Android Question Job post data security

Discussion in 'Android Questions' started by nibbo, Apr 17, 2015.

  1. nibbo

    nibbo Active Member Licensed User

    Hi, just a quickie...

    Is it secure to pass account IDs and passwords etc. in the job post data?
    I.e. Job.PostString("LogIn", "User=Bill&Password=Ben")?

    Could this be intercepted in any way by someone other than the app user?

    Thanks
     
  2. lemonisdead

    lemonisdead Well-Known Member Licensed User

    Hello,

    If you don't use any encryption (for example SSL), your data will travel in the clear over the internet, so there is a chance someone can intercept it.
    Depending on your equipment, you can use SSL, or encrypt the request and decrypt it when it is received.
     
  3. nibbo

    nibbo Active Member Licensed User

    Thanks for the reply.
    I am enforcing SSL on the IIS server, so I assume that means the post data is automatically encrypted before it is sent...?
     
  4. lemonisdead

    lemonisdead Well-Known Member Licensed User

    It should be done automatically if the URL or port is set to be used with SSL. The only limitation is with some old smartphones and new certificates, but those are really old devices.
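Added example for the exchange above (Python, written for this page; it is not B4A and not code from either poster). It takes the thread's Job.PostString("LogIn", "User=Bill&Password=Ben") idea and shows the two client-side checks a practitioner would want before relying on SSL to protect the body: the fields are form-encoded rather than concatenated by hand, so a password containing "&" or "=" cannot split into extra parameters, and the request is refused unless the endpoint is https:// with nothing in the query string. The host login.example.com and the function names are placeholders.

```python
# Added example (Python, not B4A and not the poster's code): builds the login
# body from the thread's Job.PostString("LogIn", "User=Bill&Password=Ben") call
# with proper form encoding and refuses any endpoint that is not https://.
from urllib.parse import parse_qs, urlencode, urlsplit


class InsecureTransport(ValueError):
    """Raised when a credential-bearing request would leave over plain HTTP."""


def login_post_body(user: str, password: str) -> str:
    """Return an application/x-www-form-urlencoded body for the login request.

    Concatenating "User=" & user & "&Password=" & password by hand breaks as
    soon as a password contains '&', '=', '%' or a space; urlencode()
    percent-encodes those so the server sees exactly the value typed in.
    """
    return urlencode({"User": user, "Password": password})


def transport_is_safe(url: str) -> bool:
    """True only for https:// URLs with a host and no query string.

    TLS encrypts the POST body on the wire, which is what the thread asks
    about, but only if the client actually uses the https:// endpoint; a
    query string is rejected because it ends up in server and proxy logs.
    """
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.netloc != "" and parts.query == ""


def prepare_login(url: str, user: str, password: str) -> tuple:
    """Return (url, body) for the POST, or raise if the transport is unsafe."""
    if not transport_is_safe(url):
        raise InsecureTransport("refusing to send credentials to %r: use https://" % url)
    return url, login_post_body(user, password)


def decode_body(body: str) -> dict:
    """Server-side view of the body: the value each handler field receives."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


if __name__ == "__main__":
    # Constructed sample values; login.example.com is a placeholder host.
    url, body = prepare_login("https://login.example.com/LogIn", "Bill", "a&b=c")
    print(body)               # User=Bill&Password=a%26b%3Dc
    print(decode_body(body))  # {'User': 'Bill', 'Password': 'a&b=c'}
```

Compare decode_body("User=Bill&Password=a&b=c"), which is what hand-built concatenation would send for the password "a&b=c": the server sees Password "a" and a stray field "b". Note that TLS only protects the body in transit; the device must still validate the server certificate, which is the "old smartphones and new certificates" limitation mentioned above.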
     
  5. nibbo

    nibbo Active Member Licensed User

    Hi lemonisdead, I thought this was the case but wanted to make sure.
    Many thanks for confirming this for me.
     
  6. wonder

    wonder Expert Licensed User

    No matter how secure your software, hardware, database or connection is, you should NEVER store a user's password in its original form. NEVER.
    A password should always be encrypted, preferably with a salted hash algorithm.

    Using the SHA-1 hash algorithm as an example, the string "Ben" becomes "41126fc03289a05d86219d28b38e5e365ff0359f" and this is what should be stored on your database.

    To verify a correct login, simply use:
    Code:
    'PSEUDO-CODE

    input_username = INPUT "Enter your username: "
    input_password = INPUT "Enter your password: "

    GET FROM DATABASE password WHERE user = input_username

    IF SHA-1(input_password) = password THEN ACCESS_GRANTED
    The SHA-1 algorithm is used here only as a simplified example and it should not be used on its own, since it is not considered secure anymore.

    If necessary, I can explain to you in detail what a "salt" is and what needs to be done to secure a password. Just let me know. :)
     
    Last edited: Apr 17, 2015
    nibbo and cimperia like this.
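Added example for the post above (Python; it is not the poster's pseudo-code and not from any B4A project). It keeps the structure of the pseudo-code, a lookup of the stored value by username followed by a comparison, but stores the salted, iterated hash the post recommends instead of bare SHA-1, using PBKDF2-HMAC-SHA256 from the standard library. The record format "pbkdf2_sha256$iterations$salt$digest", the iteration count and the users dictionary standing in for the database are assumptions made for the example.

```python
# Added example (Python, not the poster's pseudo-code): the salted, iterated
# version of the SHA-1 lookup above. The stored record carries the algorithm,
# iteration count and salt, so each can be changed later without breaking
# existing users.
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed default for this example; raise it as hardware allows


def unsalted_sha1(password: str) -> str:
    """What the pseudo-code above stores: identical passwords give identical
    hashes, so one precomputed table breaks every account that shares one."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<digest>' for storage."""
    salt = os.urandom(16)                      # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)      # binascii.Error is a ValueError
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except ValueError:
        return False                           # malformed record, never a match
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest does not stop at the first differing byte, so the response
    # time does not leak how much of the digest matched.
    return hmac.compare_digest(candidate, expected)


# Computed once so an unknown username costs the same work as a wrong password.
DUMMY_RECORD = hash_password("dummy-not-a-real-password")


def login(users: dict, username: str, password: str) -> bool:
    """The thread's 'GET FROM DATABASE ... IF ... THEN ACCESS_GRANTED' with a
    salted record; `users` stands in for the database table."""
    record = users.get(username)
    if record is None:
        verify_password(password, DUMMY_RECORD)   # burn the same time, then deny
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    # Constructed sample table: two users who chose the same password "Ben".
    users = {"Bill": hash_password("Ben"), "Bob": hash_password("Ben")}
    print(unsalted_sha1("Ben"))                # same for Bill and Bob
    print(users["Bill"] != users["Bob"])       # True: different salts
    print(login(users, "Bill", "Ben"), login(users, "Bill", "ben"))  # True False
```

The salt means two users with the same password get different records, so a table of precomputed SHA-1 values (which is what makes the bare SHA-1 above unsafe) no longer applies, and the iteration count makes each guess cost the attacker the same work it costs the server.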
  7. nibbo

    nibbo Active Member Licensed User

    Thanks wonder,
    The validation is actually done by a hosted web service which uses Active Directory to check the user's access.
    That being the case presumably I just need to encrypt it in the post data.
    Cheers for the advice.
     
    wonder likes this.