Android Question simple app-server authentication using a custom HTTP header?

Dave O

Well-Known Member
Licensed User
Longtime User
Has anyone tried using custom HTTP headers (e.g. X-App-ID) to authenticate the client app to the server?

Long version:
I'm running a cloudKVS setup where the B4J server (a VPS with SSL) has the central key-value store, and the users use a B4A app that syncs with the server.

I'd like to make sure that the server only accepts requests from my B4A app. So this seems like an authentication question. (I already have logic that checks that certain users (identified by email address) have permission for certain requests.)

Before I consider formal authentication (e.g. FirebaseAuth), I'm wondering if there are simpler solutions where the client app convinces the server that it's a legit sender, not some hacker's script.

I read a bit about the Google Play Integrity API, but didn't find any ways to use it in a B4A app.

I'm wondering if adding a custom HTTP header to the KVS Post calls would mostly solve this:

B4X:
job.GetRequest.SetHeader("X-App-ID", "insertCleverPasswordHere")

The server would then check the header value against its own stored password. If they don't match, it ignores the request.

That would also mean securing the password at both ends, but there are ways to do that.

Does this sound reasonable for achieving decent server security? Or should I stop trying easy shortcuts and just learn FirebaseAuth already? :)
 

Dave O

Well-Known Member
Licensed User
Longtime User
With SSL, I assumed the comms are secure so sniffing isn't possible (or at least is very hard). Is that incorrect?

The other thing I came across was mutual authentication using certificates (mTLS). That's how I originally thought SSL worked (both sides had to authenticate to the other using certificates). Is that something anyone here has implemented for a client-server setup?
 
Upvote 0

Erel

B4X founder
Staff member
Licensed User
Longtime User
Is that incorrect?
Yes. SSL prevents others from sniffing your communication. It doesn't prevent a hacker from sniffing his own traffic. This is done by installing a custom root-level certificate.
Example: https://www.comparitech.com/net-admin/decrypt-ssl-with-wireshark/

The other thing I came across was mutual authentication using certificates (mTLS). That's how I originally thought SSL worked (both sides had to authenticate to the other using certificates). Is that something anyone here has implemented for a client-server setup?
It will not provide more security than sending the password in any other way. You will still need to put the certificate somewhere in your app and it can be extracted from your app.
 
Upvote 0

sirjo66

Well-Known Member
Licensed User
Longtime User
There are many ways to protect your app communication, depending on the level of protection you need.
For example, if you don't want to send the password over the connection, you can do this (this is only an example):
1) The client starts the communication and sends the server a generic "login request" command with a "username" parameter.
2) The server generates a random string (for example "lfvnofjjfii2930rfj90kJHh") and saves the "username" together with the random string.
It then sends the random string to the client.
3) The client appends its password to the random string (for example "lfvnofjjfii2930rfj90kJHhMyBeautifulPassword") and calculates SHA-256 (or any other secure hash algorithm). The result ("b19d30ca767b352d737d774cc05c37a3e70447760fb5721a45508dd159d3ec0c") and the username are now sent to the server.
4) The server now performs the same calculation and checks that the hash result is the same. If so, the login succeeds.

This is an example for a server that has a database with usernames and passwords, but if you have only one password for all users you don't need to send the username to the server.
 
Upvote 0
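The four-step challenge-response exchange above, written out with both the client and the server side, as an added example that is not part of any post in this thread and not B4X code. The user table, the password value and the 60-second nonce lifetime are constructed for the example; the single-use nonce, the expiry and the constant-time comparison are additions beyond what the post describes, included because a replayed or stale challenge is the first thing an attacker who can read the traffic would try.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample user table (assumed values). The post's scheme requires the
# server to know the password itself, because it must recompute SHA-256(nonce + password).
USERS = {"alice": "MyBeautifulPassword"}

# How long an issued challenge stays valid (assumed value, not from the post).
NONCE_TTL_SECONDS = 60


class Server:
    """Server side of the challenge-response login: steps 2 and 4 of the post."""

    def __init__(self, users, now=time.monotonic):
        self.users = users
        self.now = now            # injectable clock so expiry can be tested offline
        self.pending = {}         # username -> (nonce, issued_at)

    def login_request(self, username):
        # Step 2: answer the generic "login request" with a fresh random challenge
        # and remember it under the username. Unknown users also get a nonce so the
        # reply does not reveal which usernames exist.
        nonce = secrets.token_urlsafe(24)
        self.pending[username] = (nonce, self.now())
        return nonce

    def login_response(self, username, digest_hex):
        # Step 4: recompute the same hash and compare.
        # pop() makes the nonce single-use, so a captured reply cannot be replayed.
        entry = self.pending.pop(username, None)
        if entry is None:
            return False
        nonce, issued_at = entry
        if self.now() - issued_at > NONCE_TTL_SECONDS:
            return False
        password = self.users.get(username)
        if password is None:
            return False
        expected = hashlib.sha256((nonce + password).encode()).hexdigest()
        # Constant-time comparison so a wrong digest is rejected without a timing leak.
        return hmac.compare_digest(expected, digest_hex)


def client_prove(nonce, password):
    """Step 3: the client appends its password to the challenge and hashes it."""
    return hashlib.sha256((nonce + password).encode()).hexdigest()


def run_login(server, username, password):
    """Steps 1-4 end to end: request a challenge, answer it, return the server's verdict."""
    nonce = server.login_request(username)
    return server.login_response(username, client_prove(nonce, password))


if __name__ == "__main__":
    srv = Server(USERS)
    print("correct password:", run_login(srv, "alice", "MyBeautifulPassword"))
    print("wrong password:  ", run_login(srv, "alice", "not-it"))
    print("unknown user:    ", run_login(srv, "bob", "anything"))
```

Two things worth noticing when adapting this. First, the server must hold the password (or a secret derived from it that the client can also derive) in recoverable form, so a database leak exposes user secrets; storing a salted password hash and having the client hash over that derived value is the usual adjustment. Second, this only stops an eavesdropper from learning or replaying the password; it does not address Erel's point, which is that a single secret shipped inside the app can be extracted from the app regardless of how it is transmitted.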