All Questions
Tagged with android authentication
58 questions
0 votes, 1 answer, 133 views
How to securely use service account credentials in an Android App
I have an Android application distributed to my users through an .apk file. That app collects some data, and my goal is to upload that data to a cloud service, like BigQuery. To achieve this, I am ...
0 votes, 1 answer, 200 views
How does Android/Firefox authenticate the Android Pocket app, for example?
I installed the Android Pocket app and logged in. My default browser is Firefox, which is already logged in to my Firefox account. This meant I did not have to enter my Firefox account password. ...
0 votes, 0 answers, 218 views
SRP authentication in an Android app over REST
I'm currently trying to come up with an authentication process for an Android app, that talks with web backend using REST. At the moment the communication is secured by TLS (with cert pinning) and ...
1 vote, 1 answer, 2k views
What are the security best practices to implement offline login of android apps?
My client has an android application requirement. The users of the application are workers who might have to work at places where internet connectivity is unavailable. So an offline login feature is ...
1 vote, 1 answer, 312 views
Multiple SMS activation codes received by error
For several days now I am receiving activation codes by SMS that look like this:
Your ToYou verification code is 8058
Some are from ToYou, that seems to be a delivery service, others are from similar ...
17 votes, 2 answers, 5k views
Does biometric authentication in Android transfer any biometric data to the app?
On my Android phone I use several apps that propose biometric authentication. If I enable it, can these applications read my fingerprint data and transfer it to the third party servers?
2 votes, 1 answer, 235 views
How to protect smartphone data against theft?
I assume typical Android has fully encrypted disk with a key stored in a header. Header is encrypted using PIN / pattern / fingerprint or not encrypted when there is no lock. Is that correct?
when ...
1 vote, 0 answers, 158 views
How to ensure your own native app is talking to your own API [duplicate]
I'm developing an API and different apps to access to it, each with different scopes, including a native mobile app, and I'm wondering what would be a good strategy to authenticate my own native app ...
1 vote, 0 answers, 149 views
What does jarsigner verify in the first place (integrity or authenticity)?
I was reading something about Android code signing and have run into this statement:
The second jarsigner command at v in Listing 3-7 first verifies the
signature block and signing certificate, ...
64 votes, 6 answers, 11k views
Is 2FA via mobile phone still a good idea when phones are the most exposed device?
Everyone knows that two factors are better than one. My problem is that often the only second factor allowed is text messages sent to your mobile phone. This creates two concerns:
I travel frequently ...
1 vote, 0 answers, 163 views
Is there any advantage in using Google's IAM on Android?
We are building a few corporate apps for field workers / front office. In most cases each user will have their own device, but there are some shared devices (for example reception). The devices are ...
6 votes, 2 answers, 2k views
Authenticate user based on mobile device identifier
I have a hypothetical mobile game where players don't necessarily need to create accounts to play. Their data is keyed off of a device identifier like an advertising identifier (IDFA) or Apple's ...
1 vote, 1 answer, 559 views
How reliable is using Fingerprint sensor (iPhone/Android) for identity approval?
What I'm trying to achieve is a confirmation of transaction (not payment) with a fingerprint sensor. Pretty much like Google does in its Play store:
Chose a product, click pay
Approve your choice ...
-3 votes, 1 answer, 417 views
secure public facing wallet API accessed by mobile devices
I am implementing a public mobile wallet application where user can add his own card, like Android Pay, or Samsung Pay on Android device.
The standard way how these applications are initially working ...
1 vote, 1 answer, 404 views
Logging someone else's Google account on my Android device
Earlier today I had to add someone's Google account to my Android phone, to help them with something. My phone is a Samsung Galaxy S7 with the latest Android version, not sure if this is important. ...
1 vote, 2 answers, 244 views
How to verify if SSH Client is not recording my login information?
There are lots of SSH clients one can use with Android, for example JuiceSSH client, so I have a security concern, that is, how can I know or verify that this app is not recording my credentials to ...
