11

I developed an android application that request to a REST service for do actions!

My questions are:

  1. If anyone trace the requests and responses, Can he get the token from headers?
  2. Where should I store token in android client?
  3. If I store token in somewhere like SharedPreferences and user access that He can send fake request to server! For example I have controller for submitting score like this : "http://domain.com/api/score/add" and user can make a request with token in header and post a number for score and easily submit scores for himself!
Michal Koczwara
  • 1,580
  • 3
  • 15
  • 27
0xSamman
  • 213
  • 1
  • 2
  • 7

1 Answers1

12

If anyone trace the requests and responses, Can he get the token from headers?

If an attacker is in a suitable position to perform a MitM (Man in the Middle) attack and is able to intercept and view the requests, then yes, they can get the token from headers. To prevent this, make sure that the REST service in use is using SSL/TLS. This will prevent MitM and replay attacks. The REST service must also make sure that these tokens are properly invalidated on the server-side once the user logs out and there should be a hard session time-out associated with these tokens.

Where should I store token in android client?

You can store them in your application's SharedPreferences. Read this answer for more details on it.

If I store token in somewhere like SharedPreferences and user access that He can send fake request to server!

Yes, a user can do that with their own session token. That's exactly what the token is used for. As far as accessing a limited controller is concerned, it is the responsibility of the service to make sure that the access control is proper on the server side and that user is only allowed to perform controlled requests to a particular endpoint.

The problem is, if an attacker gets hold of your valid session token, they'll be able to impersonate you on the application. But you've just made their task difficult by using SSL/TLS everywhere and by ensuring that application does not leak the session token in any way (for example, in the request URLs).

Rahil Arora
  • 4,307
  • 2
  • 23
  • 41
  • "made their task difficult ",So if I use SSL and send my request in HTTPS, attaker can see my api URLs, parametrs or header finally? – 0xSamman Apr 25 '15 at 15:40
  • No. But these URLs might end up in application logs, browser history, etc. and that's why should not contain anything sensitive. See: http://security.stackexchange.com/a/29600/22401 – Rahil Arora Apr 25 '15 at 15:59
  • You mean if I use HTTPS and POST all parametrs it's secure, yes? So can I use a second parametr such a "actionsecretkey" to prevent user to submit score himself? – 0xSamman Apr 25 '15 at 16:11
  • That is an access control issue and there are different ways of doing it. You can simply make a server-side check to control that. – Rahil Arora Apr 25 '15 at 16:17