Ah, and indeed, their library for Java works for Android...

http://code.google.com/p/oauth-signpost/

Sorry, I didn't mean to derail the discussion on safe protocols but
just wanted to provide some perspective on auth protocols that you'll
see most people using.  (I.e., Facebook, Twitter,..,)  It certainly
still suffers from the CA type trust issues.

Kris

On Sun, Dec 16, 2012 at 7:55 PM, Kristopher Micinski
<[email protected]> wrote:
> No disrespect taken, I just wondered if he'd taken a practical
> viewpoint (everyone uses it) to his auth problem.
>
> I didn't really see any mention of why the OP wanted a more elaborate
> approach, and since the aura I pick up from him seems to indicate he
> wants a "works with my app" rather than "very secure" solution, he can
> probably find OAuth libraries that fit into his app pretty easily.
>
> I'm not a strong supporter either way, but from a practical standpoint
> using OAuth might be a good idea: it all depends on your requirements.
>
> (For clarity, I'm taking the OP's original email as his point, I
> skimmed the others..)
>
> Kris
>
> On Sun, Dec 16, 2012 at 6:42 PM, Jeffrey Walton <[email protected]> wrote:
>>
>>
>> On Sun, Dec 16, 2012 at 12:02 AM, Rajiv Yadav <[email protected]>
>> wrote:
>>>
>>> Hi Kris,
>>> I tried OAuth, but setting up a provider on the WCF end was a bit tricky
>>> for me.
>>> I don't know .NET much.
>>> If you have some sample for OAuth Android - WCF integration with your own
>>> provider, please share.
>>
>>
>> OAuth confers trust to a third party. I suspect it has similar shortcomings
>> to those a public CA hierarchy has.
>>
>> If you choose OAuth, OAuth 1.0 is broken so don't use it. I think you need
>> OAuth 1.0a. There have been some questions on the security of OAuth 2.0 (or
>> more correctly, IETF standardization has weakened or removed some security
>> properties). Make sure OAuth 2.0 has the properties you desire or require if
>> you use it.
>>
>> No disrespect intended to Kris or the OAuth folks.
>>
>> Jeff
>>
>>> On Sat, Dec 15, 2012 at 10:24 PM, Kristopher Micinski
>>> <[email protected]> wrote:
>>>>
>>>> Just out of curiosity, have you looked at implementations of OAuth on
>>>> Android...?
>>>>
>>>> kris
>>>>
>>>>
>>>> On Fri, Dec 14, 2012 at 5:12 AM, Rajiv Yadav <[email protected]>
>>>> wrote:
>>>>>
>>>>> Hi all,
>>>>> I have an easy and basic approach for doing this:
>>>>>
>>>>> getKey(uuid, timestamp)
>>>>> It will call the server and get a temporary key, and the service will
>>>>> store uuid, timestamp, and key.
>>>>>
>>>>> Login(encrypted-key, username, other credentials....)
>>>>> The password will encrypt the key by MD5 and send it back to the server.
>>>>>
>>>>> The server decrypts the key with the password available on the server.
>>>>> If the key matches, an authentication token will be generated, stored in
>>>>> a table and returned back.
>>>>>
>>>>> We will save the authentication token in our preferences, and in
>>>>> further requests the authentication token will be sent for authentication.
>>>>>
>>>>> Is it a good approach, or do you have anything more secure and easy? Please
>>>>> suggest.
>>>>>
>>>>>
>>>>> On Fri, Dec 7, 2012 at 8:08 PM, Jeffrey Walton <[email protected]>
>>>>> wrote:
>>>>>>
>>>>>> On Fri, Dec 7, 2012 at 5:45 AM, sampath premarathna
>>>>>> <[email protected]> wrote:
>>>>>> > But in your solution anyone in the middle can get that token also, so
>>>>>> > he can intercept and change the request, no?
>>>>>> You would run your application over VPN or SSL/TLS. The token is large
>>>>>> and random (96-bits or 128-bits), so it can't be effectively guessed.
>>>>>>
>>>>>> I've also seen static tokens (tokens that are easy to predict or don't
>>>>>> change over protocol runs). For example, something clever like
>>>>>> device's UUID. Those apps get kicked too because the attacker can
>>>>>> guess the token, and we should not be tracking users based on UUIDs.
>>>>>>
>>>>>> Jeff
>>>>>>
>>>>>> > On Monday, November 5, 2012 11:52:17 PM UTC+5:30, Jeffrey Walton
>>>>>> > wrote:
>>>>>> >>
>>>>>> >> On Fri, Nov 2, 2012 at 12:06 AM, Rajiv Yadav <[email protected]>
>>>>>> >> wrote:
>>>>>> >> > Hi, I am developing an application which uses RESTful services
>>>>>> >> > (near about 30 RESTful methods; some are using "get" and some are
>>>>>> >> > "post"). It is working fine, but in each call throughout the
>>>>>> >> > application I need to send some secure data (like username,
>>>>>> >> > password in some encrypted form).
>>>>>> >> >
>>>>>> >> > My question is: is there any secure way for this? Please suggest.
>>>>>> >> Yes. You log in to the application once with a {username, password}
>>>>>> >> pair. You never use the {username, password} again in a request (until
>>>>>> >> the server expires the session). If the server expires the session,
>>>>>> >> then you have to log in again. In return for a successful log in, you
>>>>>> >> get a token to use on future requests. This is coarse-grained
>>>>>> >> entitlements (can you use the application?).
>>>>>> >>
>>>>>> >> When a request arrives at the server for services, the request
>>>>>> >> includes the token. The server provides the mapping between
>>>>>> >> token->user. This is fine-grained entitlements (can the user access
>>>>>> >> the resource?).
>>>>>> >>
>>>>>> >> If I see a web app cross my desk that uses {username, password} in
>>>>>> >> each request, then I boot the application immediately. Just giving you
>>>>>> >> fair warning here since I'm not the only guy who will deny such an
>>>>>> >> application.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Android Security Discussions" group.
>> To post to this group, send email to
>> [email protected].
>> To unsubscribe from this group, send email to
>> [email protected].
>> For more options, visit this group at
>> http://groups.google.com/group/android-security-discuss?hl=en.

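The login-once-then-token scheme Jeff describes above, as an added example written for this page (it is not code from anyone in the thread): a hypothetical server-side session store that issues a 128-bit CSPRNG token, maps token -> user, expires sessions, and answers both the coarse-grained ("may this caller use the app?") and fine-grained ("may this user reach this resource?") questions. The verify_password callable, the acl table and the injectable clock are assumptions of this example.

```python
import secrets
import time
from dataclasses import dataclass

TOKEN_BYTES = 16            # 128-bit random token, the size mentioned in the thread
SESSION_TTL_SECONDS = 3600  # assumed session lifetime; the server decides when to expire


@dataclass
class Session:
    username: str
    expires_at: float


class TokenAuthServer:
    """Hypothetical server-side session store, constructed for this example."""

    def __init__(self, verify_password, acl, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self._verify_password = verify_password  # callable(username, password) -> bool
        self._acl = acl                          # username -> set of allowed resources
        self._sessions = {}                      # token -> Session
        self._ttl = ttl
        self._clock = clock                      # injectable so expiry can be tested

    def login(self, username, password):
        """Exchange {username, password} for a token once; credentials are not sent again."""
        if not self._verify_password(username, password):
            return None
        token = secrets.token_hex(TOKEN_BYTES)   # CSPRNG output, not derived from a device UUID
        self._sessions[token] = Session(username, self._clock() + self._ttl)
        return token

    def user_for(self, token):
        """Coarse-grained entitlement: map token -> user, or None if unknown or expired."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if self._clock() >= session.expires_at:
            del self._sessions[token]            # expired: the client must log in again
            return None
        return session.username

    def can_access(self, token, resource):
        """Fine-grained entitlement: may the user behind this token use the resource?"""
        username = self.user_for(token)
        return username is not None and resource in self._acl.get(username, set())

    def logout(self, token):
        """Server-side expiry on demand; the token stops working immediately."""
        self._sessions.pop(token, None)
```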