0

So I'm all very new to Java and developing for Android, but I somehow managed to get a successful idToken when logging into my app via Google.

I read on the Android dev site that just ID's are not safe as a modified client could send a fake one and result in impersonation of another user, so I followed their steps to get the user's idToken.

Anyway, is this safe to send over a URL to my server at home? For example, like so (pretend the long string of random text is the idToken of the user):

http://130.155.122.8/api_test/h78e568e7g6589gjkdfhjghdjfkghjkdfhgjkdfhk7hg9867458g74598hg6745896gh49/command

Also, is the idToken even required? Could I just as easily use the user's email address to identify the user (again, it would be sent over an insecure URL, no HTTPS)?

Thanks!

Improve this question

2 Answers 2

Reset to default
1

You should use encryption, if someone gets the token from a user they can impersonate that user, in my case, since i can't aford ssl (for now) i encrypt the token using asymetric encryption, and i send it to the server, but ssl is the best way

Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

Hmm, the asymmetric encryption seems like a good solution for me. Thanks
Look at this, stackoverflow.com/questions/38938950/… , this is not the best way to do things but it will encrypt the user token, make sure you save the private key on a safe place
I'm actually running a Python server. Do you know how to encrypt with Java and decrypt with Python?
i not an expert on python, in java you can use the same code, python you can look at this stackoverflow.com/questions/30056762/… you need to find a way to use a .pem key on that exemple
thats a type of ssl right? we need shell access to install it or am i wrong?
1

Generally speaking - No.

A token that identifies you should never be transmitted over an insecure connection (e.g. http). Since on such connections no encryption is used, a third party can very easily monitor the connection and get your token (leading to the impersonation issue).

IANAE, but any security-relevant data (e.g. idToken or password) should only ever be transmitted over a secure (encrypted) connection (e.g. https).

And using the e-mail address does not solve the issue. You simply replaced one identifier for another one. And if anyone ever were to know a user's e-mail address, he could impersonate said user. Stick to the "documented" authentication techniques. If done right they should be safe.

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.