I have submitted an app to Amazon for approval, they came back with this:
"This app appears to be sending unencrypted, sensitive information. In this instance, the E-MAIL and PASSWORD, is being sent in clear text. Please update the app to encrypt all sensitive information."
On the server side, I encrypt the password in my database using the sha1() PHP method (pretty standard). I am assuming they want the password/email String that Java passes to be encrypted while in transit to the web service. I assume? If this is the case, I need to decrypt the data (specifically the email because this needs to be stored in my DB in plain text.
Has anyone seen this Amazon inquiry before? And is my explanation of it correct? And if so, is there a way in Java to temporary encrypt data while in transit?
Here is a sample in how I do it:
insertParam = new ArrayList<NameValuePair>();
insertParam.add(new BasicNameValuePair("Email", Email));
insertParam.add(new BasicNameValuePair("Password", Password));
insertParam.add(new BasicNameValuePair("Username", Username));
try {
HttpClient httpClient = new DefaultHttpClient();
HttpPost httpPost = new HttpPost(url_select);
httpPost.setEntity(new UrlEncodedFormEntity(insertParam));
HttpResponse httpResponse = httpClient.execute(httpPost);
HttpEntity httpEntity = httpResponse.getEntity();
is = httpEntity.getContent();
}
EDIT:
Looks like HTTPS is the way to go.
Amazon's requirement seems somewhat conservative, but could be best met by connecting to your web service via HTTPS instead of unencrypted HTTP. This is exactly what another StackOverflow user did in the end: Amazon AppStore Submission Failed: "Sensitive information like password is echoed in clear text without encryption"
While you could encrypt the data in your app, send it over the internet, and decrypt it on your server using a shared key, this is vulnerable to attackers that decompile your app to get the key.
Alternatively, you could generate a key pair, include the public key in the app and encrypt data with that, send it over the internet, and then use the private key on the server to decrypt the incoming data, but you're basically just re-implementing HTTPS manually.
At the end of the day, the "right" way to implement Amazon's requirement is to use HTTPS. Anything else is likely to be difficult to implement securely.
Related
I want to send an sms that contains arabic letter but when I send the sms. It is being sent like this: ???????
Is there any solution to this problem?
Thanks.
Code:
try{
String twilioSID="AC2be050f87d26aa4b44186c50f6e610e2";
String twilioSecret="abc123";
String urlStr = "https://api.twilio.com/2010-04-01/Accounts/"+twilioSID+"/Messages.json";
HttpClient httpclient = new DefaultHttpClient();
HttpPost httppost = new HttpPost(urlStr);
String base64EncodedCredentials = "Basic "
+ Base64.encodeToString(
("AC2be050f87d26aa4b44186c50f6e610e2" + ":" + "abc123").getBytes(),
Base64.NO_WRAP);
httppost.setHeader("Authorization", base64EncodedCredentials);
String randomCode2 = UUID.randomUUID().toString().substring(0, 5);
String getmob = getIntent().getStringExtra("mob");
List<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>();
nameValuePairs.add(new BasicNameValuePair("From", "+1334254136528"));
nameValuePairs.add(new BasicNameValuePair("To", getmob));
nameValuePairs.add(new BasicNameValuePair("Body", "كود السحب على الهدية \n" +
"("+randomCode2+")\n" +
"احتفظ بيه"));
try {
httppost.setEntity(new UrlEncodedFormEntity(
nameValuePairs));
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
}
Twilio developer evangelist here.
There are a few things I need to tell you here.
First, please never share your Auth Token publicly. With your Account SID and Auth Token a malicious user could abuse your account. I recommend you immediately change your Auth Token to avoid any attacks.
Next up, you have tagged this Android, so I assume you are doing this in an Android application. You should not make calls directly to the Twilio API from an Android application. This is because to do so you need to include your Auth Token. In this case a malicious user could decompile your Android app and extract your Auth Token and use it to abuse your account. Instead, you should build a server application that can store your credentials and make requests to the Twilio API. Here's a blog post on how to send an SMS from Android with Twilio.
