OAuth in mob1serv: Android point of view

OAUTH AUTHORIZATION IN CLIENT-SERVER APPLICATIONS for iPhone / Android presentation by Taras Filatov for Londroid meetup www.mob1serv.com © Injoit and YAS, 2010

History http://www.injoit.com/blog/2009/02/20/an-idea-for-saving-game-scores-online-for-iphone- apps/

OAuth http://oauth.net/ http://oauth.net/code/ http://code.google.com/p/oauth-signpost/ http://groups.google.com/group/oauth

iGetScoresand Android online high scores API for iPhone http://www.igetscores.com/ http://www.mob1serv.com/high-scores/

iGetScores OAuth nonce / time zones problem http://www.injoit.com/blog/2009/06/26/getting-to-know-oauth/ diﬀerent time zones of players caused OAuth to stop working

Mob1serv http://www.mob1serv.com/ • Mob1serv is a SaaS suite providing a single solution to all typical server side tasks faced by mobile developers • One library, 5 min installation • Huge added value for end users: Online High Scores, IM/PM (direct messaging), Events Notiﬁcation, GPS location tracking, Banners Manager, http://www.mob1serv.com/help/quick-install/ Facebook / Twitter / Google integration, Files storage etc • Serious business class service, no annoying ads or 3rd party advertisement

OAuth in Mob1serv http://www.mob1serv.com/oauth-contracter/ PLATFORMS 1st version: client: iPhone; server: PHP NOW: client: iPhone / Android library; server: Ruby on Rails IDENTIFICATION 1st version: UDID NOW: 1) login 2) login+password 3) iPhone UDID / Android ID

OAuth in Mob1serv http://www.mob1serv.com/oauth-contracter/ AUTHENTICATION EVOLUTION 1st version: Standard OAuth ‘3-legged’ scheme * 2 keys: Consumer and Secret * Application works with server through HTTP requests (data is NOT encrypted, it is only signed with HMAC-SHA hash) * App sends Consumer Key and Consumer Secret to receive Access Token and Access Token Secret * App sends Consumer Key, Consumer Secret, Access Token, NOW: improved scheme (simpliﬁed but more secure) * Consumer Key replaced with Token * All requests are signed with merged parameters hash + Consumer Secret but Consumer Secret is NEVER transmitted openly to avoid Man-in-the-middle attacks * Timestamp and nonce are still used to avoid Replay attacks

OAuth Contracter http://www.mob1serv.com/oauth-contracter/ Modules (API wrappers): * Twitter * Facebook * Yahoo SERVICE (Twitter / APP OAuth Contracter Facebook / Yahoo) Libraries: * iPhone * Android

Thank you! Contacts • e-mail: taras@injoit.com • www: www.injoit.com • www: www.mob1serv.com • twitter: INJOIT and MOB1SERV

http://www.injoit.com	628
http://old.injoit.com	3
http://translate.googleusercontent.com	2
http://cc.bingj.com	1
http://webcache.googleusercontent.com	1
http://feeds.feedburner.com	1

OAuth in mob1serv: Android point of view

by Injoit

Accessibility

Categories

Upload Details

Usage Rights

6 Embeds 636

Statistics

OAuth in mob1serv: Android point of view Presentation Transcript