
I have an app that retrieves and submits tickets back to a PHP server. Each user has to log into the PHP server from the app somehow. I've read a lot of different methods of doing this, such as OAuth 2.0, but my question is why it needs to be so complicated? Why can't I just add the username and password (md5 or something) to each HTTP request sent to the server? The server could check that before responding. How is this a security risk?

I'm not sending any sensitive information to and from the server.

Chris Cooley

2 Answers

An unencrypted md5 hash and username could easily be intercepted by a man-in-the-middle attack and sent out by a 3rd party to log in as the user. The point of hashing is to prevent password theft if your server is compromised; an unencrypted version sent over the wire could be intercepted and sent as if they were the user. You want to encrypt the entire packet so third parties can't pretend to be the user. I'd look into HTTPS/SSL for that purpose.

Parse's backend simplifies the authentication process quite a bit and may be worth looking into.

For more details on hashing vs encryption and best practices see this question. You'll find a better method of hashing including salting and multiple iterations, which if done correctly can strengthen md5 quite a bit although there are more secure alternatives.

Dave S

OAuth is great if you want to connect to existing authentication services. This means the user doesn't need to remember a password for your site/app. Consider this a service to the user. OAuth is not necessarily simpler or faster to implement though. I can imagine that it might seem quite daunting to a novice programmer.

As far as storing passwords goes, md5 is bad, really really bad. https://security.stackexchange.com/questions/19906/is-md5-considered-insecure Essentially, if your database with (hashed) passwords is leaked, attackers can easily compute what the original password is. md5 is simply not strong enough anymore. Maybe 10 years ago it was fine.

Storing passwords properly is quite tricky. Building an authentication system complete with intrusion detection, password storage, password retrieval/reset is a lot of work. Maybe OAuth isn't so bad.

Halcyon
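Both answers make the same two points: a fixed md5 of the password sent on every request is a credential that anyone who captures it can replay, and md5 is not a suitable way to store passwords on the server. The following is an added example, not code from the question or either answer, written in the PHP the asker's server would run. It contrasts the static md5 token from the question with PHP's built-in `password_hash`/`password_verify` API plus a random, revocable session token handed out after one login over HTTPS. The `$users` array is a constructed in-memory stand-in for a user table, and the function names are the example's own.

```php
<?php
declare(strict_types=1);

// Added example, not from the question or the answers. $users is a constructed
// in-memory stand-in for the server's user table; function names are hypothetical.

// --- What the question proposes: a static md5 sent on every request -----------------
function legacyRequestToken(string $password): string
{
    // Same input, same output, every time: whoever captures this can resend it,
    // and it cannot be revoked without changing the password itself.
    return md5($password);
}

// --- What the answers recommend instead ----------------------------------------------

// Register: store only a salted, iterated hash. PASSWORD_DEFAULT is bcrypt in current
// PHP; the salt and cost are embedded in the returned string, so nothing else is stored.
function registerUser(array &$users, string $username, string $password): void
{
    $users[$username] = ['hash' => password_hash($password, PASSWORD_DEFAULT)];
}

// Log in (over HTTPS, as the first answer says): verify the password once, then hand
// back a random short-lived session token instead of having the client resend secrets.
function login(array &$users, string $username, string $password): ?string
{
    if (!isset($users[$username])) {
        return null;
    }
    if (!password_verify($password, $users[$username]['hash'])) {
        return null;
    }
    // Transparently upgrade stored hashes if the default algorithm or cost changes.
    if (password_needs_rehash($users[$username]['hash'], PASSWORD_DEFAULT)) {
        $users[$username]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    $token = bin2hex(random_bytes(32));   // 256 random bits, unrelated to the password
    $users[$username]['session'] = ['token' => $token, 'expires' => time() + 3600];
    return $token;
}

// Per-request check: expiry plus a constant-time comparison of the presented token.
function authenticateRequest(array $users, string $username, string $token): bool
{
    $session = $users[$username]['session'] ?? null;
    if ($session === null || time() > $session['expires']) {
        return false;
    }
    return hash_equals($session['token'], $token);
}

// Revoking the session makes a captured token useless from that point on.
function logout(array &$users, string $username): void
{
    unset($users[$username]['session']);
}

// --- Walk-through with constructed users ---------------------------------------------
$users = [];
registerUser($users, 'alice', 'correct horse battery staple');
registerUser($users, 'bob', 'correct horse battery staple');

// Same password, different stored values (random salt per user). md5 would give both
// users the identical value, so one cracked hash would reveal every account using it.
assert($users['alice']['hash'] !== $users['bob']['hash']);

$token = login($users, 'alice', 'correct horse battery staple');
assert($token !== null && authenticateRequest($users, 'alice', $token));
assert(login($users, 'alice', 'wrong password') === null);

logout($users, 'alice');
assert(!authenticateRequest($users, 'alice', $token));   // replayed token now rejected

// The question's scheme, by contrast, yields the same replayable value on every request.
assert(legacyRequestToken('hunter2') === legacyRequestToken('hunter2'));
echo "ok\n";
```

Run it with `php example.php` (the `assert()` calls are active only when `zend.assertions` is enabled, as it is in a development configuration). The design choice worth noting is that the client only ever sends the password once, inside the TLS session, and after that sends a token that carries no information about the password and can be expired or revoked server-side.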