
Authenticate Android application requests

I want to develop an Android application in which anonymous users can send requests to my server through HTTPS. I need to make sure that the requests are coming from my app since anyone can craft an HTTP request and send it. This is very critical in my app.

I read about GCM tokens, but I don't know if they can help me in my issue.

Is there a way to authenticate the requests (coming from the app) without hiding secret keys in code (because I read that hiding secrets is a bad practice as de-compilation is very trivial in Android)?

Thanks

You can always generate a unique token for your user. And add that token in the header of your request and verify it on your backend.

  1. Your server could generate a unique PIN for each user of your app; it is then sent to your app and displayed in the app.

  2. Users, even though anonymous, are supposed to enter the same PIN before sending the response. In turn, the request could carry this PIN so that the server can verify that it has indeed come from the same app.

  3. Further, you can set a timeout for the validity of each PIN so that it is not misused and the latest generated PIN is always used at the end of any session.

One further question to be answered, related to point 1, is how to ensure that this PIN is sent to your app and not to any fake app.

The answer to that will be: every app gets a unique application ID when installed on an Android device. During installation, this application ID could be registered with your server in a discreet manner. This way you ensure that all your API calls are coming from a registered app.

I figured out how to solve this issue after following this guide: https://android-developers.googleblog.com/2013/01/verifying-back-end-calls-from-android.html

Basically, you use the GoogleAuthUtil class, available through Google Play services, to retrieve a string called an “ID Token”. You send the token to your back end, and your back end can use it to quickly and cheaply verify which app sent it and who was using the app.

When your server receives the token from your Android app, it's really important that you verify it. This requires two steps:

  1. Verify that it's really signed by Google.
  2. Verify that it's really meant for you.

Thanks.
