I am well aware of the security implications of this, so much so that I'm betting it doesn't exist, so before you call me crazy, that's why I'm asking.
I got really tired of having only my phone on me and installing a new app/whatever and finding myself needing to suddenly create a new application-specific password on the fly, and having to navigate Google's decidedly non-mobile-friendly security page to do that. I want to create an app of some kind that allows me to generate an application-specific password, whether by text or an Android app itself or something else. As I see it, there are two options here:
Use some Google Account Security API (if it exists) to create the application-specific password
Do scraping-type behavior (with proper credentials, of course) to automate its creation. I really don't want to do this.
Does anyone know (a) if this type of API exists, or (b) if there are any other ways to go about doing this? This app would be published on Github for self-hosting, obviously.
There is no official API to generate application-specific passwords.
I've solved this myself by doing a couple of things:
1) printing out the QR Code for the account that can be scanned by the Authenticator app in order to generate codes. I keep it secured in my desk. This allows me to reformat my phone without needing to turn two-step off each time.
2) use the browser sign-in for my Android device. When adding a Google account to an Android phone, just before the screen where you enter your username and password, click the menu button (or 3 dots on the screen if you have no menu button) and choose Browser sign-in. This allows you to login to an Android device with your username, real password and verification code rather than an application specific password.
This saves me from needing to generate application-specific passwords 95% of the time.
Jay
Related
I have some projects in my portfolio that require user sign up/sign in using auth0 jwt's. However, I heard that this could discourage a recruiter from looking at my projects since its just another barrier to viewing my projects, so a dev recommended a url that automatically signs in the user into a demo profile by clicking on it. Is it possible to do this?
I tried doing the simple https://username:password#url.com but no luck. I also saw that it is bad practice to pass information through the url, is this the same case with passing a jwt through the url?
Apologies for the general nature of this question. Hoping this doesn't get shot down as "too broad", but oh well, here goes:
I'm writing a React Native app that is purely informational (medical information), with a Rails API for the back-end.
The first main question I have is whether its necessary (or a good idea) to use authentication at all. We don't want the user to have to enter any information to use it (username, password, etc). They should just be able to download the app and jump right in to use it and read the information it provides.
However, I'm thinking that I would at least want the API to only respond to someone hitting it from within the React Native app (or not? Is it considered a normal practice to have an API completely exposed in the case of an app like this which is purely information and doesn't have users, like a website?)
Second - at some point we may want to be able to store some simple preferences for that user (I.E., are they a patient or a doctor, so we can tailor the materials based on that / send them to a different home screen when the open the app). Wondering what strategy someone might use to store simple preferences if the user doesn't ever create an account?
I would at least want the API to only respond to someone hitting it
from within the React Native app.
This probably can't be done, as in a mobile app everyone has access to your client secret and can try to reverse engineer your code.
You could make it more difficult by sending a dynamically generated token to your API on the request, for example, a hash based on a time frame, and check if the hash was sent the correct way. Then, you'd have to obfuscate the code in order to make it difficult for someone to reverse engineer it.
Second - at some point we may want to be able to store some simple
preferences for that user (I.E., are they a patient or a doctor, so we
can tailor the materials based on that / send them to a different home
screen when the open the app). Wondering what strategy someone might
use to store simple preferences if the user doesn't ever create an
account?
If you use a Parse Server instance as your backend, you could benefit from the anonymous user functionality. As you're using a Rails API, you could generate a uuid for each installation of the app and save the preferences on your database based on that uuid. If you don't need those preferences stored on your backend, just store any information you need on the device through any abstraction of AsyncStorage.
I really do not need authentication when it comes down to it - there are no users.
I could verify that the data is coming from my app based on a user agent or a hard coded password. SSL should help keep those secret.
But yeah, there would be nothing preventing someone from disassembling the app and getting that information. Great idea by #felipe-martim about generating a dynamic token.
I really just want to prevent basic abuse, and I could deal with that if it ever happened, or protect myself with something like Rack-attack.
And storing user preferences locally should work just fine for local preferences.
Bottom line is that I'll deal with this if I ever need to / the client budget allows for it!
Does anyone have experience using Selenium to automate testing of a webapp that uses Facebook Connect for user login? Any tips or methods that you recommend?
