We are considering using Titanium to develop for Android and iPhone version of an application originally made for Blackberry. However, we want the authenticate the device and not through the traditional method (username + password). In the case of Blackberry, we use Blackberry PIN to authenticate devices against a database of a web service. We think using the IMEI of the device, but do not know how safe it is.
Does anyone know a way to authenticate a device using a similar method? Is it possible to extract the IMEI of a team using Titanium?
There are standard calls that allow us to authenticate by MEID on handset, (PlatformMgr.getPlatform().getDeviceId() comes to mind for android). You can get this and encrypt it with AES 128-bit encryption (IcryptoManager package) and use it for authentication.
I dont remember off the top of my head for iphone but I am sure something similar exists there too.
Related
I created a Webauthn authentication for my website.
Now I'm trying to create a good interface for the best user experience. My users are not techies.
I'm interested in the fingerprint authentication as option. The webauthn via Yubico 2 or Google Titan keys is very rare in my users. When the users log in with email and password, I want to show a message like "Do you want to register your fingerprint for your next access? [Register now]".
I would like to show the message to the right users.
So, how to decide in which cases show the message?
According to https://caniuse.com/#search=PublicKeyCredential,
first of all I can use a test like this:
var support_webauthn = (typeof window['PublicKeyCredential'] !== "undefined")
This test determine if the browser supports the public keys authentication, but also passing the test I don't know if the hardware has a fingerprint sensor.
I know that the Android devices allows the Webauthn fingerprint authentication (instead of iPhone, for example). So, in addition of this I can check if the OS is Android
isAndroid = /android/i.test(navigator.userAgent);
But in this case I cannot show the message to the users with another supported device - e.g. with a Macbook pro (with the fingerprint sensor working).
How can I approach the issue?
Short answer: WebAuthn will not allow you to perform such operations like probing whether Authenticator has fingerprint sensor or not in advance before credential creations.
But What you can do using PublicKeyCredential that allows you to detect if the user has built-in authenticator such as Windows Hello, TouchID, Android device with a fingerprint sensor (even without a fingerprint sensor, screen lock can provide equivalent user verification functionality) using the PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable. So this function returns a Boolean value and you can check it using JavaScript if users have built-in authenticator, if so processed and you will be able to register a user using the fingerprint sensor or screen lock or else don't prompt the user that's so simple. I personally never looked at the android but in general, this is useful to detect built-in authenticators.
Update as of chrome version 77 you can make use of extensions which is provided by PublicKeyCredentialCreationOptions.extensions object which is an optional and developers can make use of it by specifying during creation credentials extensions object and set UVM boolean to true.
extensions : {
uvi: true,
uvm: true
},
After credential creations, the client outputs an array of arrays with 3 values containing information about how the user was verified (e.g. fingerprint, pin, pattern) and other information. But Keep in mind in the advance developer cannot probe if a device has a fingerprint sensor or not. Please have a look at developer.mozilla.org for further explanation.
However, to play around webAuthn using android sample project can be found here:
https://fidoalliance.org/developer-tutorial-webauthn-web-fido2-android/
https://codelabs.developers.google.com/codelabs/webauthn-reauth/#0
Currently using build.phonegap.com and parse.com to enable push notifications across two platforms (Android and iOS).
Using the PhoneGap PushPlugin and parse.com REST API I'm able to register an Android device and send the details to parse successfully.
Although I have problems and questions regarding sending the "Pushes".
1.1) When registering an "installation" (https://parse.com/docs/rest#installations-uploading) I'm dynamically creating a random UUID installationId. Is this correct? Or does parse.com have to do this?
1.2) For Android I'm registering pushType for GCM, as I'm not using the Android SDK. Which leads me to question 2.
2) When I setup my Android app settings for push, I'm given a server API Key... parse.com has a keys section, but only for Windows and iOS... does this mean they can't send push using GCM for Android? Even though you can select this when uploading an installation?
The short question. Is it possible to use just the parse.com REST API to register Android devices to send push via GCM (Androids native push service)? Apple devices are working using this method to register them and send notifications.
To answer your short question: Is it possible to use just the parse.com REST API to register Android devices to send push via GCM (Androids native push service)?
Yes
I did not have to set installationId and I set pushType to "gcm".
In Parse settings, there is a section "GCM Push Credentials" where you enter "Sender ID" and "API Key". You get both of these from Google. When you create the Parse Installation, you also have to set GCMSenderId to the same thing as "Sender ID".
Note: I'm using the cordova push notification plugin and had to make some changes to PushPlugin.java to get background push notifications to work with the way Parse sends them. That's another topic though.
