Securing communication from android to a web service

I'm a relative newbie to web and mobile development and especially to security so obvious answers are still appreciated.

I want my android app to be able to log in to a simple web service with a username and password.

What's the best way to send this information securely and keep the user logged in for an entire session?

Jim asked Feb 23 '10 19:02


1 Answer

Do you control the web service? If not then you will need to use whatever authentication mechanism the web service provides.

If you're writing the web service yourself, you have a lot of options.

The simplest is to just send the user's username and password via SSL with every request as an HTTP Authorization: header. The downside here is that you need to keep the username and password stored on the device. That being said, because of the way Android's permission system works, there's very little risk of an attacker stealing credentials off of the device, provided the user hasn't enabled root access.

If you still want to avoid storing the password in plain text, you can send the username/password once (again, using SSL), have the server return an encrypted authorization token, then send that token in place of the user's username/password. See Google's ClientLogin for an example of this. An attacker could still steal the token if they have physical access to the device, but at least the attacker can't use that to gain access to any other sites that use the same password.

There are other options out there as well, like using challenge/response to prevent the server from ever seeing the user's password, using OAuth to provide a common authorization API, and so on. It all depends on what your particular requirements are.

Trevor Johns answered Nov 15 '22 22:11
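The "send the password once, then use a token" flow from the answer, as an added server-side example in Python (not code from the question or answer). It goes a little beyond the answer by giving tokens an expiry and a revocation path; the user store, salt and TTL are constructed for the demo, and the client is assumed to talk to this only over TLS.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed demo user store: only a salted password hash is kept server-side.
_SALT = b"constructed-demo-salt"
_USERS = {"jim": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
TOKEN_TTL = 3600          # seconds a session token stays valid (constructed value)
_tokens = {}              # token -> (username, expiry); a real service would persist this

def basic_header(username, password):
    """What the client sends on its one-time login: Basic base64(user:pass), TLS only."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def _verify_password(username, password):
    stored = _USERS.get(username)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    # Hash and compare even for unknown users so timing does not reveal valid usernames.
    return stored is not None and hmac.compare_digest(stored, candidate)

def login(authorization_header, now=None):
    """Step 1: verify the password once and hand back a random session token (or None)."""
    now = time.time() if now is None else now
    scheme, _, payload = authorization_header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        username, _, password = base64.b64decode(payload).decode().partition(":")
    except ValueError:          # covers bad base64 and bad UTF-8
        return None
    if not _verify_password(username, password):
        return None
    token = secrets.token_urlsafe(32)   # unguessable and not derived from the password
    _tokens[token] = (username, now + TOKEN_TTL)
    return token

def authenticate(authorization_header, now=None):
    """Step 2: later requests carry 'Bearer <token>'; return the username or None."""
    now = time.time() if now is None else now
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or token not in _tokens:
        return None
    username, expiry = _tokens[token]
    if now > expiry:
        del _tokens[token]              # expired tokens are dropped, not refreshed
        return None
    return username

def logout(token):
    """Revoke a token (e.g. after a device is lost) without changing the password."""
    return _tokens.pop(token, None) is not None
```

A stolen token can be revoked here and is useless against other sites, which is the benefit the answer describes; the password itself never needs to live on the device after the first login.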