
I'm building a little android app that will connect to a server.

My app would use a simple post to send a message to my server, and I'm using Google Cloud Messaging for the server to send a message to my app.

I built a registration page, an email confirmation and a connection page but now I wonder how to lock the communication between the server and the app.

This is the protocol I have in mind (let's take the simple example of an app-to-app message):

  • App sends a POST to the server with its own info (like name and auth_token), the destination user and the message
  • Server searches for the apps which belong to the destination user and uses curl to forward the message to GCM
  • GCM sends the message to the destination apps

How can the server be sure that the name, auth_token, etc. it receives are really from the sender?

Dan Chaltiel

2 Answers


Let the server generate the authentication token when the client is doing the registration and send this back to the client. The server now knows the [client - token] mapping.

Every time the client wants to send a message, it also sends the authentication token which the server can look up and check. The client does not even have to send his or her name, the server should know this.

To prevent MITM attacks, use a secure connection (HTTPS).

Daniel Olsson
  • But if I don't want the user to enter credentials for each message sent, then I should store those credentials on the phone, which seems not a good idea, no? – Dan Chaltiel Nov 02 '15 at 18:04
  • Why not? I designed my API with [this SO answer](http://stackoverflow.com/questions/15602667/possible-approach-to-secure-a-rest-api-endpoints-using-facebook-oauth) in mind – Daniel Olsson Nov 02 '15 at 18:29
  • Because the password would be stored in plain text, so anyone with a rooted device (like me) is basically showing their password to the world... see this SO answer: http://stackoverflow.com/a/786588/3888000 – Dan Chaltiel Nov 02 '15 at 21:31
  • What I am suggesting is what he says in his post: "If possible I'd consider modifying the server to use a negotiated token for providing access, something like OAuth." Don't store a password there, just an authentication token (which basically is a password). But basically, yes, as you are saying, anything stored locally is in some way accessible. – Daniel Olsson Nov 02 '15 at 21:43
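The token scheme in this answer, as an added example that is not the answerer's code: the server mints a random token at registration, keeps only a hash of it in its [client - token] mapping, and resolves the sender from the token on every POST instead of trusting a name field. `TokenStore` and `handle_post` are illustrative names; the form dictionary stands in for the parsed POST body.

```python
import hashlib
import secrets


class TokenStore:
    """Server-side mapping from issued tokens to registered users (illustrative)."""

    def __init__(self):
        # sha256(token) -> user_id. Only the hash is stored, so a leaked table
        # does not yield tokens that can be replayed against the API.
        self._users_by_token_hash = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def register(self, user_id):
        # Called once when the app registers; the raw token is handed to the
        # client a single time and is never persisted on the server.
        token = secrets.token_urlsafe(32)
        self._users_by_token_hash[self._digest(token)] = user_id
        return token

    def lookup(self, presented_token):
        # Resolve a presented token to its user, or None if unknown or revoked.
        if not presented_token:
            return None
        return self._users_by_token_hash.get(self._digest(presented_token))

    def revoke(self, user_id):
        # Invalidate every token issued to this user, e.g. after a phone is lost.
        self._users_by_token_hash = {
            h: u for h, u in self._users_by_token_hash.items() if u != user_id
        }


def handle_post(store, form):
    # Simulated POST handler. The body carries only auth_token, destination and
    # message; the sender identity comes from the token lookup, so a caller
    # cannot impersonate another user by editing a self-declared name.
    sender = store.lookup(form.get("auth_token", ""))
    if sender is None:
        return 401, None
    forwarded = {"from": sender, "to": form["destination"], "message": form["message"]}
    return 200, forwarded
```

In a real deployment the store would be the server's database and the POST would arrive over HTTPS, as the answer says, so the token is never exposed on the wire.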

Although there are lots of solutions to secure the connection, when you are using GCM for your downstream messages, I recommend using the new Google Cloud Messaging API which supports Upstream Messaging (from client to server). It is very fast, reliable and secure. Here you can find the docs

You should only change your server side from HTTP to XMPP.

Here you can find the docs.

Ali
  • I'm really not a pro so this seems a little complicated for me, but I'll give it a try, thanks! (PS you gave the same link twice) – Dan Chaltiel Nov 02 '15 at 18:04
  • @DanChaltiel thanks, I edited the post and made the links correct. – Ali Nov 03 '15 at 10:20
  • I think my head will explode before I can use XMPP. I managed to install an XMPP server on my Raspberry Pi that works well with Pidgin, but didn't find any Android sample of working code. Everybody says to use Smack, but there is no updated documentation anywhere. Could you help me? – Dan Chaltiel Nov 15 '15 at 13:36
  • @DanChaltiel Please note that there is no change needed for your client side. You can use the [Google docs](https://developers.google.com/cloud-messaging/android/client) for the client implementation; it's the same for both HTTP and XMPP. But for upstream messages here are the [docs](https://developers.google.com/cloud-messaging/upstream). – Ali Nov 15 '15 at 14:41
  • @DanChaltiel Also you can find the official Google sample app [here](https://github.com/google/gcm/tree/master/samples/android/gcm-demo) – Ali Nov 15 '15 at 14:47
  • Thanks for answering, but I don't understand how I can use the same protocol I wrote with XMPP without tools like Smack. I mean my client (Android app) should be able to send an XMPP stanza to my server, like said [here](https://developers.google.com/cloud-messaging/upstream), for it to transfer to GCM, no? If not, could you edit your answer and write some protocol like I did? It would really help me! If my client Android app still uses an HTTP POST request to send data to my server, then I don't understand the use of XMPP... – Dan Chaltiel Nov 16 '15 at 18:42
  • @DanChaltiel yes, your client can send upstream messages, without any POST request. Now please tell me what you want to know? – Ali Nov 19 '15 at 03:48
  • Please see my new post, as the question is about another subject : http://stackoverflow.com/q/33826148/3888000. Thank you very much for your help – Dan Chaltiel Nov 20 '15 at 11:57