Searching for a safe way to do authentication from a mobile app

I've inherited a mobile app which sends auth credentials (userid/password) in the clear.

I'd imagine that I have 2 choices: a) use TLS. b) write my own auth protocol.

If I choose (b) what are the key guidelines that I must follow to make it it secure. e.g. how to avoid replay attacks, encryption strategies.

Asked by: Maddie229 | Posted: 28-01-2022

Answer 1

If you use b), the key guidelines are: Don't. If you want it secure, that is.

Try to stick with a).

Answered by: Edward327 | Posted: 01-03-2022

Answer 2

Writing your own security protocol is not necessary, and a bad idea. It will almost definitely have exploitable flaws. If all you need is to protect the confidentiality of the login credentials, then SSL/TLS is what you should use. It also allows you to more easily upgrade to client certificate-based authentication in the future.

Answered by: Walter506 | Posted: 01-03-2022

Answer 3

For (b) I guess you do a challenge-response thingy.

Server generates a random string, sends it to the client. Client appends it to the password and hashes the whole thing, sends the hash back to the server. Server does the same calculation, compares the result with what it got from the client. If they match then the client sent the correct password.

The most obvious vulnerability is that if someone snoops both sides of the exchange, they can then run an offline dictionary attack against the password.

Answered by: Fiona313 | Posted: 01-03-2022

Answer 4

For both "you can't get sued for it" and "reasonably protected" definitions of 'safe', for a mobile application, you can assume that the line is secure vs man-in-the-middle attacks and wide open to eavesdropping. SSL/TLS sounds the easiest way to go, but this might depend on your carrier and target phones.

If you can't make TLS work and you need to roll your own, use Diffie-Hellman key exchange and established crypto library (Legion of the Bouncy Castle have a jightweight implementation that is J2ME compliant.)

Answered by: Anna726 | Posted: 01-03-2022

Similar questions

Searching for a pre-proxy that supports PAC scripts and basic authentication written in JAVA

I'm searching for a proxy server that I can start/stop within Java Code and (in best case) is written in Java. The proxy server must have support for PAC (Proxy-Auto-Config) scripts and should be able to inject username/password to request header for basic authentication. This proxy server should serve as a pre-proxy. Other programs can then use this proxy instead of the PAC script. I found

java - How does the SQL Server JDBC Trusted Connection Authentication work?

How does the SQL Server JDBC Trusted Connection Authentication work? (ie how does the trusted connection authenticate the logged in AD user in such a transparent and elegant fashion and how can I implement a similar authentication solution for my client-server applications in Java without a database connection or any use of the existing SQL Server solution.) Assumptions * Working within a Windows 2003 domain * You ...

Secure Java SOAP web service - Active Directory authentication Trust

I want to build a secure web-service betweeen a Java producer and a Java consumer. I want to authenticate using Active Directory using the domain accounts that the producer and consumer are running under. Could you give me an example of this? (ie: AD trusted automated alternative to manual keystores.)

java - JAX-WS authentication against a database

I'm implementing a JAX-WS webservice that will be consumed by external Java and PHP clients. The clients have to authenticate with a username and password stored in a database per client. What authentication mechanism is best to use to make sure that misc clients can use it?

authentication - Authenticating against Active Directory with Java on Linux

I have a simple task of authenticating against Active Directory using Java. Just verifying credentials and nothing else. Let's say my domain is "", OU path is unknown, and username/password is testu/testp. I know there's a few Java libraries out there that simplify this task, but I wasn't successful at implementing them. Most examples that I've found addressed LDAP in general, not specifically Active Di...

security - Java EE Authentication Error Handling

We are currently trying to implement a web application which is using the Java EE authentication mechanism with a FORM-based login, inside the Websphere 6.1 web container. If the authentication is successful, we have everything working; the LDAP membership groups are being retrieved, the group to role mapping is being performed, and the roles are being returned to and correctly interpreted by the web application. ...

authentication - How to throttle login attemps in Java webapp?

I want to implement an efficient mechanism to throttle login attemps in my Java web application, to prevent brute-force attacks on user accounts. Jeff explained the why, but not the how. Simon Willison showed an implementation in Python for Djang...

java - Specify authentication in container rather than web.xml

We distribute our web-application to our customers as a .war file. That way, the user can just deploy the war to their container and they're good to go. The problem is that some of our customers would like authentication, and use the username as a parameter to certain operations within the application. I know how to configure this using web.xml, but that would mean we either have to tell our customers ...

java - ACEGI Authentication available in tomcat 404 error handler

I'm using spring and acegi in a webapp that's deployed in tomcat 5.5.26. I want to see if the user is logged in on the 404 page, so that we can show their name if they're logged in, and a login link otherwise. I have the HttpSessionContextIntegrationFilter, in the filters on the REQUEST dispatcher. I also have it in the ERROR dispatcher. The code path appears that the request goes into my app, throu...

authentication - How to authenticate against native OS in Java and without using JNI?

My Java RCP application prompts the user for username and password upon start-up. How could I use these credentials to do authentication against the native OS without using JNI to port some C libraries? Thanks! PS. If possible, pure Java implementation without using third-party libraries will be very much preferable.

smartcard - Common Access Card (CAC) Authentication Using Java

I'm bascially looking for someplace to start learning how to interface with a government CAC card using java. Ultimately, my goal is to find out how to use CAC card authentication (by PIN number) to authorize access to a website hosted using a Tomcat/J2EE server. But I'll need somewhere to start. So I figure I'd start by writing a small java program to simply read the CAC card information f...

Still can't find your answer? Check out these amazing Java communities for help...

Java Reddit Community | Java Help Reddit Community | Java Community | Java Discord | Java Programmers (Facebook) | Java developers (Facebook)