Background

Reading these articles http://developer.android.com/google/auth/http-auth.html and http://android-developers.blogspot.cz/2013/01/verifying-back-end-calls-from-android.html and some other responses on SO like "OAuth 2.0: client id and client secret exposed, is it a security issue?" and "client secret in OAuth 2.0", I realized that it is not worth authorizing my REST API using a token received from Google OAuth. Anybody can fake it (by writing his own app and getting the token), as attackers can get the Client ID from a decompiled APK. I see using the app's unique name on Google Play as the only way of securing the app.

Question

Is it possible to restrict the call to Google that obtains the security token to the app's unique name on Google Play?

1 Answer

Get an OAuth token from Google.

  1. Rule of security: don't invent your own security. Use an established library for handling security.
  2. Rule of security: don't save (persist) security tokens in your program. Get another one when you need it.

    return GoogleAuthUtil.getToken(mActivity, "me@example.com", "oauth2:http://www.example.com/data/");

http://developer.android.com/google/auth/http-auth.html

  • Hi Danny, ad 1) I don't want to reinvent the wheel. ad 2) I don't understand. If someone just decompiles the APK and takes "me@example.com" and "oauth2:http://www.example.com/data/", he can make his own app, log in with his own Google account and exploit our database. Or can you please explain how OAuth prevents it? – Amio.io Oct 16 '14 at 05:17
  • Once that rogue user has sent his own credentials, you have a claim that he is xyz person from a site you've decided to trust, Google, nothing more. It is still your responsibility to verify the claim (using an established library) and then grant access or not. Usually you will keep a table of allowed IDs for your app. So you get an access_token from Google, you go to the tokeninfo page, get back username, email, id and so on, and then confirm that you have allowed that id access. – Philip Nelson Oct 22 '14 at 11:24
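The back-end side of the check described in the answer and the comments above, as an added example (not code from the original question, answer, or the linked Google docs). It follows the mechanism the linked blog post describes: the app asks Google for an ID token whose `aud` claim is the server's client ID and whose `azp` claim is the Android client ID, and since the Android client ID is registered in the Google API Console against the app's package name and signing-certificate SHA-1, a rogue app built from a decompiled APK cannot obtain a token carrying our `azp`. The client IDs, the user id in the allow-list and the sample tokens are all constructed for the example; the tokens are unsigned placeholders, so in production the RS256 signature must be verified against Google's published certificates first (for instance with `google.oauth2.id_token.verify_oauth2_token` from the google-auth library), and only then are the claim checks below applied.

```python
"""Back-end verification of a Google ID token's claims, plus an allow-list check.

Added example: the client IDs, user ids and tokens below are constructed for
illustration. Signature verification is NOT performed here and must be done
with an established library before trusting any claim.
"""
import base64
import json
import time
from typing import Optional

# Hypothetical client IDs (not real values). The Android one is bound, in the
# Google API Console, to the app's package name + signing-certificate SHA-1.
SERVER_CLIENT_ID = "123456789012-server.apps.googleusercontent.com"
ANDROID_CLIENT_ID = "123456789012-android.apps.googleusercontent.com"
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}

# Our own table of allowed users, keyed by Google's stable 'sub' id (constructed).
ALLOWED_SUBS = {"110169484474386276334"}


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_id_token(token: str) -> dict:
    """Split a compact JWT and return its payload. Signature is NOT checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims: dict, now: Optional[float] = None) -> str:
    """Return the Google user id ('sub') if the token was minted for OUR server,
    requested by OUR Android app and is still valid; raise ValueError otherwise."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("bad issuer")
    if claims.get("aud") != SERVER_CLIENT_ID:
        raise ValueError("token not intended for this server")
    # 'azp' (authorized party) is the client ID that requested the token. A rogue
    # app cannot present our Android client ID, so this is the check the
    # question is really asking for.
    if claims.get("azp") != ANDROID_CLIENT_ID:
        raise ValueError("token not requested by our Android app")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired")
    sub = claims.get("sub")
    if not sub:
        raise ValueError("no subject")
    return sub


def authorize(token: str, now: Optional[float] = None) -> str:
    """Full gate: Google-binding checks first, then our own allow-list."""
    sub = check_claims(decode_id_token(token), now)
    if sub not in ALLOWED_SUBS:
        raise PermissionError("user %s is not allowed" % sub)
    return sub


def make_sample_token(claims: dict) -> str:
    """Construct an UNSIGNED sample token for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return "%s.%s.%s" % (header, body, _b64url_encode(b"placeholder-signature"))


NOW = 1_413_436_800  # fixed clock so the samples are deterministic

GOOD_CLAIMS = {
    "iss": "accounts.google.com",
    "sub": "110169484474386276334",
    "aud": SERVER_CLIENT_ID,
    "azp": ANDROID_CLIENT_ID,
    "email": "me@example.com",
    "exp": NOW + 3600,
}
# Same Google user, but the token was requested by an attacker's own app (own client ID).
ROGUE_APP_CLAIMS = dict(GOOD_CLAIMS, azp="999999999999-evil.apps.googleusercontent.com")


def demo() -> dict:
    """Run the gate over the constructed cases and report allowed/denied per case."""
    cases = {
        "good": GOOD_CLAIMS,
        "rogue_app": ROGUE_APP_CLAIMS,
        "wrong_aud": dict(GOOD_CLAIMS, aud="some-other-server"),
        "expired": dict(GOOD_CLAIMS, exp=NOW - 1),
        "unknown_user": dict(GOOD_CLAIMS, sub="1"),
    }
    results = {}
    for name, claims in cases.items():
        try:
            results[name] = "allowed:" + authorize(make_sample_token(claims), NOW)
        except (ValueError, PermissionError) as e:
            results[name] = "denied:" + str(e)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The `azp` check is what turns "anybody with the Client ID can get a token" into "only the app signed with our certificate can get a token we accept"; the allow-list step after it is the per-user authorization the second comment describes, and keeping it server-side means nothing in the APK needs to stay secret.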