Android Question How to Authenticate only Android user to visit web site

cenyu

Active Member
Licensed User
Longtime User
Hello, I have a task to create a web site with an MSSQL database and ASP.NET C# MVC, but this site MUST be accessible only to users with my B4A app, and not accessible from web browsers or from other phones with a different IMEI...
I can use HttpJob, as in this code, to receive data or an entire web page and to send the username, password and phone IMEI:
B4X:
    Public appUrl1 As String = appServer & "/page1/__USERNAME__/__PASSWORD__/_PHONEIMEI__"

    Dim job3 As HttpJob
    job3.Initialize("JobLogin", Me)
    job3.Download(appUrl1)
OR

B4X:
Dim Web as WebView
Web.LoadURL(appUrl1 )

But my biggest concern is: IF THE USER TYPES THIS URL DIRECTLY INTO A BROWSER, IT WILL ACCESS THE SITE.
The user MUST load the site ONLY from the WebView in my B4A app.
How can I protect the site? Any answer will be useful to me!
 

cenyu

Is this possible? And what will happen if the user enters the URL into the browser on his Android phone?
I think the site will check the user-agent of the browser and will allow access.

I can use WebView for B4A, but the user-agent of the browser will be equal to Google Browser on Android.
 
Upvote 0

cenyu

I found this MSSQL-JDBC Minimalistic Example, but is this secure? And is it possible for a user to find out the password and username for the SQL database?
Is there a sniffer or something for Android that is able to track down the password and username?
And my task is a little different: I have to read a web page...
 
Upvote 0

cenyu

I figured it out... C# MVC code, according to mcqueccu:
C#:
You can use the Request.Browser.IsMobileDevice property.


But still, if the user enters the URL in his Android browser, he can load the site...
I have to disable this... The user MUST load the site ONLY from the WebView in my B4A app.
 
Upvote 0

JohnC

but this site MUST be accessible only from users with my B4A app and not accessible from web browsers and other phones with different IMEI..
Since you want the webpage to ONLY be viewed in your B4A app, then it's simple to prevent that webpage from being viewed by a browser:

1) Add a webview to your app to display the webpage.
2) Use webviewsettings to add a special passcode to the useragent of the webview:
B4X:
Dim UA As String
UA = wvs.getUserAgentString(wv) & "/passcode"
wvs.setUserAgentString(wv,UA)
3) Have your secret webpage check that the passcode is in the user-agent of the requestor so the webpage will know the page is being viewed from your app and not in a normal browser.
4) Make sure the URL to your secret page uses an HTTPS connection so other apps can't snoop to see the passcode.
 
Upvote 0

cenyu

Yes, my site is https.

Then I tried this to read the https page:

B4X:
    Dim URL    As String
    Dim webview1             As WebView
    Dim WebViewExtras1         As WebViewExtras
    webview1.Initialize("webview1")
    Activity.AddView (webview1,0,0,100%x,100%y)
    URL="https://192.168.0.200"
    WebViewExtras1.addWebChromeClient(webview1, "WebViewExtras1")
    webview1.LoadUrl(URL)



BUT AN EMPTY PAGE IS THE RESULT!!!
What am I doing wrong?
I also tried "your app has a unique Package Name".


Erel says that you can disable the SSL tests with this code, but an empty page is still the result.
 
Upvote 0

JohnC

The URL you are trying to navigate to is a local IP (192.168.0.200) - so it looks like you are trying to navigate to a local server.

But you are also trying to use HTTPS, which requires an SSL certificate to be installed on your local server. So the connection is probably failing because your local server is not set up with SSL. (Setting up SSL is a whole discussion by itself.)

So for now, try just using HTTP to get things working; then, when you set up a live webserver, you can set up SSL for it.

And remember to add this line to your manifest so your app can make HTTP connections:
B4X:
SetApplicationAttribute(android:usesCleartextTraffic, "true")
 
Upvote 0

cenyu

Sorry for the duplicates, but this question is very important to me.
Yes, this is a local server, but there is an SSL cert.
When I type the https URL in my PC browser, I get a result.
When I try the B4A URL without https, the result is "Page not found", and when I try https, a blank page... no errors.
 
Upvote 0

Biswajit

In my apps, I use AES encryption with HMAC and App Signature verification. After receiving the request the server (PHP) checks if the payload is valid or not. If valid then it processes the request. So anyone having your API key or URL cannot browse the page from any other app or from any browser.
 
Upvote 0
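
The approaches in this thread, a passcode the server looks for in the User-Agent and an HMAC the server validates, both come down to a server-side check of a value only the app can produce. As an added example (not code from this thread or from any poster's app), the C# below verifies a per-request HMAC-SHA256 with a timestamp; the header names, the signed-string layout, the five-minute window and the key are assumptions, and the AES and app-signature parts are not shown.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: all names are hypothetical; the key below is constructed sample data.
static class AppRequestVerifier
{
    const long MaxSkewSeconds = 300;   // assumed replay window of five minutes

    // What the app would compute and send in assumed X-App-Timestamp / X-App-Signature headers.
    public static string Sign(byte[] key, string method, string path, long unixTime)
    {
        var message = Encoding.UTF8.GetBytes(method + "\n" + path + "\n" + unixTime);
        using (var hmac = new HMACSHA256(key))
            return BitConverter.ToString(hmac.ComputeHash(message)).Replace("-", "").ToLowerInvariant();
    }

    // Server side: false for missing headers, a stale timestamp, or a signature mismatch.
    public static bool Verify(byte[] key, string method, string path,
                              string timestampHeader, string signatureHeader, long nowUnix)
    {
        long unixTime;
        if (string.IsNullOrEmpty(signatureHeader) || !long.TryParse(timestampHeader, out unixTime))
            return false;                       // an ordinary browser request stops here
        if (unixTime < nowUnix - MaxSkewSeconds || unixTime > nowUnix + MaxSkewSeconds)
            return false;                       // limits replay of a captured request
        return FixedTimeEquals(Sign(key, method, path, unixTime), signatureHeader.ToLowerInvariant());
    }

    // Compare without exiting early, so timing does not reveal how many characters matched.
    static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        var key = Encoding.UTF8.GetBytes("constructed-demo-key-not-a-real-secret");
        long now = 1700000000;                  // fixed clock so the demo is repeatable
        string sig = Sign(key, "GET", "/page1", now);

        Console.WriteLine(Verify(key, "GET", "/page1", "1700000000", sig, now));  // request signed by the app
        Console.WriteLine(Verify(key, "GET", "/admin", "1700000000", sig, now));  // path changed after signing
        Console.WriteLine(Verify(key, "GET", "/page1", "1699990000", sig, now));  // timestamp outside the window
        Console.WriteLine(Verify(key, "GET", "/page1", null, null, now));         // URL typed into a browser
    }
}
```

A key shipped inside the APK can be recovered from it, so this check keeps casual browser access out rather than proving the caller is the app; the per-user login still has to be checked on the server.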

JohnC

Can you open Chrome on this same Android device and connect to "https://192.168.0.200"?

If not, then make sure your device is connected to the same wifi network as your local pc and that your firewall will allow incoming connections.
 
Upvote 0

JohnC

At this point, you will need to do basic troubleshooting.

1) Eliminate any possible problems with the webpage by creating a very simple HTML page with no scripting and just "Hello World".
2) Eliminate any possible SSL problem by adding that line to the manifest so you can make HTTP connections, and then use http://192.168.0.200 instead of HTTPS and see if webview can display the simple html page properly.

After doing the above changes, make sure those changes were done properly by first using chrome on the device to view the simple page using HTTP (not https), then try webview.
 
Upvote 0

Biswajit

Yes, I can open "https://192.168.0.200" from my Android device browser and I receive a result...
But when trying from the B4A app with WebView.... blank page

Something interesting: when I use webview1.LoadHtml(https://192.168.0.200), I receive a page containing only the text "https://192.168.0.200"
If your website frontend is built with Angular or React, then check the console message from the DefaultWebChromeClient's ConsoleMessage event.
 
Upvote 0

cenyu

It is not built with Angular or React...
And my webview can display the simple HTML page properly.

I have no more ideas :) Maybe the problem is that I use a self-signed certificate on the entire IIS
 
Upvote 0

JohnC

I have no more ideas :) Maybe the problem is that I use a self-signed certificate on the entire IIS

That's exactly why I listed two things to do to troubleshoot this issue - so we can eliminate a possible SSL problem, or eliminate a possible webpage problem due to scripting.

Did you try my two troubleshooting changes?
 
Upvote 0

cenyu

Yes, I tried...
1) Eliminate any possible problems with the webpage by creating a very simple HTML page with no scripting and just "Hello World".
The very simple page works
2) Eliminate any possible SSL problem by adding that line to the manifest so you can make HTTP connections
I added your line to the manifest and tried http - it works
https - does not work
There are no SSL problems


I think WebView1.LoadUrl("https://192.168.0.200") does not work... I have to disable SSL checking...
Erel says that "You can disable the SSL tests" with the code below:

B4X:
Sub AppStart (Form1 As Form, Args() As String)
   MainForm = Form1
   MainForm.SetFormStyle("UNIFIED")
   MainForm.RootPane.LoadLayout("1") 'Load the layout file.
   MainForm.Show
   Dim jo As JavaObject = Me
   jo.RunMethod("disableSSLTest", Null)
   WebView1.Loadurl("https://www.siam-net.de")
End Sub

#if JAVA
import java.net.MalformedURLException;
import java.net.URL;
import java.security.GeneralSecurityException;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
public static void disableSSLTest() {

     TrustManager[] trustAllCerts = new TrustManager[] {
         new X509TrustManager() {  
           public java.security.cert.X509Certificate[] getAcceptedIssuers() {
             return null;
           }
           public void checkClientTrusted(
               java.security.cert.X509Certificate[] certs, String authType) {
           }
           public void checkServerTrusted(
               java.security.cert.X509Certificate[] certs, String authType) {
           }
         }
     };

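     // Install the all-trusting trust manager as the default for HttpsURLConnection.
     // This affects connections made through HttpsURLConnection only, and it
     // switches off certificate validation for all of them.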
     try {
       SSLContext sc = SSLContext.getInstance("SSL");
       sc.init(null, trustAllCerts, new java.security.SecureRandom());
       HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
     } catch (GeneralSecurityException e) {
     }
     // Now you can access an https URL without having the certificate in the truststore
     try {
       URL url = new URL("https://hostname/index.html");
     } catch (MalformedURLException e) {
     }
   }
#end if
But an empty page is still the result
 
Upvote 0

JohnC

I added your line to the manifest and tried http - it works
https - does not work
There are no SSL problems

If you are saying that when you add the line to the manifest and then try connecting using HTTP it WORKS, but then trying SSL DOESN'T work, then that CLEARLY means it is an SSL problem.

It probably has something to do with the type of SSL certificate you have installed on your local server.

Try moving the webpage to a live internet server that has a real domain SSL certificate and I bet you it will work.
 
Upvote 0

cenyu

Ok JohnC! Thanks for your help....I will try a real domain SSL certificate ...
Best regards!
 
Upvote 0