I am creating an Android application to interact with a web service. Is it fine if I transmit the server-side API credentials, which are used to authenticate to the web service, as plaintext?

The application has a search functionality and it uses username and password to generate an authentication token.

POST / HTTP/1.1
Accept: application/json
client_id:
client_secret:
Content-Type: application/json
Content-Length: 53
Host:
Connection: close
User-Agent: okhttp/3.7.0

{"Username":"XXXXXXXXXXXXXX", "password": "XXXXXXXXX" }
Mohammed Farhan
  • Possible duplicate of [Is encryption of passwords needed for an HTTPS website?](https://security.stackexchange.com/questions/133453/is-encryption-of-passwords-needed-for-an-https-website), [For an HTTPS web application, is it worthwhile to encrypt the password before POSTing it, to keep a MITM attacker from harvesting it?](https://security.stackexchange.com/questions/66475/for-an-https-web-application-is-it-worthwhile-to-encrypt-the-password-before-po/66476). – Steffen Ullrich Nov 23 '17 at 13:04
  • I have checked the question; here the scenario is different. The user is not entering the credentials. It is like sending a request for a database connection. – Mohammed Farhan Nov 23 '17 at 14:21
  • It is not relevant if the password was entered by the user or is coded inside the application. It only matters that the password is sent inside a TLS connection which protects it. – Steffen Ullrich Nov 23 '17 at 15:10

1 Answer

Once you have established a connection over SSL/TLS, you can send secrets over that channel - that's the point of SSL/TLS.

However....

It looks like you are using OAuth, with the "Resource Owner Password Credentials" flow. If you do this, there are a few things to consider.

There are several flows, and this particular flow expects the highest amount of trust from the end user. If possible, you should consider one of the other three flows.

It's better not to ask the user to send their password to your own server, or to ask the user to enter their credentials in a screen belonging to your app.

The web service you use should provide a login screen to use for OAuth authorization. You should redirect the user to that login screen, and let the web service handle the login process. It should then provide you with the token needed to complete authorization.

S.L. Barth
  • Considering the fact that the user is using a search feature and the search API requires authentication from the application side, not the user side, is it okay to send it as plain text? – Mohammed Farhan Nov 23 '17 at 14:28
  • @MohammedFarhan Technically, once you sent them over SSL/TLS, you're not sending them as plaintext. SSL/TLS encrypts them for you. So you can send the credentials that the user gave you. But, if you have the time, check if you can use the Authorization Code grant instead of Resource Owner Password Credentials grant. – S.L. Barth Nov 23 '17 at 14:32
  • An attacker can intercept using a proxy application to get the credentials thus allowing him to reuse the api. – Mohammed Farhan Nov 23 '17 at 14:37
  • @MohammedFarhan That is a Man-In-The-Middle (MITM) attack. SSL/TLS protects against this using certificates. This attack _is_ possible, but requires the end user to install the attacker's certificate. – S.L. Barth Nov 23 '17 at 14:40
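The answer above recommends the Authorization Code grant over Resource Owner Password Credentials. The following is an added example, not code from the answer's author or from any project mentioned on this page, that simulates both sides of that grant offline. It goes slightly beyond the answer by adding PKCE (RFC 7636), which is the usual way a mobile app, a public client that cannot keep a `client_secret`, proves to the token endpoint that it is the same party that started the flow. The endpoints, client id and redirect URI are hypothetical placeholders, and the `AuthorizationServer` class is a toy stand-in for the web service's own login page and token endpoint; the point is that the app never handles the user's password and ships no shared secret, yet an intercepted authorization code alone cannot be redeemed.

```python
"""Authorization Code grant with PKCE, simulated end to end (constructed example)."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical values; replace with the web service's real endpoints and your registered client.
AUTHORIZE_ENDPOINT = "https://auth.example.test/authorize"
TOKEN_ENDPOINT = "https://auth.example.test/token"
CLIENT_ID = "android-search-app"                  # public client: no client_secret at all
REDIRECT_URI = "com.example.app:/oauth2redirect"  # app link the browser returns to


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Fresh per-flow verifier (kept in the app) and its S256 challenge (sent to the server)."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(challenge: str, state: str) -> str:
    """URL the app opens in the system browser; the user logs in there, not in the app."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "search",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


class AuthorizationServer:
    """Toy authorization server: issues single-use codes bound to a PKCE challenge."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, authorize_url: str, user_logged_in: bool) -> str:
        """Login page side: after the user authenticates, redirect back with a code."""
        q = {k: v[0] for k, v in parse_qs(urlparse(authorize_url).query).items()}
        if not user_logged_in:
            raise PermissionError("user did not authenticate")
        if q.get("code_challenge_method") != "S256":
            raise ValueError("S256 PKCE is required for public clients")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"])
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form: dict) -> dict:
        """Token endpoint: the code is consumed once and SHA-256(verifier) must match."""
        entry = self._codes.pop(form.get("code"), None)
        if entry is None:
            raise PermissionError("unknown or already used code")
        client_id, redirect_uri, challenge = entry
        if form.get("client_id") != client_id or form.get("redirect_uri") != redirect_uri:
            raise PermissionError("client_id/redirect_uri mismatch")
        expected = b64url(hashlib.sha256(form.get("code_verifier", "").encode("ascii")).digest())
        if not secrets.compare_digest(expected, challenge):
            raise PermissionError("PKCE verification failed")
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}


def run_flow(server: AuthorizationServer, user_logged_in: bool = True) -> dict:
    """What the Android app does: no password, no client_secret, just code + verifier."""
    verifier, challenge = make_pkce_pair()
    state = b64url(secrets.token_bytes(16))
    redirect = server.authorize(build_authorize_url(challenge, state), user_logged_in)
    rq = {k: v[0] for k, v in parse_qs(urlparse(redirect).query).items()}
    if not secrets.compare_digest(rq["state"], state):
        raise PermissionError("state mismatch (possible CSRF)")
    return server.token({
        "grant_type": "authorization_code",
        "code": rq["code"],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    })


if __name__ == "__main__":
    print(run_flow(AuthorizationServer()))
```

On a real device the browser step is a Custom Tab or the system browser rather than `AuthorizationServer.authorize`, and the token request is an ordinary HTTPS POST; TLS still protects the exchange in transit, as the answer says, but with this grant a token stolen from the app is all an attacker gets, not the user's password or a server-side API secret.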