Just out of curiosity, have you looked at implementations of OAuth on Android...?

kris

On Fri, Dec 14, 2012 at 5:12 AM, Rajiv Yadav <rajivyada...@gmail.com> wrote:
> Hi all,
> I have an easy and basic approach for doing this:
>
> 1. getKey(uuid, timestamp)
> It will call the server and get a temporary key, and the service will store uuid and timestamp, and key.
>
> 2. Login(encrypted-key, username, other credentials....)
> The password will encrypt the key by MD5 and send it back to the server.
>
> 3. Server decrypts the key with the password available on the server. If the key matched, an authentication token will be generated and stored in a table and returned back.
>
> 4. We will save the authentication token in our preferences, and in further requests the authentication token will be sent for authentication.
>
> Is it a good approach, or do you have anything more secure and easy? Please suggest.
>
> On Fri, Dec 7, 2012 at 8:08 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
>> On Fri, Dec 7, 2012 at 5:45 AM, sampath premarathna <sampathpremarat...@gmail.com> wrote:
>>> But in your solution anyone in the middle can get that token also, so he can intercept and change the request, no?
>> You would run your application over VPN or SSL/TLS. The token is large and random (96-bits or 128-bits), so it can't be effectively guessed.
>>
>> I've also seen static tokens (tokens that are easy to predict or don't change over protocol runs). For example, something clever like the device's UUID. Those apps get kicked too because the attacker can guess the token, and we should not be tracking users based on UUIDs.
>>
>> Jeff
>>
>>> On Monday, November 5, 2012 11:52:17 PM UTC+5:30, Jeffrey Walton wrote:
>>>> On Fri, Nov 2, 2012 at 12:06 AM, Rajiv Yadav <rajivy...@gmail.com> wrote:
>>>>> Hi, I am developing an application which uses restful services (near about 30 restful methods; some are using "get" and some are using "post"). It is working fine, but in each call throughout the application I need to send some secure data (like username, password in some encrypted form).
>>>>>
>>>>> My question is: is there any secure way for this? Please suggest.
>>>> Yes. You log into the application once with a {username, password} pair. You never use the {username, password} again in a request (until the server expires the session). If the server expires the session, then you have to log in again. In return for a successful log in, you get a token to use on future requests. This is coarse grained entitlements (can you use the application?).
>>>>
>>>> When a request arrives at the server for services, the request includes the token. The server provides the mapping between token->user. This is fine grained entitlements (can the user access the resource?).
>>>>
>>>> If I see a web app cross my desk that uses {username, password} in each request, then I boot the application immediately. Just giving you fair warning here since I'm not the only guy who will deny such an application.
>
> --
> *Thanks & regards,
> Rajiv Kumar *
>
> *Mobile* +91 9582557400
>
> *Email* rajivyada...@gmail.com
>
> --
> You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
> To post to this group, send email to android-security-discuss@googlegroups.com.
> To unsubscribe from this group, send email to android-security-discuss+unsubscr...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
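The server side of the token scheme Jeff describes, as an added example that is not from the thread: the client sends {username, password} once, gets back a 128-bit random token from the OS CSPRNG (never a UUID or other predictable value), and later requests carry only the token, which the server maps to a user until the session expires. The function names, the in-memory stores, and the PBKDF2 password storage are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for the server's database (assumption).
_USERS = {}         # username -> (salt, pbkdf2 hash); the server keeps no plaintext password
_SESSIONS = {}      # token -> (username, expiry); the token->user mapping Jeff describes
SESSION_TTL = 3600  # seconds; once expired the client must log in again

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(username, password):
    salt = secrets.token_bytes(16)
    _USERS[username] = (salt, _hash_password(password, salt))

def login(username, password, now=None):
    """Coarse-grained entitlement: verify {username, password} once and issue a token."""
    now = time.time() if now is None else now
    record = _USERS.get(username)
    if record is None:
        return None
    salt, expected = record
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return None
    # 16 random bytes = 128 bits; unguessable and unrelated to the device's UUID.
    token = secrets.token_hex(16)
    _SESSIONS[token] = (username, now + SESSION_TTL)
    return token

def user_for_token(token, now=None):
    """Map a presented token to its user; None if the token is unknown or expired."""
    now = time.time() if now is None else now
    entry = _SESSIONS.get(token)
    if entry is None:
        return None
    username, expiry = entry
    if now >= expiry:
        del _SESSIONS[token]  # server-side expiry forces a fresh login
        return None
    return username

def authorize(token, resource_owner, now=None):
    """Fine-grained entitlement: the token's user may only touch their own resource."""
    user = user_for_token(token, now)
    return user is not None and user == resource_owner
```

Every call after `login` carries only the token; the password is checked exactly once per session.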