Finally, for when you come to build your server side integration to Twilio, you are using the wrong API endpoint. The URL you build up is:
String urlStr = "https://"+twilioSID+":"+twilioSecret+"#api.twilio.com/2010-04-01/Accounts/"+twilioSID+"/SMS/Messages";
This is using the very old and deprecated /SMS/Messages endpoint. Instead, you should be using the more recent Messages resource, with a URL like this:
https://api.twilio.com/2010-04-01/Accounts/{AccountSid}/Messages.json
The /SMS/Messages endpoint did not handle characters outside of ASCII, but the Messages resource can handle any unicode characters.
Since you will be building a server-side integration, I can recommend that you use one of the Twilio helper libraries which make it easier to make requests to the right resource.
I have a java/j2ee web application consuming SP web services but recently the SP site got migrated to 2013 and deployed in cloud/office 0365 due to which authentication got broken. SP people suggested to change authentication mechanism to SAML token based authentication and use Microsoft Azure AD. So i on boarded my application into Azure and received Client ID, Authority using which i am able to generate security token(used adal4j java api) . Now i need to complete below 2 steps to complete the authentication process in office 0365 to access SP 2013 web services.
Get access token cookies
Get request digest token
But not able to find any java based API for above 2 steps. Refereed below tutorial buts its something related to aps/.net
http://paulryan.com.au/2014/spo-remote-authentication-rest/
Please help me in providing sample code base for the same.
Appreciate your support
So you used Microsoft Azure Active Directory Authentication Library (ADAL) for Java?
In which case, have a look at AAD Java samples.
You want the ones that consume a Web API.
Per my experience, I think you can try to directly follow your refered article step by step to use the Apache HttpClient to construct the request.
For example, the code below is using the HttpClient to do the post request with the xml body to get the security token.
CloseableHttpClient httpclient = HttpClients.createDefault();
HttpPost httpPost = new HttpPost("https://login.microsoftonline.com/extSTS.srf");
String xmlBody = "...";
InputStreamEntity reqEntity = new InputStreamEntity(
new ByteArrayInputStream(xmlBody.getBytes(), -1, ContentType.APPLICATION_OCTET_STREAM);
reqEntity.setChunked(true);
httpPost.addHeader("Accept", "application/json; odata=verbose")
httpPost.setEntity(reqEntity);
CloseableHttpResponse response = httpclient.execute(httppost);
String respXmlBody = EntityUtils.toString(response.getEntity());
//Parse the respXmlBody and extract the security token
You can try to follow the code above to get the response includes access token via do the post request with the security token body for the url https://yourdomain.sharepoint.com/_forms/default.aspx?wa=wsignin1.0, and use the code Header[] hs = response.getHeaders("Set-Cookie"); to get the Set-Cookie header array as access token.
Then using them to set the two headers Cookie for getting the request digest token, and parse the response body to extract the FormDigestValue as the request digest token.
I am developing an android app in which, I am sending some text, files to server. I am using JSON to upload files to server. But I want to provide security to upload data. Data should only get uploaded from android device. In my case if I send data using postman it is get uploaded on server.
php developer told me that, "send data in header". I google it and I found some code.
Authentication.java
public class Authentication {
public void AuthenticateData(String url) {
HttpPost httppost = new HttpPost(url);
httppost.addHeader("userId","someName");
httppost.addHeader("secretKey","password");
}
}
And I am using it like this way.
Authentication authentication
URL = "url_to_upload_data";
JSONParser jParser = new JSONParser();
.
.
authentication.AuthenticateData(URL);
.
List<NameValuePair> param = new ArrayList<NameValuePair>();
param.add(new BasicNameValuePair("emailid", emailid));
param.add(new BasicNameValuePair("device_reg", deviceRegNo));
param.add(new BasicNameValuePair("message",message));"));
JSONObject json_Object = jParser.makeHttpRequest(URL, "POST", param);
Is this correct way to do it. Will it be secure?
The problem with your code is that AuthentificateData is not returning anything.
The problem of your approach is that you assume a password can be stored securely on the phone. If you place it in code, even after obfuscation anybody can decompile your sources and read the value.