Depends what you want to do?
Will you be using a real-real Facebook User (which is phone verified by Facebook)?
Safest and most reliable ,but very difficult (impossible) to gather "real" users (phone verified by FB).
In terms of defining aspects of the user/connections details, like education history, work history, name, age etc(specially if you do not have access to all the "real" facebook accounts).
Fake facebook users created for testing the app (not verified by Fb)?
Probably the easiest to setup, as all are fake users, no Phone verification(with FB) required.
But email ids for all users would need to be created.
Even though the connection info can be tailored to your liking. One of the main drawbacks(and it has happened to me), is if Fb detects the user is not legit, FB would freeze all accounts. Which would make all your Fb user specific automated tests all useless in the blink of an eye. And there is not much you can do(Unless you plan to get a brand new phone connection to verify those accounts, no google number, no skype, no ip based phones allowed. FB is very strict with that). Also one number can authorize only 1 account.
Will you be using the Facebook APIs to create Fb test users?
Probably the ideal way (according to FB)to use Facebook connect to test your app. click here for documentation on how to use it.
It may seem straight forward, but it has its downfalls(major ones). Very un-relaible, the API returns an error 10-20% of the time, and extremly slow the other times. No way to retrieve the password of a FB test user if misplaced once. Connection info cannot be easily customized. A fair amount of effort required to set it up something without being sure it work each time.
I have personally opted for the second option. Facebook detects the legitimacy of the user (I guess) based on parallel logins across multiple ips. I have selenium RCs running across various servers, which run these tests in parallel, which could have possibly raised a red flag. So i just schedule these scripts in a more organized manner, so as to avoid login overlaps.
I hope in this long explanation you find your answer. :)
For the perl implementation -
$sel->start();
$sel->open_ok("$URL");
$sel->set_speed("500");
$sel->click_ok("//img[\#alt='Facebook']",'User clicks on Facebook Login');
$sel->wait_for_pop_up_ok("", "30000",'Facebook Login Popup Loading');
$sel->select_pop_up("null");
$sel->type_ok("email", "email\#email.com",'User enters Facebook credentials - Username');
$sel->type_ok("pass", "password",'User enters Facebook credentials - Password');
$sel->key_press("pass", "\\13",'User returns Facebook Login credentials');
$sel->select_window("null");
Is there an API that we can use that displays the usual username field, password field, and remember checkbox? This dialog can be usually seen when connecting to a server via Finder or when Safari requests for proxy information.
I am currently implementing this via CFUserNotification API to save myself from creating a window, etc. but I have to specify the fields and checkbox and retrieve them. What would really save time is an API that will abstract developers from having to worry about it. Does such API exist?
I don't think so. Actually I don't have an idea why apple should deploy an api for such a small task.
That's only a NSSecureTextField and a NSTextField. There are plenty of classes that help you add a password properly to the keychain.
I want to make an application witch involves logging into google. It is basically a small application to always have your gmail with you without always having to go to the web browser and log in. Basically what I want to do is, when the person signs into their google account (or the page url changes) I want the webbrowser to refresh and go to a new point in the form and create an animation using a timer. I dont need help with the animation, I just need to know how to link it together with the person signing into google. And also, If it's possible I would like to have the person log in without the actual google web interface, but with 2 textboxes and a button. I am using Visual Studio 2008 and help with my application would be greatly appreciated!
One of the great things about GMail is that it gives you Pop3 access to the mailbox. Your application should be able to use Pop3 to login to the mailbox directly and not require the user to use the google web page (or any web page) at all.
This would be much more secure and fault tolerant than highjacking a browser session or scraping a web page for emails (as your application would break as soon as google updated the gmail app or the user changed their preferences).
You should be able to find numerous Pop3 tutorials, libraries and samples on the net (and most probably here on SO).
If you still insist to use the web browser control, you should investigate crafting your own HTTP-Post query to the page that takes the GMail login. Once you craft the correct message (including the user's username and password as the appropriate POST variables) you should be able to login directly.
Finally, you might want to have a look around on code.google.com as I'm certain this has been done before and you will most likely be able to find some sample code (whichever way you go).
Good Luck!