How do popular applications authenticate user requests from their mobile application to their server?

Say I have an Android app that connects to a .NET API to receive / install data. What I'm confused about is how to first register / authenticate a user and then check him every time he makes an API request.

  • If I just use username- and password-based authentication, won't that be safe enough?
  • And I can't save this username / password on the device for security reasons?
  • Do I have to issue a GUID for each user during registration, save it on the device and send it each time with an API request?

What other patterns are available, and which are the most efficient and secure? I just need a process flow for it. Can someone tell me what the well-known Android applications (Facebook, foursquare, twitter) use to authenticate each request coming from their mobile application to their server?

Sorry if this is not some public information.

+105
android authentication facebook foursquare
Nov 05 '13 at 21:32
6 answers

I assume that they use a "token"-based security scheme, so the password is actually never stored anywhere; it is only used to authenticate the first time. So the application initially sends the username / password (over SSL), and the server returns a token that the application stores. For subsequent sync attempts the token is sent first, the server checks that it is valid, and only then allows the other data to be sent.

The token should have an expiry so that the server can demand a fresh authentication attempt.

If you hook into the sync adapter from the Android Framework, it gives you the ability to sync and authenticate everything under the hood.

http://developer.android.com/training/sync-adapters/creating-sync-adapter.html

If you look at the accounts in the "Settings" section on your device, you will see what I mean.

+45
Nov 05 '13 at 21:44

This is basically the well-known OAuth protocol (1) / framework (2) being used. Even though it is supposed to be a standard, each of them has a different implementation of this protocol / framework. So we have to be very careful when it comes to integration.

Example: Dropbox still uses OAuth 1 and has only recently started supporting OAuth 2.

Back to the answer. As peterpan stated, the token-based authentication is a one-time thing and then out of the equation. These tokens expire, or in some cases the authority is given to the developer.

The interesting thing is that you can define the scope of access to resources, and not allow the client application to store user names and passwords, which is dangerous.

This is a basic illustration of how this works:

[illustration not preserved]

I will update the answer once I have more details on this, since I am working in this area these days :)

+18
Dec 23 '14 at 20:14
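The token flow the two answers above describe, as an added example that is not part of the original thread and not code from peterpan, Dropbox or any of the services named in the question: both sides live in one Python file. The app presents the username and password exactly once; the server verifies them against a salted hash and returns an HMAC-signed token carrying the user, an OAuth-style scope string and an expiry; every later request carries only the token, which the server rejects when it is forged, expired, or lacks the scope for the requested resource. The user store, server key, scope names and lifetime are constructed for the illustration, and `login`, `verify` and `MobileClient` are hypothetical names, not an API of Android or .NET.

```python
"""Added example (not from the original thread): password exchanged once for a
signed, expiring, scoped token; later requests are authenticated by the token.
All names, keys and the user store below are assumptions for the illustration."""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

# ---- server side (all constructed for this example) ----------------------

SERVER_SECRET = os.urandom(32)   # HMAC key; lives only on the server, never in the app
TOKEN_LIFETIME = 3600            # seconds a token stays valid (assumed value)


def _hash_password(password, salt):
    # Slow salted hash: the server never keeps the plaintext password either.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_salt = os.urandom(16)
USERS = {  # constructed sample user store: username -> (salt, password hash)
    "alice": (_salt, _hash_password("correct horse battery staple", _salt)),
}


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def login(username, password, scope, now=None):
    """Step 1: the password is presented exactly once, in exchange for a token.
    Returns the token string, or None when the credentials are wrong."""
    record = USERS.get(username)
    if record is None:
        return None
    salt, expected = record
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return None
    now = time.time() if now is None else now
    payload = {"sub": username, "scope": scope,
               "exp": int(now) + TOKEN_LIFETIME, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify(token, required_scope, now=None):
    """Step 2: check a token presented on a later request.
    Returns the payload when signature, expiry and scope all hold, else None."""
    try:
        body, sig = token.split(".")
        given = _unb64(sig)
    except ValueError:                   # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        return None                      # forged or tampered token
    payload = json.loads(_unb64(body))   # body is trusted only after the MAC check
    now = time.time() if now is None else now
    if payload["exp"] <= now:
        return None                      # expired: the client must log in again
    if required_scope not in payload["scope"].split():
        return None                      # valid token, but not for this resource
    return payload


# ---- client side ---------------------------------------------------------

class MobileClient:
    """The app keeps only the token; the password is used once and dropped."""

    def __init__(self):
        self.token = None

    def sign_in(self, username, password, now=None):
        self.token = login(username, password, "sync:read", now)
        return self.token is not None

    def fetch(self, required_scope, now=None):
        """Simulated API call returning an HTTP-style status. A real client would
        send the token in an Authorization: Bearer header over HTTPS."""
        if self.token is None:
            return 401
        return 200 if verify(self.token, required_scope, now) else 401


if __name__ == "__main__":
    app = MobileClient()
    assert app.sign_in("alice", "correct horse battery staple", now=1000)
    print("sync:read    ->", app.fetch("sync:read", now=1500))
    print("sync:write   ->", app.fetch("sync:write", now=1500))
    print("after expiry ->", app.fetch("sync:read", now=1000 + TOKEN_LIFETIME))
```

The expiry is what forces the re-authentication the first answer calls for, and the scope check is the "define the scope of access to resources" point of the second: a token issued for `sync:read` cannot be replayed against a write endpoint even though its signature is valid. The client never holds the password after `sign_in`, so the only long-lived secret on the device is a token the server can invalidate by letting it expire.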

I was searching for the exact same thing and found a Google way, something like peterpan's, but through the Google API. Try this link and google around from there; I'm just starting too! I'll post new information as I go!

http://developer.android.com/google/auth/http-auth.html

+3
Jan 15 '15 at 12:40

I am a beginner, but I will try to give a logical solution to this issue.

There are two options: [1] for each URI, HTTP authentication is checked when the user enters credentials, and the user then accesses the resources.

[2] Another approach could be that the user authenticates and a unique token is created with each authentication. Using the generated token, the user then accesses the resources.

Though I'm not sure which approach is best for mobile applications.

+3
Jul 31 '15 at 13:03

The authentication sample is a good place to start. Android saves the credentials in the Account Manager; you can view the accounts in the Android settings. This will automatically store tokens, ask for user credentials if they have expired or are missing, refresh tokens, etc. I find the HTTP part of this sample lacking or outdated. Extending Android's AccountAuthenticatorActivity is a great helper for parsing serialized data into the layout and back out to the network.

+3
Feb 17 '16 at 2:23

Usernames and passwords can be secure when placed in SharedPreferences. Using HTTPS when connecting to the server should be good enough.

-6
Nov 05


