Hi RU.SO, there is a server with a REST API that uses Basic auth. There is a client-side application on Android, in which the user/password is hard-coded and transmitted when asked. The problem is that the user can disassemble the application and get all the request URLs and the data for authorization. You can create authorization through a token, but again, the user will be able to get, for example, this token through Postman and then compromise the data. The crux of the matter: how do you implement security?
- Through a login/password for each user; any hardcoded passwords are a hole. - Vartlok
- @Vartlok that is what I'm talking about: the way it works now is not an option. There is an API which returns all the data from Table X, and it should be released so that it would be possible only through the Android device. The fact that this will be done under a different user does not solve the problem, because having the data for authorization (even if it is unique for each user), you can use any other REST client where you can see the responses from the server; on the Android device, everything works in the backend - GVArt
- Are you sure that someone needs your data so badly to bother so much and that your solution will be cheaper than a potential loss? - Mikhail Rebrov
- Do I understand you correctly, that you do not want to give your data to the client in any other way except through your client? - Mikhail Rebrov
- From disassembling and faking requests you will not save anything, taking into account the fact that the requests will be falsified by users who already have access to the data. For everything else, there is OAuth2 - Mikhail Rebrov