On Fri, Dec 7, 2012 at 5:45 AM, sampath premarathna <sampathpremarat...@gmail.com> wrote:
> But in your solution anyone in the middle can get that token also, so he can
> intercept and change the request, no?

You would run your application over VPN or SSL/TLS. The token is large and random (96 bits or 128 bits), so it can't be effectively guessed.

I've also seen static tokens (tokens that are easy to predict or don't change over protocol runs). For example, something clever like the device's UUID. Those apps get kicked too, because the attacker can guess the token, and we should not be tracking users based on UUIDs.

Jeff

> On Monday, November 5, 2012 11:52:17 PM UTC+5:30, Jeffrey Walton wrote:
>>
>> On Fri, Nov 2, 2012 at 12:06 AM, Rajiv Yadav <rajivy...@gmail.com> wrote:
>> > Hi, I am developing an application which uses RESTful services (about
>> > 30 RESTful methods; some are using "get" and some are "post").
>> > It is working fine, but in each call throughout the application I need to
>> > send some secure data (like username, password in some encrypted form).
>> >
>> > My question is: is there any secure way for this? Please suggest.
>>
>> Yes. You log in to the application once with a {username, password}
>> pair. You never use the {username, password} again in a request (until
>> the server expires the session). If the server expires the session,
>> then you have to log in again. In return for a successful login, you
>> get a token to use on future requests. This is coarse-grained
>> entitlement (can you use the application?).
>>
>> When a request arrives at the server for services, the request
>> includes the token. The server provides the mapping between
>> token->user. This is fine-grained entitlement (can the user access
>> the resource?).
>>
>> If I see a web app cross my desk that uses {username, password} in
>> each request, then I boot the application immediately. Just giving you
>> fair warning here, since I'm not the only guy who will deny such an
>> application.
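A minimal implementation of the login-once, token-per-request scheme described in the thread, added here as an example (it is not code from anyone in the thread). It assumes an in-memory user and session store and a salted PBKDF2 password hash; it issues a 128-bit token from the OS CSPRNG so it cannot be guessed or derived from a device identifier, keeps the token->user mapping server-side, and expires sessions so the client must log in again. Transport protection (TLS or VPN) is still required and is outside this snippet.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: in-memory stores stand in for a real user database
# and session cache. TOKEN_BYTES = 16 gives the 128-bit random token the
# thread recommends; SESSION_TTL is an assumed idle timeout.
TOKEN_BYTES = 16
SESSION_TTL = 15 * 60  # seconds


def _hash_password(password, salt):
    # Salted, iterated hash so the stored credential is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class TokenAuth:
    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self._users = {}     # username -> (salt, password hash)
        self._sessions = {}  # token -> (username, expiry timestamp)
        self._ttl = ttl
        self._clock = clock  # injectable for testing expiry

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def login(self, username, password):
        """Exchange {username, password} once for a fresh random token.

        Returns the token string, or None on bad credentials. A new token is
        minted on every successful login, so tokens never repeat across runs.
        """
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        # Constant-time comparison of the password hashes.
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None
        token = secrets.token_urlsafe(TOKEN_BYTES)  # 128 bits of CSPRNG output
        self._sessions[token] = (username, self._clock() + self._ttl)
        return token

    def user_for_token(self, token):
        """Map a request's token -> user; None if unknown or expired.

        This is the fine-grained check: the caller can then decide whether
        that user may access the requested resource.
        """
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if self._clock() >= expiry:
            # Session expired: drop it so the client has to log in again.
            del self._sessions[token]
            return None
        return username

    def logout(self, token):
        self._sessions.pop(token, None)


if __name__ == "__main__":
    auth = TokenAuth()
    auth.register("alice", "correct horse battery staple")
    token = auth.login("alice", "correct horse battery staple")
    print("issued token:", token)
    print("request as:", auth.user_for_token(token))
```

The password is sent exactly once, at `login`; every later request carries only the token, and the server, not the client, decides whether that token still maps to a user.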