
I have recently started toying with an Android application, and I have gotten to the point where I want it to communicate with a web service. I understand completely how to do this in an insecure way; where I am slightly tripped up is on security.

I want it to work much like the Facebook app on my phone does: it is always logged in and never seems to expire.

My first idea was to use user/pass and save them locally on the phone with SSL encryption. But this can be a security issue: with a lost phone being rooted, people can see the login and pass (even if they are hashed/encrypted, this seems like an issue).

My other option is to use OAuth 1a/2, but this seems to have the same problem if I am not mistaken, except with an auth token, meaning the same problem occurs except at an API layer.

I have also looked into Android's AccountManager, but I am planning on making this for iOS too, so I want to use common practices for both.

What do you guys think?

General Questions:

  1. Is refreshing an OAuth token the same as logging in again, or is it simply a new OAuth token?

  2. Is there a way to get a unique id from a phone to detect if a "new phone" is in use?

  3. Does anyone know how Facebook or Google handle their authentication/authorization on their devices? Do they simply store an authentication token that never expires, or when it does expire just issue a new one?

I guess Android apps seem vulnerable to me from a "what if someone found an exploit to pull authentication tokens without root access?" standpoint. Am I wrong in thinking this?

Am I also wrong in believing that the only thing that would stop someone from accessing my account via the API if they got my token is if I accessed and used the API and it updated my OAuth token to a new value, making my old one obsolete? (Assuming there is no reliable way to tell which device is which.)

Krum110487

1 Answer

Yes, storing the user/pass on the device is out of the question. Take a look at this for some detail on how tokens work.

What you want to do is get an OAuth token from your server once the user logs in, store it, and use it to sign all your requests. If someone else gets your token, you can invalidate it so they will not be able to make any more requests on your behalf.

In regard to your questions:

  1. Invalidating your token will be similar to logging you out. Refreshing (exchanging the token for a new one) would be like logging you in again.
  2. Yes, you can find out how here.
  3. I have implemented authentication using FB and Twitter in my apps before, and the way it works is: after the user authenticates, you get a short-lived token that you can exchange for a long-lived one. You would then store this on the device and use it for future requests. More information here.
FMontano
  • OK, so the idea of OAuth is not that it is more secure in the sense of vulnerabilities (as user/pass has the same problem), but in the sense that it protects the user's actual username and password, and if it is compromised, you simply renew/invalidate the token. – Krum110487 Apr 03 '14 at 20:15
  • Yes. You don't have to store user credentials, and you don't have to transmit them over the web every time you open up the app. – FMontano Apr 03 '14 at 20:18
  • Take a look at [this answer](http://stackoverflow.com/questions/7561631/oauth-2-0-benefits-and-use-cases-why). You might find it helpful. – FMontano Apr 03 '14 at 20:20
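The token lifecycle the answer describes, modelled on the server side as an added example (this is not code from either poster): login issues a short-lived token, exchange rotates it into a long-lived one and consumes the old one, and revoke cuts off a stolen token. The user table, the lifetimes, and storing only a hash of each token are constructed assumptions for the demo.

```python
import hashlib
import secrets
import time

SHORT_LIVED = 10 * 60          # seconds; assumed lifetime of the login token
LONG_LIVED = 60 * 24 * 3600    # seconds; assumed lifetime of the exchanged token


class TokenService:
    """Server-side bearer-token lifecycle: issue, exchange, validate, revoke."""

    def __init__(self, clock=time.time):
        self.clock = clock
        # Constructed demo user; a real server verifies a salted password hash.
        self.users = {"alice": "correct horse"}
        # token_hash -> (user, expires_at). Only a hash of the token is stored,
        # so a leaked token table does not hand out usable tokens.
        self.tokens = {}

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, user, lifetime):
        token = secrets.token_urlsafe(32)
        self.tokens[self._h(token)] = (user, self.clock() + lifetime)
        return token

    def login(self, user, password):
        # Credentials cross the wire once; the phone keeps only the token.
        if not secrets.compare_digest(self.users.get(user, ""), password):
            return None
        return self._issue(user, SHORT_LIVED)

    def validate(self, token):
        # Returns the owning user, or None if the token is unknown, revoked or expired.
        entry = self.tokens.get(self._h(token))
        if entry is None or entry[1] <= self.clock():
            return None
        return entry[0]

    def revoke(self, token):
        # Invalidating the token is the server-side equivalent of logging the device out.
        self.tokens.pop(self._h(token), None)

    def exchange(self, token, lifetime=LONG_LIVED):
        # Rotate: the presented token is consumed and replaced, so a copy kept by
        # a thief stops working as soon as the legitimate client rotates.
        user = self.validate(token)
        if user is None:
            return None
        self.revoke(token)
        return self._issue(user, lifetime)
```

Because exchange consumes the old token, a second exchange attempt with a stolen copy fails, which is the rotation behaviour the question's last paragraph asks about.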