
I'm publishing my first android app and I have doubts about security with the server.

I followed the tutorial to add security in the HTTP header using sha1, everything went well.

Tutorial

The problem is that the server has to know the password of the user, the client has to send it securely.

Do I have to configure the server with HTTPS for the first time the password is sent? Should I always use HTTPS and forget about HTTP headers?

Is there another secure alternative to https for secure password sending?

I am confused about these basic concepts.

I need to introduce some security so that the URL cannot be used by others. It is not a user password, it is a unique string that I send to compare on the server and discard or accept future requests. Thank you.

Apyc
  • Did you take a look at Oauth2? – Chris Gomez Oct 02 '17 at 19:11
  • I understand that it is to give access to third parties. I do not need it, I only have one client and one server, I need to know how to register (send the password) safely. I understand that all requests have a key in the header with some encryption method, but I am interested in the first communication, in which the password is sent securely. – Apyc Oct 03 '17 at 06:22
  • Do always use HTTPS. – Narf Oct 03 '17 at 12:08
  • Great narf, I did it as you tell me. – Apyc Oct 03 '17 at 18:17

1 Answer


Do always use HTTPS: Narf

1 - Add HTTPS to the server (Ubuntu 14.04, Amazon EC2) with a new unsigned certificate

https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04

2 - Connect to the server from Android with the unsigned certificate

https://developer.android.com/training/articles/security-ssl.html#SelfSigned

And resolve the authorization error:

OkHttp trusting certificate

Google's example is fine, but it downloads an image and we are interested in making a request. I have done it like this:

How to do an HTTPS POST from Android?

To add parameters to the request:

How to add parameters to HttpURLConnection using POST

Works for me

Apyc
  • Take into consideration that later on you do not want to use a self signed certificate but instead use a **real** certificate from a CA service. This way you can trust and accept the certificate without working around the authorization error. – Nico Oct 04 '17 at 12:23
  • Why would he ignore ssl certificates if he can obtain a valid certificate from let's encrypt for free? – Chris Gomez Oct 04 '17 at 17:48
  • I need to encrypt the communication, and I get that with an unsigned certificate that is free. The CA certificate costs money and my app has no web interface. I do not need it signed by a CA. Am I wrong? – Apyc Oct 04 '17 at 18:45
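As an added example (not code from the question, the answer or the linked pages), this is how steps 2 to 4 of the answer fit together on Android: an HttpsURLConnection that trusts only the server's own self-signed certificate bundled with the app, as the linked Android documentation describes, and then sends the shared secret in a header and the form parameters in the body of a POST over that connection. The endpoint URL, the `Authorization` header name and the field names are assumptions; the certificate is read from an InputStream (on Android, `getResources().openRawResource(...)`), so no real certificate value is included here.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class PinnedHttpsPost {

    /**
     * Builds an SSLContext whose trust store holds exactly one certificate: the
     * server's self-signed certificate shipped with the app (PEM or DER stream).
     * Because the store contains no system CAs, any other certificate is rejected,
     * which is the safe way to "resolve the authorization error" without disabling
     * certificate checks altogether.
     */
    static SSLContext pinnedContext(InputStream serverCert) throws Exception {
        Certificate ca = CertificateFactory.getInstance("X.509").generateCertificate(serverCert);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                       // start from an empty key store
        ks.setCertificateEntry("server", ca);      // trust only this one certificate
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Sends the shared secret and one form parameter in an HTTPS POST. The secret is
     * only ever written inside the TLS tunnel, so plain HTTP is never used for it.
     * The default hostname verifier stays enabled: the certificate's CN/SAN must
     * match the host in the URL, as the Android documentation notes.
     */
    static int postForm(SSLContext ctx, String endpoint, String secret,
                        String field, String value) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(endpoint).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Authorization", "Bearer " + secret);   // assumed header name
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        String body = URLEncoder.encode(field, "UTF-8") + "=" + URLEncoder.encode(value, "UTF-8");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body.getBytes(StandardCharsets.UTF_8));
        }
        return conn.getResponseCode();           // e.g. 200 when the server accepts the secret
    }
}
```

Call `pinnedContext(getResources().openRawResource(R.raw.server_cert))` once (hypothetical resource name) and reuse the context for every `postForm(...)` call; the connection fails with a certificate error rather than silently succeeding if the server presents any other certificate.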