OAuth in mob1serv: Android point of view



A short presentation given by Taras Filatov, director of Injoit.com at Londroid (Android in London, http://bit.ly/ciDOBF) Meetup on 17th of June 2010.

This covers some aspects of using OAuth in mob1serv (a universal server API for iPhone and Android) and, more generally, of using OAuth on the Android platform.

1. OAUTH AUTHORIZATION IN CLIENT-SERVER APPLICATIONS for iPhone / Android
   Presentation by Taras Filatov for Londroid meetup
   www.mob1serv.com
   © Injoit and YAS, 2010
2. History
   http://www.injoit.com/blog/2009/02/20/an-idea-for-saving-game-scores-online-for-iphone-apps/
3. OAuth
   http://oauth.net/
   http://oauth.net/code/
   http://code.google.com/p/oauth-signpost/
   http://groups.google.com/group/oauth
4. iGetScores and Android online high scores API for iPhone
   http://www.igetscores.com/
   http://www.mob1serv.com/high-scores/
5. iGetScores OAuth nonce / time zones problem
   http://www.injoit.com/blog/2009/06/26/getting-to-know-oauth/
   Different time zones of players caused OAuth to stop working.
6. Mob1serv
   http://www.mob1serv.com/
   • Mob1serv is a SaaS suite providing a single solution to all typical server-side tasks faced by mobile developers
   • One library, 5 min installation (http://www.mob1serv.com/help/quick-install/)
   • Huge added value for end users: Online High Scores, IM/PM (direct messaging), Events Notification, GPS location tracking, Banners Manager, Facebook / Twitter / Google integration, Files storage etc.
   • Serious business class service, no annoying ads or 3rd party advertisement
7. OAuth in Mob1serv
   http://www.mob1serv.com/oauth-contracter/
   PLATFORMS
   • 1st version: client: iPhone; server: PHP
   • NOW: client: iPhone / Android library; server: Ruby on Rails
   IDENTIFICATION
   • 1st version: UDID
   • NOW: 1) login 2) login+password 3) iPhone UDID / Android ID
8. OAuth in Mob1serv
   http://www.mob1serv.com/oauth-contracter/
   AUTHENTICATION EVOLUTION
   1st version: Standard OAuth ‘3-legged’ scheme
   • 2 keys: Consumer and Secret
   • Application works with server through HTTP requests (data is NOT encrypted, it is only signed with HMAC-SHA hash)
   • App sends Consumer Key and Consumer Secret to receive Access Token and Access Token Secret
   • App sends Consumer Key, Consumer Secret, Access Token,
   NOW: improved scheme (simplified but more secure)
   • Consumer Key replaced with Token
   • All requests are signed with merged parameters hash + Consumer Secret, but Consumer Secret is NEVER transmitted openly to avoid Man-in-the-middle attacks
   • Timestamp and nonce are still used to avoid Replay attacks
9. OAuth Contracter
   http://www.mob1serv.com/oauth-contracter/
   Modules (API wrappers):
   • Twitter
   • Facebook
   • Yahoo
   Diagram: APP -> OAuth Contracter -> SERVICE (Twitter / Facebook / Yahoo)
   Libraries:
   • iPhone
   • Android
10. Thank you!
   Contacts
   • e-mail: taras@injoit.com
   • www: www.injoit.com
   • www: www.mob1serv.com
   • twitter: INJOIT and MOB1SERV
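The "improved scheme" from slide 8, written out as an added Python example (constructed for this page, not mob1serv's or OAuth Contracter's own code): the client signs the merged request parameters with HMAC-SHA1 keyed by the Consumer Secret and transmits only the token, a UTC epoch timestamp, a nonce and the signature, never the secret; the server recomputes the signature, rejects stale timestamps (epoch seconds sidestep the time-zone problem from slide 5) and rejects a repeated nonce. The base-string layout, parameter names and the 300-second window are assumptions, not values from the deck.

```python
import hashlib, hmac, secrets, time
from urllib.parse import quote

REPLAY_WINDOW = 300  # seconds a request stays acceptable (assumed value)

def base_string(method, url, params):
    """Canonical signing input: method, URL and the sorted, percent-encoded parameters."""
    pairs = sorted((quote(k, safe=""), quote(str(v), safe="")) for k, v in params.items())
    query = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), quote(url, safe=""), quote(query, safe="")])

def sign(method, url, params, consumer_secret):
    """HMAC-SHA1 over the merged parameters; the secret is only the key and never travels."""
    msg = base_string(method, url, params).encode()
    return hmac.new(consumer_secret.encode(), msg, hashlib.sha1).hexdigest()

def client_request(method, url, params, token, consumer_secret, now=None, nonce=None):
    """Client side: add token, UTC epoch timestamp and nonce, then sign everything."""
    signed = dict(params)
    signed["token"] = token                       # token replaces the consumer key
    signed["timestamp"] = str(int(time.time() if now is None else now))  # epoch seconds, no time zones
    signed["nonce"] = nonce or secrets.token_hex(8)
    signed["signature"] = sign(method, url, signed, consumer_secret)
    return signed

class Server:
    """Server side: look up the secret by token, check freshness, nonce and signature."""
    def __init__(self, secrets_by_token):
        self.secrets_by_token = secrets_by_token
        self.seen = set()                         # (token, timestamp, nonce) already accepted

    def verify(self, method, url, request, now=None):
        now = time.time() if now is None else now
        params = dict(request)
        sig = params.pop("signature", None)
        if sig is None or not all(k in params for k in ("token", "timestamp", "nonce")):
            return False
        secret = self.secrets_by_token.get(params["token"])
        if secret is None or not params["timestamp"].isdigit():
            return False
        if abs(now - int(params["timestamp"])) > REPLAY_WINDOW:    # stale or future-dated
            return False
        key = (params["token"], params["timestamp"], params["nonce"])
        if key in self.seen:                                       # replayed request
            return False
        if not hmac.compare_digest(sig, sign(method, url, params, secret)):
            return False
        self.seen.add(key)
        return True
```

A tampered parameter, a replayed request, an unknown token and a timestamp outside the window all fail verification, while the secret itself never appears in the transmitted request.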