4 votes, 1 answer, 222 views
Google App Script as public gateway for database (spreadsheet)
I've created a google app script that takes a POST request and writes to a google spreadsheet. In parallel, I've also made an Android app that sends HTTP requests to this google app script.
I did it ...
2 votes, 1 answer, 547 views
How to secure refresh token APIs?
I have two APIs used in auth:
api/auth/newtoken: Successfully validates user (i.e. username and password check in DB) and returns token (expires in 3 days) and refreshToken.
api/auth/updatetoken: ...
1 vote, 3 answers, 2k views
Restrict mobile phones to specific Access Point (WIFI Router)
Is it possible to restrict the access of android phones, iphone, and MS phones and tablets to a specific AP?
I want the corporate mobile device to only be able connect to one specific AP (the ...
11 votes, 1 answer, 5k views
Storing Auth token on Android device
My server is sending me access and a refresh token while logging in. Should I store them in the shared preferences of android by encrypting it? I want to know the best practice for storing these ...
5 votes, 2 answers, 3k views
App-based 2FA versus Hardware-based 2FA
How do apps like Symantec VIP / Okta Verify and similar implementations compare to using a hardware auth token such as the recent U2F devices?
How real is the possibility of an Android system being ...
11 votes, 4 answers, 4k views
How secure is the use of fingerprints (like Apple's TouchID) for authentication in banking apps? [closed]
We are working on the development of a banking app and for customers. We need to implement TouchID in Apple's iOS and a fingerprint check in Android.
Firstly, what are the possible security risks ...
1 vote, 0 answers, 117 views
Can malicious app read private variable from my App?
I have a local object "Login" (with a password and id) in my activity and I would like to know if I launch a fragment and use a setter to initialize the fragment, is it secured? Can a malicious app ...
0 votes, 1 answer, 147 views
How effective would a heartbeat sensor be at stopping spam?
Making an android app (for fun) that communicates with a server I am trying to come up with out of the box security ideas, one of them would be to use a heartbeat sensor instead of a captcha for ...
3 votes, 2 answers, 323 views
A password substitute?
Currently, I have a website that logs users in, and then keeps track of their session using PHP's $_SESSION. I'm trying to transfer this to an Android app, which means I can't use sessions to keep track ...
2 votes, 1 answer, 209 views
Software updates APIs authentication
We need to improve a system that delivers software updates (firmware/software files) to a Bluetooth device through a "companion" application installed on customers' smartphones (iOS/Android).
The ...
0 votes, 2 answers, 295 views
Best and secure way to do an authentication protocol between RESTful web service and Android client
I'm developing a system in which an Android client sends and receives data from a MySQL database (connected to a Java RESTful web service).
To do the authentication method, I don't want to send id&pass ...
2 votes, 1 answer, 1k views
Bruteforce App login forms on Android
I was wondering if there is any way (app or something) to bruteforce app login forms on Android?
4 votes, 1 answer, 465 views
How does choosing where a password is stored affect non-repudiation? (or private key storage)
Password managers, and numerous tools have been created to store end-user secrets over the years. This proliferation has resulted in a hazy mix of opportunities to improve security.
In short, I ...
2 votes, 0 answers, 97 views
How does google send and receive android app signature securely for "sign-in-with-google-account" option?
For developing an android app that lets people sign in with their google account, we have to submit app package name and developer signature to google. Every time that someone tries to log in to my ...
0 votes, 1 answer, 223 views
Authorizing an Android app to carry out operations on backend server
The users of my Android application can pay (using Paypal or in-app billing) to light a LED on a remote location. The LEDs are controlled, at each of the locations, by Internet-connected Arduinos.
...
0 votes, 2 answers, 398 views
Smartphone 2FA has been broken?
This research states that two factor authentication has been broken by the possibility to remotely install an app on a device. I believe that an attacker can publish an app in the store that is ...
1 vote, 1 answer, 1k views
How to secure android REST basic authentication credentials against reverse engineering?
As far as I know, in basic REST API authentication, username and password to access web service resources are baked into the app's code.
On the other hand, it seems not difficult to reverse engineer ...
