-
Welcome to B4X forum!
B4X is a set of simple and powerful cross platform RAD tools:
- B4A (free) - Android development
- B4J (free) - Desktop and Server development
- B4i - iOS development
- B4R (free) - Arduino, ESP8266 and ESP32 development
Other User identification and then?
- Thread starter LucaMs
- Start date
- Similar Threads Similar Threads
Any app can be changed/hacked at the point where you check if the user is authorized (f.e. by changing a some values).
If your app runs without needing external data: No Chance
If your app is based on sending/receiving data you can control it via an external Server (php/MySQL -> Login -> data from known users only)
If your app runs without needing external data: No Chance
If your app is based on sending/receiving data you can control it via an external Server (php/MySQL -> Login -> data from known users only)
Upvote
0
Yes, it is a B4J web server - B4A client.
But, currently, the app receives permission from the server, after sending username and password and since then the data sent by the client are authorized.
If the hacker discovers the place where the authorization is received, he has solved.
However, thinking about it, the place at which the app receives the authorization is a routine called by the server, then it is triggered by an event, so maybe it is less detectable.
However, if someone has an optimal solution ...
But, currently, the app receives permission from the server, after sending username and password and since then the data sent by the client are authorized.
If the hacker discovers the place where the authorization is received, he has solved.
However, thinking about it, the place at which the app receives the authorization is a routine called by the server, then it is triggered by an event, so maybe it is less detectable.
However, if someone has an optimal solution ...
Upvote
0
I read it but I don't know how it can do for me.
I have a "non UI" B4J server, which manages the client-server communication via a websocket handler class.
Those filters, if I understand correctly, limit access to certain folders.
Upvote
0
Hello,
If I understand you correctly : you want to authenticate and after that be sure the exchanges are provided by authenticated devices only.
They are several ways to achieve that :
- a token or cookie set when the device was authenticated
- a "special" key shared between the device and the server and added to parameters
- a crypted object instead of parameters encoded with a temporary key
- you can even store a comibation of IP, ID on the server and check the conformity before executing any command.
I don't know what you are wanting to create so my personal advice (not a general recommendation) is to ask you not to be shy and let your genius mind imagine your own solution . We have all the tools in b4x to create a dedicated identification process.
And you could do" belt and strap" in a SSL secured environment.
If I understand you correctly : you want to authenticate and after that be sure the exchanges are provided by authenticated devices only.
They are several ways to achieve that :
- a token or cookie set when the device was authenticated
- a "special" key shared between the device and the server and added to parameters
- a crypted object instead of parameters encoded with a temporary key
- you can even store a comibation of IP, ID on the server and check the conformity before executing any command.
I don't know what you are wanting to create so my personal advice (not a general recommendation) is to ask you not to be shy and let your genius mind imagine your own solution . We have all the tools in b4x to create a dedicated identification process.
And you could do" belt and strap" in a SSL secured environment.
Upvote
0
Ehi, you are "talking" with me. I'm sure you have the wrong person
What I mean, "exactly", is:
an user tries to connect using a nick name of another user and a wrong (of course) password.
///
Well, trying to explain better, I have found the solution.
I would have continued writing:
The server sends an answer, like: "Authorized" or "not authorized" (or a single byte, it's the same).
If a hacker could find this place, he could modify the next code, which should be something like:
If ServerMsg = "Authorized" Then...
but if I use two different routines: Sub Authorized and Sub NotAuthorized (obfuscated) he could not act in that way.
Uhm... Well, he could authenticate regularly, find out the location of the routine and then use a different nick and...!
Thank you, Lemon
Last edited:
Upvote
0
Ehi, you are "talking" with me. I'm sure you have the wrong person
What I mean, "exactly", is:
an user tries to connect using a nick name of another user and a wrong (of course) password.
///
Well, trying to explain better, I have found the solution.
I would have continued writing:
The server sends an answer, like: "Authorized" or "not authorized" (or a single byte, it's the same).
If a hacker could find this place, he could modify the next code, which should be something like:
If ServerMsg = "Authorized" Then...
but if I use two different routines: Sub Authorized and Sub NotAuthorized (obfuscated) he could not act in that way.
Uhm... Well, he could authenticate regularly, find out the location of the routine and then use a different nick and...!
Thank you, Lemon
Upvote
0
Luca,
That scenario can only exist if you don't store (on the server) a way to identify the authenticated devices.
Let's admit that the code is used to "unlock" a trial app. If you check regularly if the device is allowed to run the app (let's say based on a time schedule), you would be able to lock the app again and again.
And if it is used to exchange informations between the devices and the server, check if the device is authorized each time you have to do something on the server (opening a socket, maintaining a list of opened socket, etc).
That scenario can only exist if you don't store (on the server) a way to identify the authenticated devices.
Let's admit that the code is used to "unlock" a trial app. If you check regularly if the device is allowed to run the app (let's say based on a time schedule), you would be able to lock the app again and again.
And if it is used to exchange informations between the devices and the server, check if the device is authorized each time you have to do something on the server (opening a socket, maintaining a list of opened socket, etc).
Upvote
0
[text ready; now I read the post above ]
Perhaps I have found a better way.
The hacker knows the name of the user as these is a game player of my app; if I require the user of the app:
UserName (not visible)
PlayerName (visible)
PW
he may not try to impersonate someone else.
]Perhaps I have found a better way.
The hacker knows the name of the user as these is a game player of my app; if I require the user of the app:
UserName (not visible)
PlayerName (visible)
PW
he may not try to impersonate someone else.
Last edited:
Upvote
0
Yes, but use a device ID is a limitation, in my case, also because the app will be free with advertising.
Thank you
Upvote
0
Yep. Let the user do a Login login (at least one time and store a file with a generated string like a Serial number on the device). At every start send it to the server with the username and compare it with the data stored in a db. Every n-th time update it. Easy.
I use at least a length of 50 Bytes. Renew it once a week or so.
Even if someone hacks it, he needs to have a valid Keyfile. If he copies it from another device, it's not valid AND he doesn't know the email adress (username) of the registered user. Even if he uses his own (pay once, copy it) you can check the ip address (more than one at a time will not work).
I use at least a length of 50 Bytes. Renew it once a week or so.
Even if someone hacks it, he needs to have a valid Keyfile. If he copies it from another device, it's not valid AND he doesn't know the email adress (username) of the registered user. Even if he uses his own (pay once, copy it) you can check the ip address (more than one at a time will not work).
Upvote
0
I don't need to protect the app (copy it, I will earn more
), just the user identity (you cannot play using my nick name).Thank you (Klaus?
)
Upvote
0
Similar Threads
- Solved
- Solved
Android Question
Detect if another user is running my app remotely
