KBusc

Reputation: 663

How to implement Security/Authentication with WCF and Android. Please include examples

I have a Wcf web service and an android application that makes calls to the service methods. It is a requirement that some sort of authentication take place, preferably with a username/password combo. The data is not sensitive but I just need to make the service only accessible from the android application. Any help is greatly appreciated.

I have multiple methods very similar to this

<OperationContract()> _
<WebInvoke(Method:="GET", ResponseFormat:=WebMessageFormat.Json, BodyStyle:=WebMessageBodyStyle.WrappedResponse, UriTemplate:="endpoint?busUnit={busUnit}")> _
Function lstJobsSVC(busUnit As String) As List(Of JobsView)

Then I implement the method in the service as follows

Public Function lstJobsSVC(busUnit As String) As List(Of JobsView) Implements IService1.lstJobsSVC
    Dim entities As New RemoteTimeEntities()
    WebOperationContext.Current.OutgoingResponse.ContentType = "application/json; charset=utf-8"

    Return entities.lstJobs(busUnit).ToList
End Function

And then in android

// Build the request URL for the service method and open a GET connection
URL json = new URL("http://localhost/json/Service1.svc/" + "functions endpoint");
HttpURLConnection jc = (HttpURLConnection) json.openConnection();
// Read the single-line JSON body the WCF method returns
BufferedReader reader = new BufferedReader(new InputStreamReader(jc.getInputStream()));
String readLine = reader.readLine();
JSONObject jsonResponse = new JSONObject(readLine);
JSONArray jsonArray = jsonResponse.getJSONArray("get json array name");

Now all of this code works fine; I just do not understand how to implement authentication that will work between the two.

Upvotes: 0

Views: 1523

Answers (1)

DarkWanderer

Reputation: 8866

I assume you got the calls themselves working correctly. If so, the simplest (yet secure enough) method to authenticate clients would be:

  1. Client sends login and SHA-1 or SHA-256 hash of the password (do not use other hash algorithms until you know them better; the SHA-256 option is better).
  2. Server finds the corresponding password hash of that user and compares it with the value sent by the client. If the hash is the same, everything's fine.

This method requires an SSL connection to be fully secure (to protect against eavesdropping/replay attacks).

If you need to restrict the data to the Android app only, you need to encrypt the payload with an AES key known only to both the server and client applications. Use only CBC or CTR modes.

You can combine both methods if needed. But keep in mind that security is a very tough matter, and the approaches I've described are only "so good". Don't put confidential info in the app if you don't know exactly what you're doing.

Upvotes: 1
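One way to enforce the server-side check from step 2 of the answer inside the WCF service, as an added example that is not code from the question or the answer. It assumes the client sends its login and the hex SHA-256 of its password in two custom headers (X-Auth-User and X-Auth-Hash are assumed names) and that the stored hashes come from an in-memory table standing in for the database; as the answer says, it is only meaningful over HTTPS.

```vb
Imports System.Collections.Generic
Imports System.Net
Imports System.Security.Cryptography
Imports System.ServiceModel.Web
Imports System.Text

Public Module RequestAuthenticator
    ' Stand-in for the user table: login -> SHA-256(password) as lowercase hex.
    ' Constructed sample data; a real service reads this from its database.
    Private ReadOnly StoredHashes As New Dictionary(Of String, String) From {
        {"alice", Sha256Hex("correct horse battery staple")}
    }

    ' Hex SHA-256 digest, the same value the client is expected to send.
    Public Function Sha256Hex(input As String) As String
        Using sha As SHA256 = SHA256.Create()
            Dim digest As Byte() = sha.ComputeHash(Encoding.UTF8.GetBytes(input))
            Return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant()
        End Using
    End Function

    ' Compares every character regardless of where the first mismatch is, so
    ' response time does not reveal how much of the hash matched.
    Private Function FixedTimeEquals(a As String, b As String) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (AscW(a(i)) Xor AscW(b(i)))
        Next
        Return diff = 0
    End Function

    ' True when the presented login/hash pair matches a stored user.
    Public Function CredentialsValid(login As String, presentedHash As String) As Boolean
        If login Is Nothing OrElse presentedHash Is Nothing Then Return False
        Dim stored As String = Nothing
        If Not StoredHashes.TryGetValue(login, stored) Then Return False
        Return FixedTimeEquals(stored, presentedHash.ToLowerInvariant())
    End Function

    ' Call first in each OperationContract method: rejects the request with
    ' 401 before any data is built. Header names are an assumption.
    Public Sub RequireAuthenticatedCaller()
        Dim headers As WebHeaderCollection = WebOperationContext.Current.IncomingRequest.Headers
        If Not CredentialsValid(headers("X-Auth-User"), headers("X-Auth-Hash")) Then
            Throw New WebFaultException(HttpStatusCode.Unauthorized)
        End If
    End Sub
End Module
```

Call RequireAuthenticatedCaller() as the first line of lstJobsSVC; on the Android side the two headers are set with setRequestProperty on an HttpsURLConnection before getInputStream() is called.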
