0

So I'm all very new to Java and developing for Android, but I somehow managed to get a successful idToken when logging into my app via Google.

I read on the Android dev site that just IDs are not safe, as a modified client could send a fake one and result in impersonation of another user, so I followed their steps to get the user's idToken.

Anyway, is this safe to send over a URL to my server at home? For example, like so (pretend the long string of random text is the idToken of the user):

http://130.155.122.8/api_test/h78e568e7g6589gjkdfhjghdjfkghjkdfhgjkdfhk7hg9867458g74598hg6745896gh49/command

Also, is the idToken even required? Could I just as easily use the user's email address to identify the user (again, it would be sent over an insecure URL, no HTTPS)?

Thanks!

Shane Smiskol
  • 952
  • 1
  • 11
  • 38

2 Answers

1

Generally speaking - No.

A token that identifies you should never be transmitted over an insecure connection (e.g. HTTP). Since no encryption is used on such connections, a third party can very easily monitor the connection and get your token (leading to the impersonation issue).

IANAE, but any security-relevant data (e.g. an idToken or a password) should only ever be transmitted over a secure (encrypted) connection (e.g. HTTPS).

And using the e-mail address does not solve the issue. You have simply replaced one identifier with another. And if anyone were ever to know a user's e-mail address, he could impersonate said user. Stick to the "documented" authentication techniques. If done right, they should be safe.

ksmonkey123
  • 119
  • 4
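What the server actually checks when it validates an ID token, as an added example that is not part of either answer and not Google's own code: a minimal RS256 (JWT) verifier in Python, the language of the asker's server, using only the standard library. The key pair (512-bit, a toy size), the ISSUER and AUDIENCE values, the claims and the tampered token are all constructed here for the demonstration; a real deployment fetches Google's published keys and uses the google-auth library rather than hand-rolled RSA. The point of the answer above stands regardless: the token is still a bearer credential, so it travels over HTTPS only, and in an Authorization header rather than the URL path, where it would land in access logs.

```python
"""Added example, not code from the original post or from Google: what a server
checks when it verifies an RS256 ID token, using only the standard library. The
key pair (512-bit, a toy size), ISSUER and AUDIENCE are constructed for the demo;
production code should use the google-auth library against Google's published keys."""
import base64, hashlib, json, random, time

ISSUER = "https://accounts.google.com"                      # assumed for the demo
AUDIENCE = "example-client-id.apps.googleusercontent.com"   # assumed for the demo

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin on an odd candidate; good enough to mint a demo key."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if _is_probable_prime(c):
            return c

def make_keypair(bits=512):
    """Return (public, private) RSA key dicts; e=65537 as in real JWKS keys."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:     # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}

_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo, RFC 8017
def _emsa_pkcs1_v15(message, k):
    """EMSA-PKCS1-v1_5 encoding of sha256(message) as a k-byte integer."""
    t = _SHA256_PREFIX + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def sign_id_token(private_key, claims):
    """What the identity provider does; here only to produce tokens for the demo."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    n, d = private_key["n"], private_key["d"]
    k = (n.bit_length() + 7) // 8
    sig = pow(_emsa_pkcs1_v15(f"{header}.{payload}".encode(), k), d, n).to_bytes(k, "big")
    return f"{header}.{payload}.{b64url_encode(sig)}"

def extract_bearer_token(headers):
    """Token comes from 'Authorization: Bearer <token>', never the URL path (logs, proxies, history)."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    return value if scheme == "Bearer" and value else None

def verify_id_token(token, public_key, now):
    """Return the claims only when signature, issuer, audience and expiry all
    check out; any failure returns None so unverified claims are never used."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header, claims = (json.loads(b64url_decode(p)) for p in parts[:2])
        signature = int.from_bytes(b64url_decode(parts[2]), "big")
    except ValueError:                  # bad base64, bad UTF-8 or bad JSON
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict) and header.get("alg") == "RS256"):
        return None                     # alg is pinned server-side; the token must not choose it
    n, e = public_key["n"], public_key["e"]
    expected = _emsa_pkcs1_v15(f"{parts[0]}.{parts[1]}".encode(), (n.bit_length() + 7) // 8)
    if signature >= n or pow(signature, e, n) != expected:
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None                     # right issuer, and minted for *this* app
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims

if __name__ == "__main__":
    pub, priv = make_keypair()
    now = int(time.time())
    good = {"iss": ISSUER, "aud": AUDIENCE, "sub": "1234567890",
            "email": "alice@example.com", "exp": now + 3600}
    token = sign_id_token(priv, good)
    print("genuine token accepted:", verify_id_token(token, pub, now) == good)
    h, _, s = token.split(".")          # a modified client rewrites the e-mail claim, keeping the signature
    tampered = f"{h}.{b64url_encode(json.dumps(dict(good, email='bob@example.com')).encode())}.{s}"
    print("tampered token accepted:", verify_id_token(tampered, pub, now) is not None)
```

The demo at the bottom is the scenario from the question: a modified client that swaps the e-mail claim but keeps the original signature is rejected, because the signature covers the whole header and payload. Notice that none of this helps if the genuine token itself is copied off the wire; the verifier cannot tell a replayed token from the original, which is why the transport has to be HTTPS.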
1

You should use encryption. If someone gets the token from a user, they can impersonate that user. In my case, since I can't afford SSL (for now), I encrypt the token using asymmetric encryption and send it to the server, but SSL is the best way.

Tiago Oliveira
  • 1,582
  • 1
  • 16
  • 31
  • Hmm, the asymmetric encryption seems like a good solution for me. Thanks – Shane Smiskol Aug 16 '16 at 22:29
  • Look at this: http://stackoverflow.com/questions/38938950/comunicate-with-backend-server-securely . This is not the best way to do things, but it will encrypt the user token; make sure you save the private key in a safe place – Tiago Oliveira Aug 16 '16 at 22:30
  • I'm actually running a Python server. Do you know how to encrypt with Java and decrypt with Python? – Shane Smiskol Aug 16 '16 at 22:36
  • I'm not an expert on Python. In Java you can use the same code; for Python you can look at this: http://stackoverflow.com/questions/30056762/rsa-encryption-and-decryption-in-python . You need to find a way to use a .pem key in that example – Tiago Oliveira Aug 16 '16 at 22:45
  • That's a type of SSL, right? We need shell access to install it, or am I wrong? – Tiago Oliveira Aug 16 '16 at 23:06