I have recently started to learn about google app engine. I have encountered a problem. How do hash a password on google app engine? Im planning to pass password to the datastore. There I will hash the password and store the hash? Any tips or thoughts?
thx all!
Since you are looking at implementing your own custom login, you can definitely use popular hashing algorithms for the same. You can use the MessageDigest classes for teh same. Alternately, 3rd party libraries also exist, which you could use. E.g. Jasypt library
If you're not sure what you're doing, you're best of relying on a library. Having said that, there are great code samples for password management on the owasp site.
For example, here is a page with code samples on how to manage this correctly and a good explanation of all the element requires. You'll need to adapt the code for storage on appengine, or just use CloudSQL
Related
My question is that there is a section in the gradle file called signingConfigs.
Is it a problem if the password is entered here?
Should I be worried about this?
Thanks.
We should NOT do this. These params are there for testing convenience.
We should NEVER store ANY crucial, personal, sensitive information as plaintext.
The testing key passwords and stuff just use dummy values. The actual release key we generate via AndroidStudio or Java keystore directly.
For PlayStore app releases, key files I usually let Google assign, manage and maintain via Developer Dashboard.
I use yandex and google translate in my application and of course have unique API key, but everyone can steal it by decompiling my application. How can I hide it?
If i were you i will rent a server (maybe amazon) and create a database and insert our api key with simple encrypted string (hash etc.).
ID - Name - androidKey - key
1 - GoogleAPI - AJKBSASHUA9 - yourAPIKey
2 - YandexAPI - 5A6S5D6A53C - yourAPIKey
.
.
.
Then you can create a service which is run by your android packageName;
http://example.com/API/getAPIKey/
?packageName="yourPackageName"
&androidKey="AJKBSASHUA9"
And if you use POST method it is safe for you.
Simply, you can't do that inside your APK at all or inside the application. If someone want to get it, they will get it.
You are going to decipher them, I'll find the key inside the app.
You are going to put them in the web and fetch them after installation, I'll root my phone and get them.
And why would you hide them on the first place, they are assigned with the SHA1 fingerprint of your [Release|Debug] keystore and your package name and no one can have your release keystore and its password.
While you may not be able to achieve 150% security, you may want to take steps in your app to slow possible attackers down. This will result in some of them turning away from exploiting your application, simply because it is not worth the effort.
The OWASP Mobile Security Project has published their collection of "Top Ten Mobile Risks", of which especially the topics "Broken Cryptography" and "Lack Of Binary Protections" are interesting in your case. While even this link does not provide you with a simple "how to", I think it can help you to assess your situation.
I need to develop following functionality for my JSF web application:
Authenticating users through external providers like Gmail, Hotmail, Yahoo, Twitter, Facebook, LinkedIn, Foursquare, MySpace
Importing their contacts from them (Gmail, Yahoo)
I am planning to use SocialAuth Java library for the same, can some one how has used them tell me about your experience with it?
If someone know some better approach for the same, please let me know!
socialauth is your best bet! it supports almost all providers and supports a large variety of java frameworks. Even if you are not using Struts or Spring, you can use the libraries and integrate it with any framework you want.
They also have a very good documentation and examples online:
http://code.google.com/p/socialauth/
Also Check this previous Question :
Taking contact list from hotmail gmail yahoo in java?
I am trying to make a multi user login system for my java program, at the moment i am compairing the username and password to md5 hashes stored in a text file. I would like to be able to geive different users different access wrights to the program, using the system i am using at the moment the accesablility would be easy to change if the text file was opend. Is there a way I could encrypt the text in the file and then unencrypt it when the user loggs in??? Thanks
You can take a look at this comprehensive Java Cryptography guide. However, I think that you would be better off with a database to store the username and password since a text file could be easily deleted or modified. Encrypting it only makes it tougher to read.
Please take a look here and here to learn about JDBC. If you want a more robust framework, you can use and ORM like hibernate. The links I have posted refer to MySQL. It is a very popular Database server and integrates well with Java. You shouldn't have any problems finding tutorials or any kind of help with MySQL.
Also have a look at JAAS to restrict access to your services (e.g. based on roles).
Md5 is a one way hash algorithmic you cant decrypt it back , best way is to compare the encrypted string to validate things
Does this help:
Java - encrypt / decrypt user name and password from a configuration file
Does google provide a Java server side api **(NOT java script).**I dont want the ajax api which works at clint side.
What i want is that the result returned for a keyword should return me search result in some specific data structure.Like List or set data structure.Then i want to manipulate the result according to my need in java code.
I had used such a java server site api for youtube.
They used to but is discontinued. Most likely because you can remove their ads ;-)
From Google's terms of service
You may not send automated queries of any sort to Google's system
without express permission in advance from Google.
So, no - use their AJAX API. The SAOP API is discoutinued, but I think you should be able to use it, unless it requires a key, in which case you are tied to the AJAX API
Technically, the statement quoted above doesn't mean you can't use some sort of server-side API - there are examples of that if you google around. It means you shouldn't do it, because sooner or later you will be blacklisted (banned), as violating the terms.
What you would be looking for now is the CustomSearch API:
They used to have a different API developers could use but it has been depreciated (Nov. 2009 I think) so this is a for cost service now. I am not aware how long it might have been a free service. The new API allows 100 free searches a day, but you have to be signed up for billing else anything above 100 searches will fail, here are the details:
http://code.google.com/apis/customsearch/v1/overview.html
And sorry yes, this would still be using Java Script but you could use this:
http://www.json.org/java/
There is at least a SOAP API that I'm aware of: Google SOAP Search API
I don't think Google wants 3rd parties to use their search engine for their own services/applications. You would get "we think you are a robot" error page as a result if Google thinks you are not a real person.
You can however try Google Custom Search