I am planning pin making an ftp client, however how in my code in objective-c for my mac application can I keep my username and password safe? They will be in the code, so how can they be kept safe?
Whats an alternative solution? My app will automatically without the user having to enter any credentials allow them to download form my ftp server.
Any help much appreciated, thanks.
You can use the Keychain to keep such things safe. You can read about it here...
About keychain stuff
You'll also find a fair few keychain topics on this site.
Related
I have a Dropbox account.
I would like to use it, so that an android app can upload photos to my Dropbox account, without the user of the app having to know my credentials to log in.
Is that possible ?
Is there a programmatic way, that I can get my app to do this, without the user of the app having to know my dropbox password ?
EDIT: I don't understand why this is down voted. If there are multiple posts asking how to do this, by different users, and it is with regard to finding a programmatic why to log in, then it is relevant and shouldn't be down voted.
Refer to this thread on dropbox forums which says that they did not include the file requests feature in their apis so its not possible through apis.
Since the native api does not support this feature you can redirect your user from your app to dropbox app to create file requests.
I've recently been doing a bit of web development so I've been thinking more about authentication and stuff. On Netflix I noticed there is an extra option on the Account page to de-authorize other devices. My girlfriend changed her password but I was still able to use it without re-entering the password till she logged out other devices.
So my question is how does authentication for Netflix work if it doesn't have to locally store your password?
Netflix uses a version of Open autentication to allow a device to access an account. Once the device has been authorized it will then have access to that account until its has been deautorized.
Chaning password doesnt matter becouse the device has autorization already probably in the form of a refresh token stored someplace. So its not storing a password its storing an autorization token of some kind.
Lets use facebook as an example: (response to comment below)
https://www.facebook.com/settings?tab=applications
This shows a list of all the crap I have loged in to using my facebook account. Now I have probably changed my facebook password sevral times it wont matter I will still have access. Some of these are mobil apps i have installed on my cellphone at one time or another. Even if i dont use them they still have access.
This doesn't technically answer the question, but is related and, I think, helpful:
You can forcefully invalidate the previously-validated tokens for other devices by going to https://www.netflix.com/ManageDevices - as soon as you go to the page it will ask if you want to sign out other devices.
(from "Someone is using my Netflix account without my permission" at https://help.netflix.com/en/node/18)
I'm working on an application which should import all e-mails from a user's e-mail-account and store them in its own database for further use. The collection of all the e-mails should be done in a background job (via Delayed Job or similar).
To achieve this I'll need to store the user's email-password somewhere in my application. As this is going to be an internal application trusting my app won't be the problem.
I am looking for a best practice on how and where to store these e-mail passwords as securely as it gets.
Encrypting the e-mail password with the user's login password to my app is not an option, because I have to run the job in the background.
Any advice on this? Thanks in advance.
Env: Rails 3.2 with MongoDB
I solved it by using the attr_encrypted Gem. Be sure to use the encoding: true option when using MongoId.
As the key for the encryption I use my application's secret token. I think that's secure enough for my purpose.
Thanks to this answer: https://stackoverflow.com/a/6686132/1437361
I am making a mobile application where users can connect their twitter accounts to the app. I am just kinda curious what's the best way to do it.
Right now, I would love to be able to make my own custom page (without having to use a UIWebView).
Is this possible? If how, so?
Thanks.
As I understand, you don't want the user to be redirected to Twitter's OAuth authorization web page. You can use xAuth instead, but you have to send Twitter an email why you want this, and they won't allow xAuth for your app until it is in a very late development state (when your app is almost complete). You can find the manual for xAuth in the Twitter development documentation.
Basically, what xAuth does is it allows desktop and mobile applications to skip the request_token and authorize steps and jump right to the access_token step. This way, you can provide the user with custom fields (e.g. UITextField objects) to fill their username and password in. Just make sure you don't save them anywhere, only the access token. Good luck. :)
A quick web search reveals MGTwitterEngine
GMail can used as a SMTP server. I've written the code that does it. But as we all know GMail may occasionally authenticate using captcha (image verification as they call it). The same thing may be the cause to reject SMTP authentication.
As I've seen google shows image verification when you try to log-in for the first time from some machine. All consecutive log-ins from the same machine (to the same account) use regular login. I'm a bit afraid this captcha may also come up again for some other reasons that I can't control.
So. Is it possible to still authenticate when special measures are needed? And how?
I should also mention that logging in from the machine via web browser also enables programmatic SMTP authentication.
Try:
http://www.google.com/accounts/DisplayUnlockCaptcha
Or for Google Apps for your domain:
https://www.google.com/a/yourdomain.com/UnlockCaptcha
I can bet it's an IP based solution, so if your app if deployed somewhere else, It doesn't help.
Google doesn't seem to be particularly clear about what prompts them to block a user's account until he has successfully entered a captcha phrase. However, it's likely that this is a mechanism which is triggered when Google sees what it considers to be unusual or suspicious activity associated with your account. As a result, I would expect it to be unlikely that they will supply an option to opt out of a mechanism which is protecting both them and you, although others are welcome to find evidence to the contrary.
Various discussions of when and how this happens throw up some suggestions which you might like to try to see if they help, such as choosing a stronger password or simply changing your password. Good luck!
IMHO The right way to do this, without implementing the user consent workflow or "hacking your account's security settings", is obtaining a refresh token with the Google OAuth2.0 Playground for Offline Access. After that, you can authenticate using the OAuth 2.0 API.
I got it working after reading Nodemailer/Gmail - What exactly is a refresh token and how do I get one?