8 votes, 1 answer, 2k views
Why does Android care about differentiating multiple fingerprints?
I was reading through the Android Compatibility Definition document after a friend pointed me there while we were discussing fingerprint scanners and other biometric authentications. I noticed this ...
7 votes, 2 answers, 879 views
Is installation id secure enough to authenticate device's user against a Web Service API?
...or interactively asking for password / or having some certificate is inevitable?
Context
My Android app wants to do secure transactions via my Web Service API. However I do not want to bother my ...
-2 votes, 1 answer, 1k views
What's the most secure way to send user data from client to server? [closed]
I know there are probably many existing answers to this question but so far I couldn't find a simple detailed answer.
On the Android app there are two buttons, sign in with Facebook and sign in with ...
2 votes, 0 answers, 542 views
Security token in android and embedded system
I have an embedded board with a very limited processing and memory resource. I would like to control the board using an android app.
The users are categorized into 3 groups:
owner of the board.
...
1 vote, 2 answers, 525 views
Questions about user authentication over REST API
I'm now trying to implement user authentication on my android app. I, however, have a few questions.
I use a REST API. How do I safely request and send data to and from the phone? I'm assuming that I ...
1 vote, 1 answer, 4k views
Is it possible to secure an Android Intent from other calls from apps?
I'm looking at the architecture of Android and want to come up with a service that allows for multiple applications (3rd party) to call a local android service and fetch data. Think of this as a ...
5 votes, 1 answer, 1k views
OAuth2 how does it work (Android client)
I have read a lot about OAuth2 but still cannot understand how it works. I will explain how I understand this protocol.
There are some main characters in OAuth protocol interaction.
User, ...
2 votes, 1 answer, 1k views
Authentication, authorization in native mobile clients (Android)
I am developing native mobile client for store that requires user authentication in order to make purchases available.
I have my web store page, authentication is provided by CMS (OpenCart).
Now I ...
3 votes, 2 answers, 1k views
token based authentication attacks
JSON Web Token seems to be a very good tool to authenticate users. But I wonder if an attacker can take the token used by another user and use it for his own attacks.
And to be more precise what makes ...
0 votes, 1 answer, 336 views
Security tradeoffs while designing a mobile Web Service API
I'm not a security expert but I want to ask about tradeoffs in a web service API I'm designing for mobile apps.
It is an API which tracks users' locations so yes, the data is reasonably sensitive. ...
1 vote, 2 answers, 2k views
Secure android and server calls
I plan on adding an authentication system on my android app using web services.
When my app calls the server using a POST call how can I secure the client can't find the URL and try to do his own ...
1 vote, 2 answers, 6k views
How to call webservice securely in Android
Hello I am working on an Android application in which I'm required to execute a few https web service calls. All my web-service URLs and Web API KEYs are in the code plus the IP address of the server. ...
2 votes, 2 answers, 738 views
Preventing Illegal Access to Webservice
Let me start off by saying that I read other StackExchange questions related to this and they weren't really able to answer my question. I have a feeling this may be an unsolvable problem, but I'm ...
0 votes, 1 answer, 153 views
How much security would I lose if I enabled "easy enter" pins on an android device?
There is an option on android devices to unlock when the correct pin/password is entered, but without the user explicitly pressing the "done" or "enter" button. How much security does this remove from ...
6 votes, 2 answers, 6k views
Security concept for Android app with PHP based REST API
I'm trying to build my own PHP based REST API for my Android app and I'm a little bit confused by all the different user authentication stuff one can find on the internet. So I want to present my ...
1 vote, 1 answer, 225 views
Mobile authentication
I'm currently working on an Android app in which I want to authenticate someone against a REST API. I want to do this as secure as is (cost-)effective/possible/user friendly.
I've been looking around ...
4 votes, 1 answer, 581 views
What are industry-standard recommended practices to protect user information in an Android app?
I am developing an Android app that will potentially handle sensitive user data, and some of it may be even considered medical data (for example user height, weight, allergies, etc).
What would be the ...