Android Question Job post data security

nibbo

Active Member
Licensed User
Hi, just a quickie...

Is it secure to pass account IDs and passwords etc. in the job post data?
I.e. Job.PostString("LogIn", "User=Bill&Password=Ben")?

Could this be intercepted in any way by someone other than the app user?

Thanks
 

lemonisdead

Well-Known Member
Licensed User
Could this be intercepted in any way by someone other than the app user?
Hello,

If you don't use any encryption (for example SSL) your data will travel in the clear over the internet. So, there is a chance someone can intercept it.
Depending on your equipment, you can use SSL or encrypt the request and decrypt it when received.
 

nibbo

Active Member
Licensed User
Thanks for the reply.
I am enforcing SSL on the IIS server, so I assume that means the post data is automatically encrypted before it is sent...?
 

lemonisdead

Well-Known Member
Licensed User
It should be done automatically if the URL or port is set to be used with SSL. The only limitation is with some old smartphones and new certificates. But they are really old devices.
 

nibbo

Active Member
Licensed User
Hi lemonisdead, I thought this was the case but wanted to make sure.
Many thanks for confirming this for me.
 

wonder

Expert
Licensed User
Job.PostString("LogIn", "User=Bill&Password=Ben") ?
Thanks
No matter how secure your software, hardware, database or connection is, you should NEVER store a user's password in its original form. NEVER.
A password should always be encrypted, preferably with a salted hash algorithm.

Using the SHA-1 hash algorithm as an example, the string "Ben" becomes "41126fc03289a05d86219d28b38e5e365ff0359f" and this is what should be stored on your database.

To verify a correct login, simply use:
B4X:
'PSEUDO-CODE

input_username = INPUT "Enter your username: "
input_password = INPUT "Enter your password: "

GET FROM DATABASE password WHERE user = input_username

IF SHA-1(input_password) = password THEN ACCESS_GRANTED
The SHA-1 algorithm is used here only as a simplified example and it should not be used on its own, since it is not considered secure anymore.

If necessary, I can explain to you in detail what a "salt" is and what needs to be done to secure a password. Just let me know. :)
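A salted, iterated version of the check described in the pseudo-code above, added here as an example in Python (it is not code from the thread, and it is not B4X). The in-memory user table, the user names and the iteration count are assumptions; the unsalted SHA-1 function is kept only to show why two users with the same password must not share a digest.

```python
import hashlib
import hmac
import os

# Unsalted SHA-1 as in the pseudo-code: every user with the same password
# gets the same digest, so one cracked digest unlocks all of them.
def sha1_unsalted(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Assumption: iteration count chosen for this example; raise it on real servers.
PBKDF2_ITERATIONS = 200_000

def make_record(password: str) -> dict:
    """Store a random per-user salt, the iteration count and the PBKDF2-HMAC-SHA256
    digest. The password itself is never written anywhere."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "digest": digest.hex()}

def verify(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(actual, bytes.fromhex(record["digest"]))

# Constructed stand-in for the database: two users who chose the same password.
USERS = {"Bill": make_record("Ben"), "Alice": make_record("Ben")}

def login(username: str, password: str) -> bool:
    """The GET ... WHERE user = input_username step, followed by the salted check."""
    record = USERS.get(username)
    if record is None:
        # Run the KDF anyway so an unknown user takes as long as a wrong password.
        verify(make_record("placeholder"), password)
        return False
    return verify(record, password)

if __name__ == "__main__":
    print("unsalted SHA-1 of 'Ben':", sha1_unsalted("Ben"))
    print("same salted digest for Bill and Alice?",
          USERS["Bill"]["digest"] == USERS["Alice"]["digest"])
    print("Bill/Ben ->", login("Bill", "Ben"), " Bill/wrong ->", login("Bill", "wrong"))
```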
 

nibbo

Active Member
Licensed User
Thanks wonder,
The validation is actually done by a hosted web service which uses Active Directory to check the user's access.
That being the case, presumably I just need to encrypt it in the post data.
Cheers for the advice.
 