If this helps anyone - I moved over to using PushWoosh with a PhoneGap Build plugin - very simple and integrates in minutes. PushWoosh also has easy integration with Apple to setup and generate certificates (which is great when working on a PC).
https://build.phonegap.com/plugins/1297
I'm creating a web application for mobile devices that will be downloaded in one of the markets with a mini web server and run on any OS ( iOS , android , Windows8 , etc. ) .
I want an application to be as independent as possible of the OS. I only wanted to use HTML5 and JavaScript .
The application allows a user to make a number of orders just by clicking buttons. Example : [List contacts ]
I need to click [List contacts ] and is sent a text message automatically to other mobile device with an android application that receives the request and sends the response via sms . The response has to be read by my web application . The application can be able to work without network / Wifi .
I've been searching and I only found ways to open the native application for sending sms.
I see that question, but I want to create my own way to send sms without dependencies of other applications.
Is there any way to make this submission automatically?
Or can I use/create some plugin to use on JavaScript to do that?
[EDIT] Can this might be a possibility? Can someone explain me?
I believe the essential information was already mentioned in the comments, but my 2c here anyway.
As already commented, with current modern mobile operating systems apps don't get unlimited access to SMS functionality. From the user point of view allowing this would be potentially quite a hazard, since SMS's usually cost money and user should be in control of such activity, instead of having a random app sending and receiving SMS's freely (without user knowing it). Android is a bit more flexible regarding this kind of functionality, but as mentioned, iOS and also Windows 8/Windows Phone 8 only allows you to integrate to the SMS sending application and for SMS reception, there's no proper way to get access to incoming SMS's.
So, with a native container (such as PhoneGap) you could get one step forward with Android, but for other platforms the possibilities are limited to using the native SMS application. If you need to use SMS for some reason in the backend side, services such as Twilio are probably your best shot, but using SMS locally on the device is pretty much a no-go, unfortunately.
Is there a Javascript framework that allowed to access to user's phonebook contacts?
There is no such API developed but you can use PhoneGap. This helps you fetch phone contacts.
As a convention, browsers do not have permission to work with native device APIs due to security issues.
To achieve it, you have to use middle-platform such as Phonegap.
http://phonegap.com/
I am developing a PhoneGap application and require my users to sign in through Google with OAuth2. Is this possible directly through JavaScript? I have almost no experience with JavaScript (and jQuery).
What are the options? I have thought of a cumbersome alternative which involves posting the username/password to an application I have hosted on a server which then takes care of logging in. Then the PhoneGap app will have to ask the server if the authentication was successful. However, I was hoping there would be a simpler way.
What is the best way signing in through Google on a PhoneGap app?
I have managed to get it working! I'm posting my thoughts here because I had a hard time finding the answer after hours of searching the web.
The important steps are:
Make sure ChildBrowser works properly
Setup a function that will listen to page changes
window.plugins.childBrowser.onLocationChange = function(fooUrl) { console.log(fooUrl); }
Build the URL with the query string as described in this tutorial
Point ChildBrowser to the URL
When the user logs in, you will be able to extract the session token from fooUrl
If you still don't know how to do this, have a look at this Android app.
(There is a lot of code, and it might seem overwhelming, so I suggest only going for this as a last resort)
Google will not allow you to perform direct authentication by handling the user credentials directly. Instead Google wants you to perform an authentication protocol, typically OAuth 2.0. Other popular authentication protocols you may hear about is OpenID 1.0, 2.0, OpenID Connect, SAML 2.0, ID-FF, etc. These protocols will redirect the user to the Identity Provider (Google, in this case), and send you back with an assertion that you may use to trust the user. With APIs, like Google, you would make use of the authorization functionality of OAuth, which provides you with a token that you may use with all Google APIs after authentication.
A good introduction to how OAuth 2.0 works
With PhoneGap and mobile apps, things are a bit different than the typical OAuth setup.
In your case, the browser is in a controlled environment, your app, and you may
select to redirect the user to Google Authorization endpoint using the main view,
select to open a ChildBrowser with the Google Authorization endpoint, to not lose any state on your app.
to somehow open Safari or another browser with the authorization endpoint, and register a custom schema handler, to redirect the user back to your app after authentication.
These examples are vaguely mentioned in the OAuth 2.0 specifications, but there are no aid in what is the best or optimal in a specific use case. Often the best possible option is not perfect (from a user perspective).
I recently wrote a tutorial on how to make this work with Phonegap and ChildBrowser for iOS.
OAuth 2.0 Guide for Phonegap using ChildBrowser and JSO