1

I am writing a client application that will run on Android phones that will interact with an OAuth server on the user's behalf. I have the OAuth server side code running on my web server for maintaining the OAuth session details while handshaking with the remote OAuth server. Now I am wrangling with how to best handle the client side considerations on the smart phone.

Let's assume for this question that I have, in the past, received an access token granted to me by the remote OAuth server after they logged the user in and the user granted my application access rights. Let's also assume it is a "good until revoked" access token.

The main concern of course is implementing something that does not leave the user at risk. The simplest method would be to have my web server return the access token to my client code on the smart phone in encrypted form, and simply store that encrypted token in the user's local storage. Or for even tougher security, return my own encrypted unique identifier that my client code on the smart phone passes in with each request. My web server could then decrypt the received ID, and lookup the most recent access token in a local database. This seems pretty secure except in the case of the user losing the phone. I guess I could implement something like the "remember me" option on browser's so if the user does not check it then a new re-authorization session would be triggered every session.

If my application were dealing with financial information then I would not even consider a "remember me" option, but the application behind the remote OAuth server is more on the level of sensitivity of Twitter or Flickr.

My questions are:

  • Is my proposed access token management and OAuth handling scheme sound and secure enough for the application I am describing?
  • Are there better methods? If so what?
  • Any other thoughts or comments you might have on OAuth and mobile phones?

** UPDATE - found these very helpful thread in the related questions list after this post was published:

OAuth secrets in mobile apps

Can I avoid baking my Twitter API consumer secret into my iPhone app binary?

** UPDATE 2 - If you switch from a Sessions OAuth store to a database store like MySQL, remember to register the server for the given consumer key and user ID or you will get an error when you call requestRequestToken. This web page concerning the ELance API has a nice example (Look for the section titled "Step 2: Get Request Token" and look for the snippet with the updateServer call):

http://www.elance.com/p/api/examples/oauth/php

You'll have to adapt the example for your own remote OAuth server needs.

-- roschler

Community
  • 1
  • 1
Robert Oschler
  • 14,153
  • 18
  • 94
  • 227

1 Answers1

2

I have some experience working with Yandex (No. 1 Russian search engine) OAuth servers. This is how they do it..

OAurh server accessed only by HTTPS. Thus, token is transferred by the network in encrypted manner. As it is HTTPS - client can check servers validity via certificates checking.

Also, they recommend to store received access token in encrypted way. As for me, i have my own storage implementation, which stores access token in 3DES-encrypted way in SharedPreferences. Key to 3DES encryption is a users selected "PIN-code". Each time application starts it is requesting a PIN and then trying to decrypt token.

You can look at my library implementing access to one of the Yandex serices (using OAuth to grant access).

Olegas
  • 10,349
  • 8
  • 51
  • 72
  • Olegas, are you validating the PIN and then decrypting the access token on the Android phone or passing the encrypted access token and PIN to the server for decrypting and validation? Thanks. – Robert Oschler Apr 19 '11 at 11:55
  • I'm trying to decrypt token on client side, if it is successful, i'm transmitting token to server with my request via HTTPS – Olegas Apr 19 '11 at 14:56