android - Mobile APP - API Authentication concept -


i have conceptual question , wanted know if kind enough help.

i use simple example explain point of view.

i have developed simple restful api node.js + express + mongodb backend. api saves hightscores android game app. use token-based authentication, tokens generated secret , trusted username/password (hardcoded or not).

but still have doubt thinking safety...

reverse engineering piece of cake since developer can find backend endpoint of api , use username , password (or hardcoded one) obtain token.

then token ca used insert fake highscores via api.

my questions are:

  • is there way avoid security hole?
  • is using restfull api correct way connect mobile app backend in server?
  • if not, correct way develop app-server comunication save data in backend db?.

i think can ofuscate code includes hardcoded username , password dont solve situation.

pd: users question broad. made 3 concrete questions , topic avoid visibility of app information connect api. know there answers, dont want solution, way investigate.

there no full-proof way this. in theory, can debugged - including verification mechanism (token generation).

using web api way have mobile app communicate backend , works fine in cases. however, case, want make sure api used via android app have. typically done encrypting communication protocol , making hard others debug it. so, app encrypt communication in way, hard decrypt if don't know internals of app/server. however, hard scratch.

if want ready-made solution, use google's play game services, highscores, achievements, etc. should secure enough, can't implications current situation.


-

Comments

Post a Comment

Popular posts from this blog

python - How to insert QWidgets in the middle of a Layout? -

Image
i'm using qt framework build graphical user interface. use qgridlayout position qwidgets neatly. gui looks this: my application regularly adds new widgets gui @ runtime. these new widgets not added @ end of qlayout, somewhere in middle. the procedure bit cumbersome. applied on figure above, need take out widg_c , widg_d , ... qgridlayout. next, add widg_x and widg_y , , put other widgets again. how remove widgets qgridlayout: for in reversed(range(mygridlayout.count())): self.itemat(i).widget().setparent(none) ### as long you're dealing small amount of widgets, procedure not disaster. in application display lot of small widgets - perhaps 50 or more! application freezes second while procedure ongoing, annoying user. there way insert widgets somewhere in qlayout, without need take out other widgets? edit: apparently solution qvboxlayout simple. use function insertwidget(..) instead of addwidget(..) . docs can found link: http://doc.qt.io/qt-5/qboxlayou
Read more

python - serve multiple gunicorn django instances under nginx ubuntu -

i need serve 2 webs apps (django) on gunicorn under different domain names using nginx on ubuntu. started using tutorial: https://www.digitalocean.com/community/tutorials/how-to-set-up-django-with-postgres-nginx-and-gunicorn-on-ubuntu-16-04 it worked fine 1 using that. tried same thing second gives me 502 gateway second domain. tried following tutorial: http://michal.karzynski.pl/blog/2013/10/29/serving-multiple-django-applications-with-nginx-gunicorn-supervisor/ i'm @ part run gunicorn start script: sudo bin/gunicorn_start i response: starting webuildblack root traceback (most recent call last): file "/home/devin/webuildblack/bin/gunicorn", line 7, in <module> gunicorn.app.wsgiapp import run importerror: no module named 'gunicorn.app'; 'gunicorn' not package you have named program gunicorn.py gunicorn -package. rename file , remove gunicorn.pyc file.
Read more

module - Prestashop displayPaymentReturn hook url -

i new prestashop developer , trying create paymentmodule. have got show payment method can not proceed purchase because not know hot works. does know should redirect run hooddisplaypaymentreturn method? i happy if explain me complete navigation map make purchase. anyway, can find relation between hooks , pages? when have new module payment rely on simplest provided prestashop: bankwire. inside can find 3 hooks. hookpayment: public function hookpayment($params) { if (!$this->active) return; if (!$this->checkcurrency($params['cart'])) return; $this->smarty->assign(array( 'this_path' => $this->_path, 'this_path_bw' => $this->_path, 'this_path_ssl' => tools::getshopdomainssl(true, true).__ps_base_uri__.'modules/'.$this->name.'/' )); return $this->display(__file__, 'payment.tpl'); } hookdisplaypaymenteu: public fun
Read more