
I implemented Endpoints with OAuth2, and I am not happy with it. I look at some random game from Storm8, and they don't require the user to log in, and ask for almost no permissions. Then I look at my game and I see lots of potentially dangerous permissions, and even that is not enough: in game it asks me to "know who you are on Google". And I am not a big company, just a small developer, so people will wonder if I am not trying to hack them. And all I need is to know the user ID, and to know that this is really the user from the request. I think it is unacceptable.

I decided I will not use the authentication promoted by Google, and use my own instead: I'll give a unique ID to the user, and a random password, and allow them to be changed (or not, if they do not log in from different devices). I'll store the login / password in shared preferences and send them in every request. So I have the following questions that are very essential for me and I'll be very grateful for answers or hints:

1) Is there any strong reason not to go this way? I will be able to greatly reduce the number of permissions, and improve user experience.

2) I believe all the communication between the Android application and the endpoint is via HTTPS by default, am I right?


2 Answers


Google specifically created an OAuth verification only service which allows you to secure your calls to a Google App Engine Cloud Endpoints without asking the user for any special permission to their account. This allows you to automatically secure your connection to the server and then you can proceed with using any login setup you may want (although note that Shared Preferences are not necessarily the best place for sensitive login information).

ianhanniballake
  • Thank you very much for your input. Still, from your link "offers a good solution to this problem, based on the use of **Google Accounts**". And "if someone has installed your app and given it permission to [...] know your identity" are the problems here. What is a better place than Shared Preferences? – user2855896 Jan 04 '14 at 09:34
  • You should reread the 'Magic Happens' section: "Normally, when you ask for an OAuth token, the person using the device sees a challenge, asking them if it’s OK to use their identity to get at some resource or other. But in this case, the system looks at the server-side Client ID in your scope argument, notices that it’s in the same project as your Android app, and *gives you the token without pestering the user* ; they’ve already agreed to a relationship with you, the developer who controls that project." - users don't give any permission beyond installing your app. – ianhanniballake Jan 05 '14 at 03:17
  • Actually, I did something wrong and that's why my app asked the user for permissions inside the app. – user2855896 Dec 13 '14 at 00:04
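An added example (not code from the answer, the question, or Google's samples) of the server side of the arrangement described above, written against the v1 Cloud Endpoints Java annotations. The two client IDs are placeholders to be replaced with the project's own, and the `WhoAmI` class and `whoami` method are invented for illustration; the point is that the identity comes from the token Endpoints verified, and that a request without a valid token must be rejected rather than trusted.

```java
import com.google.api.server.spi.Constant;
import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.ApiMethod;
import com.google.api.server.spi.response.UnauthorizedException;
import com.google.appengine.api.users.User;

// Placeholder client IDs (assumption): replace with the IDs from the project's
// Google Cloud Console. The Android ID is registered with the app's package name
// and signing-certificate fingerprint; the web ID is the one the Android client
// passes as its audience ("server:client_id:<WEB_CLIENT_ID>"). Because both IDs
// belong to the same project, no consent screen is shown to the user.
@Api(
    name = "gameApi",
    version = "v1",
    clientIds = {"ANDROID_CLIENT_ID_PLACEHOLDER.apps.googleusercontent.com",
                 "WEB_CLIENT_ID_PLACEHOLDER.apps.googleusercontent.com"},
    audiences = {"WEB_CLIENT_ID_PLACEHOLDER.apps.googleusercontent.com"},
    scopes = {Constant.API_EMAIL_SCOPE})
public class GameApi {

  /** Minimal response object carrying the identity the server actually verified. */
  public static class WhoAmI {
    public String email;
  }

  // Endpoints checks the bearer token (signature, expiry, audience, client ID)
  // before this method runs and injects the outcome as the User parameter.
  @ApiMethod(name = "whoami", path = "whoami")
  public WhoAmI whoami(User user) throws UnauthorizedException {
    // Key check: a missing, expired or wrong-audience token arrives as null.
    // Failing closed here is what makes the returned identity trustworthy.
    if (user == null) {
      throw new UnauthorizedException("Valid Google credential required.");
    }
    WhoAmI reply = new WhoAmI();
    // Server-verified identity; nothing here is taken from a client-supplied field.
    reply.email = user.getEmail();
    return reply;
  }
}
```

The client can then key its own account records on the verified email without ever storing a password of its own, which is the property the second answer argues for.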

1) You should never "roll your own" security if you can avoid it. The issues are many, varied, and subtle. You should use the security mechanisms provided to you by Google (or another trusted party) -- their engineers are far more educated and experienced in this field than us mere mortals.

https://security.stackexchange.com/questions/18197/why-shouldnt-we-roll-our-own

There's a reason Google uses OAuth2 (emphasis on 2) -- flaws were found in the original version. If the very best experts working together (it is an open standard) can't create a perfect authentication mechanism, it's unreasonable to expect that you (or I, for that matter) can do better.

One of the little side benefits of using Google's authentication is that you don't have to store the user's credentials. This makes you immune to having user credentials stolen by a hacker and even simplifies your personal "privacy policy".

2) Yes, I believe that all App Engine endpoint calls are made over SSL though I am unable to find an official confirmation of this. I actually stumbled upon your question while searching for exactly that.

Brian White
  • "You should never "roll your own" security if you can avoid it." - Yeah right. Tell that to WhatsApp who became enormously successful by eliminating the requirement to know virtually anything about the user. Looks like the "mortal" WhatsApp developer beat the crap out of the "immortal" Google developer. – Johann Feb 26 '14 at 08:27
  • Success with a good idea is not at all related. Identification is not security. WhatsApp did identification. If you don't want security then things are easy. If you do want security, don't think you're smarter than the experts. Being good at software is meaningless because software is about making sure that it does what you intend while security is about making sure it doesn't do what you don't intend -- a much harder problem. – Brian White Feb 26 '14 at 18:34