In an android application, what are some of the best practices for session management?
In my case, I am using Active Directory to authenticate users. I was thinking of storing a last_authentication_time variable on the phone, and requiring the user to log in after a set amount of time. If the user hasn't passed that time period, skip the log in screen. Otherwise, force the user to log in.
Is there anything wrong with this? It seems pretty simple, I just want to be sure to do this the 'proper', secure way.
Yeah its a simple concept although i don't see the point in it, the user either wants to stay logged in or input the password, why would inactivity force the user to enter a pass?
as for a secure way you can either use some kind of encoding (preferably sha1) to store an encoded version of the password in shared preferences or use the account manager as a more secure way of doing this. its a lot more complicated than shared preferences but its also a lot better, search google on how to add an account in the account manager.
Hope this helps.
Related
I am using LibGDX and for the Android version of my game I use the "Get Accounts" permission to identify a user by their Gmail address.
Is their a similar way to identify a user for iOS?
According to the App Store Guidelines, you shouldn't get user's personal data without obtaining the user's prior permission. The only identifier you can use anonymously is identifierForVendor:
UIDevice.currentDevice().identifierForVendor?.UUIDString
This identifier is common for all your apps on the user's device. If all the apps were deleted from the device, the identifier may change. More.
Your best bet is to use GameCenter on iOS for identifying the players. This link provides a little more info on handling users with GameCenter.
According to Apple, you shouldn't identify your users, unless you have a good reason to do so.
Like #Marat said, what you are looking for is the UUID,
but keep in mind that this value may change (for example, if the user delete your app and have none of your other apps).
A possible solution would be to keep the UUID value in the keychain, and that way you will always use the same value.
Edit:
Since your app is a game, you can use Apple's GameCenter.
This will identify the users for you.
I have an Android app, and I would like to make something like a wall that everyone can post on. This should not be something very stressful, so I wanted a free option to make it 24/7 and gDocs came up in my mind. But I would need use it "undercovered" so people can't mess it up. So, I think I have to login with the admin account and manipulate all the creation and update without the user intervention, just display the fields I need. So, can I login to a specific gDocs account by code, or I always have to use the user account?
I know it's not the best option, but it's an free app, and I don't wanna have any cost with this. Also, I didn't start the development yet, just want to know if it is possible.
Thanks
You can log into gDocs with any account you have user and password to.
remember that you have to store the password of that account inside the app (unsafe)
I would recommend you a free webhost with mysql and query a html-request to a php-document for posting on your wall. There you can controll every post with php. reading posts goes over another php-document. Since you define the format, you can have a website showing your wall and android gets a csv containing only data.
I have got a suggestion to restrict an Android application to be installed a limited number of times, let's suppose three times for a given user account. I have already inserted a form at the start of the application which checks for username and password from our database, and returns whether its valid or not.
Next I have to apply a trick to prevent this application from being installed more than three times by each user. I hope it clears what I am trying to do. Any ideas what to do and how to proceed?
By no means you can restrict user to not to install your application from google play.
Have a install_count column in the user table in your database. Each time the user fills out form, check for the install_count value, if it is equal to 3, then don't allow the application to continue, you can show a message like "max installs exceeded" and exit the app. Otherwise, increment the install_count value in the db for that user.
PS: As Zoombie said, you can't stop the user from installing the app, but you can restrict the user from running the application if installation limit exceeds.
Also you need to be aware, there are many apps which take a back up of the installed app and data that can be restored back anytime. More over, if the user changes his device more than thrice, he won't be able to run your application. So consider the drawbacks of this limitation.
Technically this isn't a very difficult problem but the issue of user relations will be difficult to manage. You should provide a simple and easy mechanism for your users to "reset" their install count. Additionally you need to inform your users of this restriction BEFORE they pay for your app.
Restrictions like this will result in problems in a few cases I can think of:
What happens if a user factory resets their phone and then re-installs the app?
What if the user installs a custom ROM or gets a new phone?
Are you going to deny a paying customer the ability to install an application that they paid for? Poorly enforcing a policy like this will only hurt you in the long run as it will result in
very bad reviews of your app
piracy of your app with the checks removed
Remember people are downloading/buying your app because it provides something to them and with that they assume that they'll always have access to your app. As soon as you start denying functionality or violating their assumptions you're going to start alienating your customers.
I would like to know if one should implement AccountManager to save user credentials such as username, email, passwords etc. I can't find a good reason to use it myself.
I don't want other applications to have access to the Accounts and I don't really want them showing in the "Accounts and Sync" settings (although maybe that's not a big deal).
So my question is: should I use it? Pros/cons? Can I hide the Accounts from other apps and stop them from appearing in "Accounts and Sync"?
This accepted answer to this question would probably help you...
What should I use Android AccountManager for?
It should also be pointed out, as mentioned in the above post and also in AccountManager without a SyncAdapter? , that you can't have an AccountManager without a SyncAdapter, so its probably not good to use this for your particular situation.
I can't see any reason to use an AccountManager specifically for storing this type of information - at the end of the day, its no different to manually storing the data yourself in your own database or file. If anything, it probably complicates things - why don't you just store it in SharedPreferences?
The only reason I could think of that would encourage the use of AccountManager would be if you want to share your account across a number of different apps, as the data is stored in the central Android datastore which can be accessed by all apps. However, if this isn't required, I think its probably easier and simpler to just use SharedPreferences
Overview
Using an AccountManager to store credentials is a much secure way than storing in a file or a SQL DB.
A file can be retrieved by any other app unlike via AccountManager Android will enforce that only your app will be able to access to the key.
But even the AccountManager is not fully secured in case of lost phone for example, see this for more info.
Good practice(s)
I would recommend to use the AccountManager and not store the password in clear but the hash.
And for a better level of security it's even better to store a device dedicated token delivered by the webservice and associated to the account (on the webservice side) and enable the user to revoke the token.
Not good
Do not store a clear or even hashed password as a file or in a DB accessible by anyone.
Never store a clear password but always work with a hash instead.
See also
What protects Android AccountManager passwords from being read by other apps?
http://developer.android.com/training/articles/security-tips.html#Credentials
I'm working on an app that requires users to register in order to use the features.
I need to ensure that users are who they say they are so I want to use some type of verification process, e.g. email or text verification.
The best solution would be to receive a text or email after registration with a code. This code can then be entered into the application to verify the login.
I know of GMailSender but that is as far as my knowledge would go for this type of situation.
I have no idea where to start with this and have researched a lot.
Any help would be great
Thanks :)
Manually entering a code received by email would be annoying for users and they are highly likely to abandon a process that forces this upon them. Also from experience, emails are so often caught in spam traps and not received.
You should make it as easy and non intrusive as possible.
e.g
Use the device's built in Google account to register with your server (after obtaining user permission of course).
On the server side perform the registration and return a code to the app.
Use the code returned by the server directly in the app to enable whatever features you see fit.
The above example would be a one click process and would require no manual code entry.