
I'm making an Android app that allows the user, after entering their name and password, to modify their profile through a REST web API.

I have established a system that returns, once authenticated, a unique security token which will be used to authenticate the user to perform operations (update the profile).

I use a URL like this the first time the user accesses the app (login):

webserver.com/?login&user=michael&password=7c4a8d09ca3762af61e59520943dc26494f8941b

Then, if the data are correct, the REST API returns a unique token to the Android app. The Android app stores this unique token and uses it for the updates of the user's profile until the user closes the session.

For updates I use a URL like this:

webserver.com/?update&token=ee977806d7286510da8b9a7492ba58e2484c0ecc&newname=mathews

Then, when the user closes the session (inside the Android app), I remove the token from the web server through another URL...

Is this a good system? Is my token "safe"?

I store those URLs (without the parameter values) in constants of my Android app... Is that safe? Can I do otherwise?

MartaGom

2 Answers

This question has some very useful answers on how to make your communications safer: How to send password securely over HTTP?

Community

No, this is not safe. Never stuff credentials in the URL, as URLs tend to be logged in many different places, leaving the credentials exposed to third parties. Use the HTTP body for that sort of thing.

Always use encrypted SSL/TLS to transfer credentials. Or use a crypto system like OAuth1 to avoid sending credentials in clear text. OAuth1 defines a scheme for proving ownership of credentials without actually sending them.

Use the HTTP Authorization header for tokens. Search for "http authorization bearer token".

Jørn Wildt
  • Thanks for your answer. By "ssh" do you mean "ssl"? I send the user's password with sha1. If I send my token using HTTP headers... will my app be safe? What do you mean by "as URLs tend to be logged in many different places, leaving the credentials exposed to third parties"? Thanks and +1 (your answer is the best right now; could you answer the questions I ask in this comment?) – MartaGom Feb 19 '15 at 08:53
  • The URL "webserver.com/?login&user=michael&password=7c4a8d09ca3762af61e59520943dc26494f8941b" may get logged on the client, in proxies and on the webserver. Those that have access to these machines and the logfiles can read the token (password?) and be able to act on "michael's" behalf. This may also apply to SSL/TLS connections depending on the client/server/network configuration. – Jørn Wildt Feb 19 '15 at 11:20
  • I understand... This URL is used the first time for login. Then the webserver returns the token. Should I use POST instead of GET for the login? I can't understand it all... Could you provide an example? Lots of thanks – MartaGom Feb 19 '15 at 11:26
  • You really should read up on OAuth2 which is a standard for doing exactly what you want. – Jørn Wildt Feb 19 '15 at 11:36
  • I believed that OAuth2 had no credentials (user and password). Will my system be unsafe if I use HTTP headers for the token and HTTP POST for the login? (POST instead of GET) – MartaGom Feb 19 '15 at 13:36
  • Please stop "believing" OAuth2 is something and read the spec. If you follow that you do something which will be safe. – Jørn Wildt Feb 19 '15 at 13:56
  • Sorry. I read the spec... But I can't find any example for PHP and Android (without libraries). Maybe you have an example? Any recommended tutorial? I want to know how to implement OAuth2... But I can't T-T – MartaGom Feb 19 '15 at 14:36
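The following is an added example, not code from the question, the answers or any project mentioned here. It is a minimal server-side handler that implements the advice in the answer above against the design in the question: the login credentials travel in the POST body instead of the query string, the issued token is read only from an `Authorization: Bearer` header, and logout revokes it. The endpoint names (`/login`, `/update`, `/logout`), the JSON body format, the single constructed user and the in-memory stores are assumptions; a real deployment would sit behind TLS and use a database with a random salt per user. Note that whatever string the client sends as the "password" (a plain password or a client-side sha1 of it) is the secret that unlocks the account, so the server hashes it again with key stretching before storing or comparing it.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample data (assumption): one user and an in-memory session table.
_SALT = b"constructed-per-user-salt"  # assumption: real code uses a random salt per user


def _password_hash(password: str) -> bytes:
    # Server-side key stretching; the value the client sends is the secret, so
    # hash it here regardless of any hashing done on the phone.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


USERS: Dict[str, dict] = {"michael": {"pw": _password_hash("correct horse"), "name": "Michael"}}
# Only a hash of each issued token is stored; a copy of this table alone
# does not give an attacker usable tokens.
SESSIONS: Dict[str, str] = {}


def _session_key(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def _bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>', or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token if scheme == "Bearer" and token else None


def handle(method: str, path: str, headers: Dict[str, str], body: str = "") -> Tuple[int, dict]:
    """Route one request and return (status, JSON-able dict).

    TLS termination is assumed to happen in front of this handler.
    """
    path, _, _query = path.partition("?")  # the query string is never consulted for secrets
    if method != "POST":
        return 405, {"error": "use POST; credentials and tokens are not read from the URL"}
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return 400, {"error": "invalid JSON"}

    if path == "/login":
        user = USERS.get(data.get("user", ""))
        # Always compute the hash so an unknown user costs the same as a wrong password.
        candidate = _password_hash(data.get("password", ""))
        if user is None or not hmac.compare_digest(candidate, user["pw"]):
            return 401, {"error": "invalid credentials"}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        SESSIONS[_session_key(token)] = data["user"]
        return 200, {"token": token}  # returned in the response body, not a URL

    # Every other endpoint requires a live bearer token.
    token = _bearer_token(headers)
    username = SESSIONS.get(_session_key(token)) if token else None
    if username is None:
        return 401, {"error": "missing or invalid bearer token"}

    if path == "/update":
        new_name = data.get("newname")
        if not new_name:
            return 400, {"error": "newname required"}
        USERS[username]["name"] = new_name
        return 200, {"name": new_name}
    if path == "/logout":
        del SESSIONS[_session_key(token)]  # revocation: the token stops working immediately
        return 200, {"logged_out": True}
    return 404, {"error": "unknown endpoint"}


def access_log_line(method: str, path: str) -> str:
    """Mimic a typical web-server access log entry: the request target is recorded,
    headers and body are not. This is why secrets in the query string leak."""
    return '"{} {} HTTP/1.1" 200'.format(method, path)
```

Calling `access_log_line("GET", "/?login&user=michael&password=...")` shows the password hash landing verbatim in the log, while `access_log_line("POST", "/login")` records nothing sensitive, which is the concrete reason behind the "URLs tend to be logged" remark. The same applies to proxies and browser/client history, so moving the token into the `Authorization` header protects it from all of them at once.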