing to prevent people from accessing your database on the phone, and retrieving credentials that way.