To provide a secure transfer, you need to use asymmetric cryptography, also refereed as public key cryptography . The public key can be known by anyone and it is safe to store in the phone. You have to protect your server to not leak your private key.
To help in authentication you can also use digital signatures.
You do not have to implement them from scratch. You have here simple examples to get started.
This might be a trivial question but I'm trying to send web request to USPS to get a http post response (or email response depending on my request) containing the tracking information based on the tracking number that I send in. The documentation says the xml needs to appended as part of the url like below
http://secure.shippingapis.com/ShippingAPITest.dll?API=TrackV2&XML=<PTSEmailRequest USERID="xxxxx"><TrackId>xxxxx</TrackId><RequestType>EN</RequestType></PTSEmailRequest>
I saw there were 2 ways to make an xml request, one using HttpPost and the other URLConnection. I'm a bit thrown by how I go about this and I'm failing to appreciate what's the difference between appending xml in the url and a normal http request. Can someone please clear things up for me?
USPS documentation for tracking =>
https://www.usps.com/business/web-tools-apis/track-and-confirm.pdf
I read these related Stackoverflow posts
Java: How to send a XML request?
posting XML request in java
HttpClient httpclient = HttpClients.createDefault();
HttpPost httppost = new HttpPost("http://secure.shippingapis.com/ShippingAPITest.dll");
List<String> params = new ArrayList<String>(2);
params.add(new BasicNameValuePair("API", "TrackV2"));
params.add(new BasicNameValuePair("XML", FuncTOGenerateXML()));
httppost.setEntity(new UrlEncodedFormEntity(params, "UTF-8"));
HttpResponse response = httpclient.execute(httppost);
HttpEntity entity = response.getEntity();
if (entity != null) {
InputStream instream = entity.getContent();
//.....
// .....
instream.close();
}
An HTTP request can use one of several methods, like POST, GET, DELETE, PUT... Here we talk about POST and GET
Technical differences
With GET, the data is retrieved from the parameters in the URL.
With POST, the data is retrieved from the data transmitted inside the HTTP message.
Intended use differences
GET is intended to be used when the request does not cause a change (v.g., searching in Google). Since you can repeat the request without side effects, the data is in the URL and can be stored in the browser history, favorites, etc.
POST is intended to use when you are performing a change (v.g. sending an e-mail, doing a on-line purchase). The data related is not stored with the URL (it is then that, if you go back to a page that was obtained using POST, the browser many times will show you a pop-up asking for permission to send the data again.
In real usage, the distinction is not so clear cut, in particular POST is sometimes used when the data is too large (URLs have limited length). Also, sometimes GET is used with the meaning of POST so the data can be presented as an HTML link.
Finally, URLConnection is the basic API for opening a connection (which you can use as a POST or GET request, based in how you pass the data, or something else) and HttpPost is just a higher level API for creating a POST request. If you go the basic way, use HttpURLConnection better.
I have been trying to understand the postData() method in the following tutorial.
My understanding of the code is:
an nameValuePairs object, which contains some data is being sent over the internet to some web service located at this address: http://www.yoursite.com/script.php which will receive this nameValuePairs object
For example you want to send the age of a person to the webservice.
If you send data via GET the call of the webservice would be like this:
http://www.yoursite.com/script.php?age=18
If you send data via POST the call of the webservice would be like this:
http://www.yoursite.com/script.php
and the key-value arguments are integrated in the data stream of the request
So, to answer your question, no object will be sent,
List<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>(1);
nameValuePairs.add(new BasicNameValuePair("age", "18"));
httppost.setEntity(new UrlEncodedFormEntity(nameValuePairs));
will integrate the key-value-list to the data stream of the request.
Yes, basically... server gets that name-value pair and can process it as it wants ...
For example when logging into your email account, you are sending two name-value pairs - username=your_username and password=your_password ... after receiving, server checks if username you sent is correct and if the password is valid for given username, and then sends you to your account or throws a message that data you supplied is invalid.
It is not java specific. It is http protocol, that can be implemented in any other language.
If you pass an id in like this,
nameValuePairs.add(new BasicNameValuePair("id", "20"));
In php page, you can get the value like this,
$id= $_POST['id'];