A short presentation given by Taras Filatov, director of Injoit.com at Londroid (Android in London, http://bit.ly/ciDOBF) Meetup on 17th of June 2010. This covers some aspects of using OAuth in mob1serv (universal server API for iPhone and Android) and in general of OAuth for Android platform.

1. OAUTH AUTHORIZATION
IN CLIENT-SERVER APPLICATIONS
for iPhone / Android
presentation by Taras Filatov
for
Londroid meetup
www.mob1serv.com
© Injoit and YAS, 2010

2. History
http://www.injoit.com/blog/2009/02/20/an-idea-for-saving-game-scores-online-for-iphone-
apps/

3. OAuth
http://oauth.net/ http://oauth.net/code/
http://code.google.com/p/oauth-signpost/
http://groups.google.com/group/oauth

4. iGetScoresand Android
online high scores API for iPhone
http://www.igetscores.com/
http://www.mob1serv.com/high-scores/

5. iGetScores
OAuth nonce / time zones problem
http://www.injoit.com/blog/2009/06/26/getting-to-know-oauth/
different time zones of players
caused OAuth to stop working

6. Mob1serv
http://www.mob1serv.com/
• Mob1serv is a SaaS suite providing a
single solution to all typical server side
tasks faced by mobile developers
• One library, 5 min installation
• Huge added value for end users:
Online High Scores, IM/PM (direct
messaging), Events Notification, GPS
location tracking, Banners Manager,
http://www.mob1serv.com/help/quick-install/
Facebook / Twitter / Google integration,
Files storage etc
• Serious business class service, no
annoying ads or 3rd party advertisement

7. OAuth in Mob1serv
http://www.mob1serv.com/oauth-contracter/
PLATFORMS
1st version: client: iPhone; server: PHP
NOW: client: iPhone / Android library; server: Ruby on Rails
IDENTIFICATION
1st version: UDID
NOW: 1) login 2) login+password 3) iPhone UDID / Android ID

8. OAuth in Mob1serv
http://www.mob1serv.com/oauth-contracter/
AUTHENTICATION EVOLUTION
1st version: Standard OAuth ‘3-legged’ scheme
* 2 keys: Consumer and Secret
* Application works with server through HTTP requests
(data is NOT encrypted, it is only signed with HMAC-SHA
hash)
* App sends Consumer Key and Consumer Secret to receive
Access Token and Access Token Secret
* App sends Consumer Key, Consumer Secret, Access Token,
NOW: improved scheme (simplified but more secure)
* Consumer Key replaced with Token
* All requests are signed with merged parameters hash +
Consumer Secret but Consumer Secret is NEVER
transmitted openly to avoid Man-in-the-middle attacks
* Timestamp and nonce are still used to avoid Replay attacks

9. OAuth Contracter
http://www.mob1serv.com/oauth-contracter/
Modules (API wrappers):
* Twitter
* Facebook
* Yahoo
SERVICE
(Twitter /
APP OAuth Contracter Facebook /
Yahoo)
Libraries:
* iPhone
* Android

10. Thank you!
Contacts
• e-mail: taras@injoit.com
• www: www.injoit.com
• www: www.mob1serv.com
• twitter: INJOIT and MOB1SERV