20

I'm writing an Android application which has a server connection. I would like to authenticate the app's user on the Android device and let the server know this has been done.

Assuming the user has:

  1. entered his/her credentials in the Android device for Google and Facebook (these are the ones I'm currently interested in)
  2. allowed the application to use the stored credentials on the Android device
  3. the application acquired the details (account user and token) from Android's AccountManager successfully

I would like now to correctly and securely let the server know the app on the device has authenticated the user. How can the server validate that this isn't bogus? Is there a way to validate a token with Google and Facebook on a server without requiring user interaction?

Thanks.

gnobal
  • 18,309
  • 4
  • 30
  • 35
  • 2
    Any progress on this? I am looking into something similar. – Prateek Jain Mar 24 '11 at 05:30
  • 6
    Not really. For now I postponed messing with this, but I think the key you get from the phone's AccountManager can be used on the server to validate its authenticity against Google's (or Facebook's) services, but I'm not sure: http://code.google.com/apis/accounts/docs/OAuth2.html#IA – gnobal Mar 24 '11 at 13:24

3 Answers3

1

you should take a look at this question: Generating Device-Specific Serial Number

you can take the account name based on the service it uses, like:

AccountManager am = AccountManager.get(this); // "this" references the current Context

Account[] accounts = am.getAccountsByType("com.google");

but you must declare it in manifest and ask the user to validate the permission.

Community
  • 1
  • 1
Matteo Bononi 'peorthyr'
  • 2,170
  • 8
  • 46
  • 95
  • Thanks, but I was looking for a secure way to do this, and any solution that generates device-specific IDs is vulnerable to ID spoofing. We ended up doing a 3-legged sign in process. – gnobal Jan 22 '13 at 19:07
0

Although, it might not be a good idea to use your retrieved token and save it, or transmit it to your server, there might be other ways to let your server know that the authentication has completed.

It might not be a fill-proof method, but depending on your use-case, it might work.

  1. AccountManagerFuture interface has a callback isDone(), which says that now you can retrieve your token. That, essentially means, that the authentication has happened, after the user has given the permission for your app to use a specific account.

  2. Else, if you are using AccountManagerCallback for your code, you can know, in code, that authentication has happened, right after you try to retrieve the token for the account.

In either of these cases, you would then have to make a call to your server, letting it know that authentication has happened. I don't really know if you need to send out the token to your server also. But, if you wish, I guess, you could do that.

Kumar Bibek
  • 9,016
  • 2
  • 39
  • 68
  • Thanks for the answer, Kumar. What we ended up doing was a custom 3-legged authentication, where we use a small AppEngine instance that our server communicated with over a trusted channel. In Google I/O 2011 they mentioned this as a way to do it. As far as I know there isn't a supported way. – gnobal Nov 02 '12 at 13:30
  • @Kumar i have one doubt regarding this if user will authenticate and sync once on device and than change the password going through the PC then also will it give the success scenario?? – Piyush Agarwal Dec 22 '12 at 22:15
  • The old token would expire eventually, and it would ask the user to update his password. So you wouldn't need to do anything extra. This will be taken care by the account manager automatically. – Kumar Bibek Dec 23 '12 at 04:52
0

There are a few ways to do this while attempting to make sure its not 'bogus'. One, on initial authentication (where you get the users account info), get their device ID as well as their location (not precise location, but using their IP address you can get a region of sorts). That way, if someone were trying to authenticate with false credentials, it would stop them. I recommend letting the actual user know that someone is attempting to do this by sending them an email. You could also on initial authentication have the user set up a pin or password, which is then saved on the device. Send a hashed version of the pin to the server and check that every time the user authenticates.

I could be completely off by what your trying to accomplish as the description is more psuedo than anything, but i hope this helped

Shaun
  • 5,483
  • 10
  • 40
  • 49