android - Authenticating mobile device -


i'm developing client-server application, client applications run on mobile devices (android, ios) , communicate server via http protocol. mobile applications available free @ market , multiple users using same application instance on same device.

i need authenticate each request server , i need authenticate device, not user , practically in possession of device.

i've worked arround solution:

after installing application:

let's presume done on secure network:

  1. an administrator (not regular user) runs application on given device , uses app's authentication form once (filling login , password).
  2. server authenticates administrator , sends secret device key , "public" device id specific device.
  3. server stores device key , device id.
  4. device stores device key in secure storage , device id wherever.

now device has own "credentials".

with each client request:

  1. client requests request key. request contains device id.
  2. server genenerates request key, stores along device id , sends client.
  3. client sends request data device id , hash of (the data + request key + device key) , signs request.
  4. server checks hash. server invalidates request key.

my questions:

  1. presuming secure storage exists: how secure approach be?

  2. is there secure storage nobody (but application) can read in ios , android? provide links study (especially android). depend on rooting device?

some notes:

i believe request key, client needs prove knowledge of secret device key (without request key hacker send again intercepted data). since device key sent on secure network, can not intercepted , since stored in secure storage can not stolen device.

however expect there no 100% secure storage (minimally on android) , if device rooted secret device key can stolen. storing encrypted makes harder hacker - need decompile client application , find how decrypt it.

edit: little change in suggested approach (there security gap), added notes , other minor details.

http://developer.android.com/reference/android/accounts/accountmanager.html think know this. keytool , self signed certificates? didn't much.


Comments

Post a Comment

Popular posts from this blog

c++ - CryptStringToBinary API behavior -

i seeing strange behavior cryptstringtobinary cryptography api. please see below code (config: x64 debug): #include "stdafx.h" #include <windows.h> #include <strsafe.h> #include <iostream> #include <exception> void main() { dword dwskip; dword dwflags; dword dwdatalen; //lpcwstr pszinput = l"jaaaaaecaaadzgaaakqaagdnnl1l56bwgfjdgr3rpxtqqqn6daw3usv2emkjym4t"; //this works fine lpcwstr pszinput = l"mytest"; //doesnt work, api returns false,error code 0x0000000d // determine size of byte array , allocate memory. if(! cryptstringtobinary( pszinput, _tcslen( pszinput ) + 1, crypt_string_base64, null, &dwdatalen, &dwskip, &dwflags ) ) { dword dw = getlasterror(); //0x0000000d: data invalid throw std::exception( "error computing byte length." ); } byte *pbytebyte = null; try { ...
Read more

c++ - Correct method for redrawing a layered window -

i have window created ws_ex_layered window style. drawing onto memory bitmap using gdi+, , using updatelayeredwindow update graphical content of layered window. intend use window main window of application, require redraw frequently. seeing layered windows not receive wm_paint windows message [?] , need come appropriate method re-drawing window. optimisation not essential , it's nice have cake , eat too. therefore, in search of "correct" method use. here thoughts far: i guess it's idea render onto off-screen bitmap before bitblt ing or similar. 60 frames rendered per second should (more than?) enough (but how compare other applications' frame rates?). possible solutions: use settimer send wm_timer message on regular basis. useful because through specifying time-out value, can achieve desired frames per second, without requirement measure duration "frame" takes rendered. would cause input or other lags due frequency , speed of m...
Read more

java.util.scanner - How to read and add only numbers to array from a text file -

i'm learning java , have question regarding reading file want read numbers file contains strings well. here example of file: 66.56 "3 java 3-43 5-42 2.1 1 and here coding: public class test { public static void main (string [] args){ if (0 < args.length) { file x = new file(args[0]); try{ scanner in = new scanner( new fileinputstream(x)); arraylist<double> test = new arraylist<>(); while(in.hasnext()){ if(in.hasnextdouble()){ double f=in.nextdouble(); test.add(f);} else {in.next();} } catch(ioexception e) { system.err.println("exception during reading: " + e); } } my problem add 66.56,2.1 , 1 doesn't add 3 after "3 or ignores 3-43 , 5-42 can tell me how skip strings , add doubles here? thanks all said 3 ie; "3, 3-43 , 4-42 strings either u read string , split , check number @ " , - or put in space between characters , integers. jvm after compilation tre...
Read more