Provide secure Facebook authentication with my Server

I would like to build a little mobile App (Android and iOS) and a little backend server with a REST Api.

My app users (Android or iOS) need to log in to Facebook. I do that by using Facebook's mobile SDK. When the login has been successful, the Facebook SDK will return an authenticationToken, which is then on the user's smartphone.

The idea is as follows: Whenever my app needs some data, the app will contact my server backend (REST) over HTTPS. For example: The app makes a simple HTTP GET and passes the retrieved Facebook authenticationToken. My server gets this Facebook authenticationToken and uses this token to determine whether the user is authenticated and to retrieve Facebook profile information (first name, last name etc.). So the server contacts Facebook too and generates the personalized response for the HTTP GET request.

My questions are:

  1. Is it really enough to pass this facebookAuthentication token for each REST API call to make the server retrieve the correct associated Facebook user?
  2. I use HTTPS, so I guess the connection is encrypted enough, right?
  3. I guess I need some signature mechanism to sign each REST API call (over HTTPS) to ensure that the facebookAuthentication token has been sent only from my mobile app. I would do that by using RSA with SHA-1 to sign every REST API call. But the problem with this approach is that the client needs to store the private key somewhere in the app (for signing requests) and the server knows the public key (for signature matching). Is this correct? If yes, I guess it's a big security issue, since a mobile app (especially Android) could be decompiled to get the private key. How do I store this private key securely in my app? Is there another system for signing that you can recommend?

Btw: Do you know a good RSA lib for iOS and Android?

sockeqwe asked Jan 22 '13 10:01


1 Answer

1) Yes. It's enough. If your client (mobile app) has a token, it proves that a user authenticated to Facebook. So, you authenticated a user this way. However, it's not enough to authenticate a mobile app (I will talk about this in #3).

2) Yes. It's encrypted both ways.

3) That's a tough one. It's called remote attestation. There are A LOT of problems with this.

Before you go into this direction, you need to ask yourself two questions:

  • Who are you protecting against?

  • How much am I willing to invest?

If you are protecting yourself against a student with very limited knowledge, who may write another mobile app which will use your server, then you are fine with a signature.

If you are protecting against a just a little bit more sophisticated software engineer (who can reverse engineer your application), it won't be enough. This engineer can extract a private key from your application and use it to sign requests in his application.

You can read about remote attestation here and here.

Solutions which can protect you from simple reverse engineering are quite complex.

P.S. Regarding RSA library.

Look at this for Android:

Asymmetric Crypto on Android

And this for iOS

RSA Encryption using public key

Victor Ronin answered Oct 10 '22 02:10
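The server-side step the question describes (and point 1 of the answer confirms), as an added example that is not part of the original post or answer: the backend inspects the token the app sent with Facebook's real `/debug_token` endpoint and only trusts it if Facebook says it is valid, it was issued to *this* app (a valid token from some other app proves nothing about a login to ours), and it has not expired. The `offline_fetch` stand-in and all IDs are constructed so the code runs without network access; in production `fetch` would be an HTTPS GET.

```python
import json
import time
from urllib.parse import urlencode
from typing import Callable, Optional

# Facebook's token-inspection endpoint (real). The server queries it with its own
# app access token "APP_ID|APP_SECRET"; the app secret never leaves the server.
DEBUG_TOKEN_URL = "https://graph.facebook.com/debug_token"


def make_response(app_id: str, is_valid: bool, user_id: str, expires_at: int) -> str:
    """Build a constructed JSON body in the shape /debug_token returns (offline use only)."""
    return json.dumps({"data": {"app_id": app_id, "is_valid": is_valid,
                                "user_id": user_id, "expires_at": expires_at}})


def offline_fetch(url: str) -> str:
    """Hypothetical stand-in for an HTTPS GET; returns a constructed valid token record."""
    return make_response("123456789", True, "987654321", 4102444800)  # expiry: 2100-01-01


def verify_facebook_token(user_token: str, app_id: str, app_secret: str,
                          fetch: Callable[[str], str] = offline_fetch,
                          now: Optional[int] = None) -> Optional[str]:
    """Return the Facebook user_id the token belongs to, or None if it must be rejected.

    Rejects malformed responses, tokens Facebook marks invalid, tokens issued to a
    different app, and tokens whose expires_at is already in the past (a value of 0
    is also rejected by this strict check).
    """
    query = urlencode({"input_token": user_token,
                       "access_token": f"{app_id}|{app_secret}"})
    try:
        data = json.loads(fetch(f"{DEBUG_TOKEN_URL}?{query}")).get("data", {})
    except (ValueError, AttributeError):
        return None  # not JSON, or not a JSON object
    if data.get("is_valid") is not True:
        return None
    if data.get("app_id") != app_id:
        return None  # valid token, but for somebody else's app
    expires_at = data.get("expires_at")
    current = int(time.time()) if now is None else now
    if not isinstance(expires_at, int) or expires_at <= current:
        return None
    user_id = data.get("user_id")
    return user_id if isinstance(user_id, str) and user_id else None
```

The returned `user_id` is what the backend should key its own user records on; the Facebook token itself is only ever used as the input to this check.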