Regarding privacy policy for Windows 8 app

I don't have any personal website or URL to specify in my app for the privacy policy. Is there any alternative way for me to specify it?

Not really; maybe you can create a Blogger page or something, but you do need a webpage to define your privacy policy.

Tim Heuer has a good article on using Azure Websites to create a free marketing website with a privacy policy. Check it out at Using Azure Web Sites to market your Windows App.

The blog post Common Windows Store certification errors: 4.1 Your app must comply with privacy requirements discusses the privacy policy requirement. It gives tips on how to turn off the Internet capability if you're not using network functionality so you won't need a privacy policy, what to include in the privacy policy, some free sites where you can create a blog to host your privacy policy (WordPress or Blogger), and where you need to provide the privacy policy in your app.

Related

Google OAuth client Id - Whitelisting

Requesting guidance on how to get the OAuth Client ID whitelisted, so that OAuth works in embedded browsers.
My Client ID is: 665249451488-84nosliqrc80hpe0ot1vperj1eb8gbfk.apps.googleusercontent.com
Any email address / contact details for whitelisting will be helpful.
Similar question: iOS captive portal Google OAuth disallowed agent - Angular app
'disallowed_useragent' error on captive portal
Thanks in advance
Google OAuth does not work on embedded browsers because this is known to be insecure. See https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html and https://security.googleblog.com/2019/04/better-protection-against-man-in-middle.html. On iOS, you should use SFSafariViewController instead of relying on embedded web views.
As explained on the other question, if the issue your users are running into is a captive portal, this is the recommended way to continue to use Google Sign In: https://support.google.com/accounts/answer/9690282?hl=en.

Is AWS Amplify insecure?

I've been given the task of implementing a user Sign In / Sign Up flow in a React Native app. There is nothing too fancy about this app in particular. The usual Sign In, Sign Up (with SMS verification) and Password Reset screens suffice. So I went looking for identity providers. Auth0 and AWS Cognito were the most suitable finds. Auth0 was considered too expensive by my managers, so we discarded it. Which left me with the Cognito option.
According to the docs, it is possible to completely replace the default UI (which is something that pleases the UI/UX team) while still using the underlying infrastructure. One thing that concerns our team very much is security. According to this and this, authorization requests should only be made through external agents (mobile user browsers). So I went digging into aws-amplify's source code and found that ultimately what it does (and correct me if I'm wrong here, please) is just a simple API request to the AWS auth endpoints passing my ClientId and other attributes.
This got me a little worried about the security of the interactions with AWS. As AWS endpoints are secure, I know a MITM attack is ruled out.
But what keeps an attacker from decompiling my mobile app, getting access to the ClientId and making direct requests to AWS? Is AWS Amplify really that insecure, or am I missing something here?
There are many attacks that are possible, but at a high level three stand out:
Credential compromise
Social engineering
DoS
Credential compromise
Your account credentials should not be exposed. STS credentials are time limited and need you to specifically grant permissions to the pool to access AWS services:
https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html
You need to grant least privilege; follow the approach outlined here:
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege
Social engineering attack
I guess an exposed ClientId from a decompiled source could be used, but it would need to be combined with other user data, so as a general rule lock down everything that links to your account that could be combined with the ClientId in a social attack.
DoS
AWS provides what it calls "Advanced Security" in pools:
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
This should be required when building Cognito apps; it's comprehensive.
Security threats constantly evolve; AWS do a good job, and there are security advantages in using:
CloudFront
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/security.html
CloudTrail
https://aws.amazon.com/cloudtrail/
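To make the least-privilege point above concrete: the ClientId is a public value, so what a caller can do with the time-limited STS credentials is decided entirely by the IAM permissions policy attached to the identity pool's authenticated role. The following policy is an added example written for this page, not code from the question, the answer or AWS Amplify; the bucket name is a placeholder, and `${cognito-identity.amazonaws.com:sub}` is the IAM policy variable that expands to the calling identity's own ID, so each user can only read, write, list and delete under their own prefix.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ObjectsUnderOwnPrefixOnly",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-APP-BUCKET/private/${cognito-identity.amazonaws.com:sub}/*"
    },
    {
      "Sid": "ListOwnPrefixOnly",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::EXAMPLE-APP-BUCKET",
      "Condition": {
        "StringLike": {
          "s3:prefix": "private/${cognito-identity.amazonaws.com:sub}/*"
        }
      }
    }
  ]
}
```

The role's trust policy should also restrict `sts:AssumeRoleWithWebIdentity` to your pool (condition `cognito-identity.amazonaws.com:aud` equal to the identity pool ID) and, for the authenticated role, to `cognito-identity.amazonaws.com:amr` containing `authenticated`, so that a token minted for another pool cannot assume it. With that in place, a decompiled ClientId lets an attacker sign up as a user and act only within that user's own prefix, which is the same thing the legitimate app allows.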

Google drive oauth api without having to have the user create an app in the Console?

Google Drive API question:
I am writing an application that can view a user's Google Drive files and folders from their Google account (can be individual or part of an enterprise).
So on my Google Drive enterprise, I have created an API application. So I have an API key and secret key stored in my application.
Now I want to use OAuth to authenticate the user so that they can approve my application to read their files. The users will not be part of my enterprise. They can be individual Google accounts, or they can be a single user from some other enterprise account.
Is this possible? Or are there technical/security reasons this is not allowed?
I just got off the phone with a wonderful Google API support agent, and I have my answer:
Yes, this is possible to do. However, due to the recent phishing attack, Google has put in place new security features that affect the following APIs:
Google Drive
Gmail
Contacts
Directory Admin SDK
Here are the new rules:
There is a new security form we will need to fill out and be approved before we will be able to be approved as a trusted app that is able to access these APIs using OAuth2 authentication.
Google has provided a feature that many enterprises use that allows an enterprise to completely disable the ability to access these APIs using OAuth2. So even though we have been approved in step 1, we may still get an error for some enterprises who have directly blocked this; however, they can whitelist us in order to allow it from our enterprise if admins prefer, while still blocking general use for others.
See links:
https://support.google.com/a/answer/7281227
https://developers.google.com/drive/v3/web/about-auth
https://developers.google.com/identity/protocols/OAuth2
https://www.reddit.com/r/google/comments/692cr4/new_google_docs_phishing_scam_almost_undetectable/

OKTA On-Prem Provisioning with SCIM Servers

I have the free developer edition. I want to provision users to my web site using SCIM. The docs say look under "dashboard/agents". I have no agents tab under dashboards.
https://support.okta.com/articles/Knowledge_Article/46749316-On-Premises-Provisioning-Deployment-Guide?id=kA0F0000000AY3C&q=scim&l=en_US&fs=Search&pn=1#code
Also for behind a firewall the document says download the "On-Prem Provisioning Agent". I have not been able to find that under "setting/downloads" or anywhere else. Where do I find that?
You will need to contact Okta Support or your Okta Sales contact to enable the On-Premises Provisioning feature.

Privacy policy to be hosted for Windows 8 application

I want to host the privacy policy created for my Windows 8 Metro application over the internet. Is there any way in which I can host an HTML file containing this information for free?
Tim Heuer has an article on using Azure Websites to create a free marketing website for your app which could include a privacy policy; it's available at Using Azure Web Sites to market your Windows App.