1

This might have been duplicate, as there are many similar question on SO, but I haven't find my answer on any of other questions..

I have an Android/iOS client apps and a server that provides resources to the client apps. Client communicates with server via REST api. Android/iOS app requires logged user for it's work.

My (wishful) scenario is:

User opens Android app for the first time. User enters his credentials (username, password). App checks credentials with the server and if everything ok user enters the app, app now has all permissions to get user resources and to send updates to/from server etc. User should not need to reenter his credentials ever again (or at least not for a long time).

How can I make this scenario secure?

I am investigating OAuth 2.0 and other token based authentication methods/protocols, and there are some things I don't understand:

If Android client is not considered safe place to store any secret - how can I keep any token (access or refresh) for a long time without user being forced to reenter credentials?

Cœur
  • 37,241
  • 25
  • 195
  • 267
daneejela
  • 13,081
  • 7
  • 38
  • 50

1 Answers1

1

As you mentioned, OAuth 2.0 is the standard way to secure your resources/APIs. You can check official standard implementation, or quick tutorials like this. That should give you an idea of the flow.

As you have your own OAuth server, you can check server libraries to use based on your server side language.

Yes, storing secret at client side is not fully reliable, hence its advised to use HTTPS to communicate with your server and that the tokens have expiration, and advised to store in SharedPreferences for Android and Keychain for iOS. In addition, you should also consider strongly encrypting(may be "multiple encryption") your token stored in mobile app. its up to your idea how you encrypt and what encryption key to use.

Community
  • 1
  • 1
Sravan
  • 578
  • 1
  • 8
  • 20