I'm working on an app that requires users to register in order to use the features.
I need to ensure that users are who they say they are so I want to use some type of verification process, e.g. email or text verification.
The best solution would be to receive a text or email after registration with a code. This code can then be entered into the application to verify the login.
I know of GMailSender but that is as far as my knowledge would go for this type of situation.
I have no idea where to start with this and have researched a lot.
Any help would be great
Thanks :)
Manually entering a code received by email would be annoying for users and they are highly likely to abandon a process that forces this upon them. Also from experience, emails are so often caught in spam traps and not received.
You should make it as easy and non intrusive as possible.
e.g
Use the device's built in Google account to register with your server (after obtaining user permission of course).
On the server side perform the registration and return a code to the app.
Use the code returned by the server directly in the app to enable whatever features you see fit.
The above example would be a one click process and would require no manual code entry.
Related
I have an user which has certain limitations on menu items those can be access by user. I am able to restrict user on Ui from performing not authorized actions. I have a problem to limit user on the server side to protect from making it accessible through various rest clients.
EX: item A has only GET api permission and B also has only GET permissions. I am trying to perform POST for A so my concern is how do I ensure that call is for A or item B.
I am using java8 and spark java framework. Please let me know if anyone has a solution for this.
NOTE: Adding authorization for each route separately will not be a good idea so please help to write a common generalize method.
Recently my game has been hacked and one user submitted an impossible score to the server. The score was submitted with a verified checksum, and correct data.
I'm convinced that the user must have reverse engineered my APK file to find the POST request.
Now I wonder what would be a good way to prevent this from happening again and I thought about verifying the SHA1 signature of the app. Maybe this way I can make sure that the app is signed by me, and is not a reverse engineered and changed version of the app.
Would this be possible? Or would there be a better solution to solve this?
I am using LibGDX by the way.
First of all, you really have to obfuscate your code. You can find more information about ProGuard and code obfuscation here.
Second of all, you can use GoogleAuthUtil available in Google Play Services, which is available for devices running Android 2.2 or higher.
GoogleAuthUtil does exactly what you need:
Your client server calls go to Google via a HTTPS request, Google checks whether or not the call is made by an app signed with your release certificate, and then it sends the request to your server.
You can find official tutorials about how to implement this here and official documentation here.
Cheers!
1) Use code obfuscation for ex. Proguard. This kind of tools available not only for Java.
But be careful with that - obfuscated code may work slowly or contain additional bugs.
2) Add App Licencing check (this will check app signature with Google Play):
Watch this video with attention:
https://www.youtube.com/watch?v=TnSNCXR9fbY
As I remember he mention technics used at runtime to verify your app not hacked or modified (zip check, etc).
3) Make sure your app/server use secure connection (SSL/TLS) only with MODERN cipher suites. This will mitigate downgrade attacks.
You can use this generator to build config with MODERN cipher suites for your server:
https://mozilla.github.io/server-side-tls/ssl-config-generator/
Also you can use certificate pining on client side - this will mitigate authority attack.
Do not use plain HTTP connection.
4) Use some kind of request signing (like Amazon AWS does)
You can get core idea from their docs.
http://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html
Also this article should be helpful.
5) Prohibit usage of your app on ROOT'ed devices by adding run time check. Because of on rooted phone it's easier to hack or analyze your app.
6) You can decrease fraud by adding some ban system to your online game - if somebody hack your app and send wrong data to your server => add this user to ban list on server side (by IP or by user ID, etc). Probably add users to this list temporary (ex 24 hr, 7 days)
7) + if you are using Json/XML as data formats for network layer try to use binary format like Protocol Buffers. Binary serialization formats more efficient and hard to reverse engineer.
If you want to verify the signature of your app without the possibility that this is cracked too, you would have to upload the whole apk and make the check on a server. This is not a practicable solution.
The only secure android app is a pure terminal app, which means you'd have to do all computing on a server. Most of the time this won't be possible because of latency.
That's why we Android developers have to live with this: an app is not 100% secure.
But you can get close to it.
You might want to read Security with HTTPS and SSL guide for securing your communication.
Also you'll want to ensure your client is hard to crack: android app piracy prevention and Combating Android App Piracy: Xposed
In your case you'll also want to implement server-side request validation:
If you have a game with a server side, users probably have an account. If a user sends a clearly impossible score, automatically disregard the request and ban the user (and his ip). (But also have in mind that this should never happen to a valid request, otherwise users might get angry and stop playing.)
You can obfuscate your code better and use some very obfuscated secret to sign your requests. With that you can increase security.
But if all your game run in client it can't be completely secure. Because it doesn't matter what you use to sign, if you do it in client it means you have the secret or private key in client and then it can be hacked.
To make it more secure you need to involve some game logic in server and then control in that logic that the user isn't cheating.
Verifying the integrity of your app won't be enough, since the request can be easily faked outside the app or modified in memory on the fly, using a rooted android environment. Even more, you cannot totally avoid it.
This is a problem shared by all applications running in a machine out of your control (all client applications). You can't never trust the data coming from them.
As I can see it, you have several choices:
Obfuscate the code and make the app more difficult to be reverse-engineered. Notice that this do not solve the problem, but minimizes it.
Move processing to the server. The more game-play is controlled by the server, the less vulnerable you app would be to this malicious behavior.
Automatically detect impossible scores and close their accounts
Cheers,
I would like to connect a Java application to the Nest-Cloud via the Firebase-Api. The application is as simple as reading the setpoint of a nest thermostat.
I spent a lot of time on developer.nest.com and firebase.com to find the required information, but failed.
What is actually the base url, where the firebase is located? seems not to be home.nest.com
How can I authenticate without user interaction? I tried FirebaseSimpleLogin, but the implementation depens on Android, which is not my platform.
Thanks for your help.
For 1) I don't know for sure, but have you tried https://api.home.nest.com and https://developer-api.nest.com?
2) The user has to authenticate and allow the client you're developing at least once. You'll need to get an authorization code, which you get from the client page on the Nest developer site. The code is six characters I think, and you'll have to include that in your code or assign to a variable and call it.
Take a look at another entry I made. If nothing else, it might help you get a little farther down your rabbit trail.
One of our apps on Android is currently quite vulnerable to IAP hacking. We want to avoid this as this will ruin some network-based systems and also harm our revenue.
We would like to know is there a way to validate the purchase receipt before we give him item. Thank you very much.
Also sorry for my extremely bad english, they may sound rude at some point(someone told me) but I am actually being very polite.:)
The way to do it is to use Purchase Status API
You will do the billing process on the client side, and once done, you will send the token to the server, and then, be able to check the status of a purchase.
If the status is what you expect, then you will enable or send the update to the user.
A bit of background info:
I am building a geolocation based game for Android
The server-side is coded in php
Certain in-game actions requires the client application to send the current latitude and longitude to the server
Is there any way to prevent the user from tampering with the location data being sent to the server?
Please let me know if you need more information
Thank you,
EDIT: I understand there will be workaround to any security measure I implement, but how can I make it harder for users to modify the data being communicated to the server
The short answer is no. They will always be able to fiddle their device or application to send you what they want, because they control it.
Well, to some extent. You could consider using public key cryptography to make sure the message sent from your app has not been modified in between. That will prevent people from using a simple proxy to capture the data you're sending. The easiest way to do this is by using SSL.
What JVerstry means is that you would always be able to modify the app or control whatever the device is telling your app about the location. And no, there is no way of getting around that.