Question

I just can't get my head straight about this one. I'm currently building a rather large-scale application on Android. I've run into a couple of problems regarding security and authentication though...

The Scenario:

I have an application that's making calls through HTTP (will implement SSL later) to a server running PHP and MySQL. Of course I want to use the existing user database, so migration to another DB is not a solution. I've managed to create the "register users via Android to the server" functionality. I've also made a working login, BUT this is where the problems start.

As users in the Android application I am working on add, edit, delete and sync stuff on the server via/to the application, things get rather complicated. A little too complicated for me it seems :)

Problems:

  1. As I get the result from my server-side login and pass it from the server to Android via JSON, the connection dies and server-side I ain't logged on (the session dies) whereas on the phone I am. How can I make the log-on persistent both on the server and in Android without the need to log on again? So that subsequent calls from Android to the server are made with the same user, still authenticated. I.e. I want sort of a one-time login (until I log out) like in the Spotify app (and many others).

  2. If I've understood things right, implementing SSL correctly makes it possible to send passwords in clear text to the server without the need to hash them first. Is this correct?

I just can't stop thinking about the fact that a MITM attack would compromise any unique id I send from Android to the server. My first thought was to have the UID on the Android device as a "key" to the server after a successful log-on. But if that key gets in the wrong hands, the user associated with that UID will be compromised. I've looked at the AccountManager on Android but it seems rather overkill in my case.

If someone could supply examples or at least guidelines, I'd be very grateful!

Thanks in advance!

ADDED SOLUTION DIAGRAM AFTER EDIT

Image describing the mechanism of the authentication

Notice that this diagram shows the first start of the application. Later startups will NOT show the Login / Register form, but use the DUT instead.

// Alexander


Solution

Issue some form of a short-lived authentication token to Android apps. They would need to pass it in every request, and you will check it in your Web app. Breaking the connection doesn't end the session; if it does, you have a bug in your Web app: fix it. In Android, as long as you are using the same HttpClient instance, it will continue to use the same session, nothing special is needed.

Whatever you do, do not put off implementing SSL, do it now.
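The token scheme the answer recommends, written out as an added example (not code from the asker or the answerer, and in Python rather than the asker's PHP so the flow is easy to read): the app logs in once over SSL, the server checks the password against a salted hash it already stores, issues a signed token with an expiry, and every later request carries that token instead of the password or a device UID. The user table, the signing secret and the `Authorization: Bearer` header convention are constructed for the example; a real server would load the secret from configuration and read the user row from the existing MySQL table.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time

# Constructed server-side signing secret for this example only; a real
# deployment loads it from configuration, never from source control.
SERVER_SECRET = b"example-only-secret-rotate-me"

TOKEN_TTL_SECONDS = 15 * 60  # short-lived: the app must re-login after 15 minutes
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Store a salted PBKDF2 hash. SSL protects the password in transit, but the
    database must still never hold the clear-text password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def check_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, now=None):
    """Issue base64(payload).base64(HMAC-SHA256(payload)); the payload carries the
    user id, an absolute expiry and a nonce so two logins never share a token."""
    now = time.time() if now is None else now
    claims = {"uid": user_id, "exp": int(now) + TOKEN_TTL_SECONDS,
              "nonce": _b64(os.urandom(8))}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token, now=None):
    """Return the user id if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None  # malformed
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered payload
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if claims.get("exp", 0) <= now:
        return None  # expired: the app has to log in again
    return claims.get("uid")


# Constructed user table standing in for the existing MySQL users table.
USERS = {"alexander": {"id": 42, "pw": hash_password("correct horse")}}


def login(username, password, now=None):
    """Step 1: the app POSTs credentials once over SSL; the server answers with a
    token (or None on failure) instead of relying on a PHP session cookie."""
    user = USERS.get(username)
    if user is None or not check_password(password, user["pw"]):
        return None
    return issue_token(user["id"], now)


def handle_request(headers, now=None):
    """Step 2: every later request carries the token in an Authorization header;
    the server resolves it to a user id or rejects the call with None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return verify_token(auth[len("Bearer "):], now)


if __name__ == "__main__":
    token = login("alexander", "correct horse")
    print("login ->", token)
    print("request ->", handle_request({"Authorization": "Bearer " + token}))
```

The token replaces the device UID the question considers: because it is signed with a secret only the server knows, a client cannot forge one for another user, and because it expires, a token captured in transit (which is exactly what SSL is there to prevent) is useful only for a short window rather than for the lifetime of the device.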

Licensed under: CC-BY-SA with attribution