Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
A
A
andrey19312017-10-12 11:48:16
Classmates
andrey1931, 2017-10-12 11:48:16

How can I protect myself from receiving tokens on behalf of my OK application by other mobile applications?

I have an android mobile app. In it, I get an OK token using the OK Android SDK. To get an OK token, I need to register app_id and app_public_key in my mobile application.
What will stop a person who will get the credentials from my application and start using it in his own?
For VK, FB and GOOGLE, the connection of the Oauth application with the fingerprint of the mobile application protects against this. But in Odnoklassniki, I don’t see anything like that.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
V
Vjacheslav Kanivetc, 2017-10-12
@andrey1931

What do you have in mind? OAUTH is an open protocol.
Client OAUTH only implies the transmission of a valid client_id, which is not secret and can be spoofed.
If you want to ensure that only you are authorized as your application, then use the server OAUTH https://apiok.ru/ext/oauth/server . But it requires signing with the application's secret key, which is easy to catch on the client. Therefore, this option is not built into ok-android-sdk; when used on clients, its security is illusory.
The second authorization option is SSO when the application is OK installed on the device. The signature of your application is not transferred there. But even if it were transmitted, how much could this information be trusted? And how convenient it would be to register new fingerprints for each update of the application, especially considering that there is no difficulty for an attacker application to issue one of the previously registered fingerprints of your application.
In general, the essence of the request is unclear
PS: But you can protect yourself - you are making an application where you run the server part of the authorization through the communication application <-> your server <-> server is ok, while not enabling client OAUTH authorization in your application.

Similar questions
I
inna00462014-12-06 12:52:00
How to find a page in classmates by phone number? 1Reply
C
Caprizca2016-12-05 08:43:55
How to get VALUABLE_ACCESS permission? 0Reply
E
Egor Loskutov2016-12-18 21:00:35
Why did a lot of securityError appear when uploading user profile pictures on the Odnoklassniki social network? 2Reply
R
rusbeldoor2019-05-25 10:07:12
How do I remove apps from My Downloads? 0Reply
S
Sergey2021-01-29 08:58:54
How to remove product photos in the Odnoklassniki API by deleting a product? 2Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question