Sample application was suspended from GooglePlay because it again: violates the deceptive device settings changes policy. Even when I already fixed first violation.
It's again because of usage of BIND_DEVICE_ADMIN for API 19. Since I have been actively working on version 3 of the KeystoreCompat library, I will solve this violation alongside with releasing that new library version
This is sample application pointing some security related practices on Android device.
SecurityShowcase architecture is MVVM based on Google's architecture component.
Complete server-side endpoint implementation for this project is available on GitHub KoTiNode.
SecurityShowcase application contains example of using standard Android Security with the Keystore. All Android Keystore related stuff is bundled in KeystoreCompat library (available in this source code).
KeystoreCompat library should help to prevent pain when starting work with keystore from the official documentation or StackOverflow discussion. The main point of this library is to provide the same services for all backward (...Compat) supported API versions (19+). The backward support is something, what all available libraries and blog posts lacks!
|KeystoreCompat default (K+)||KeystoreCompat|
Rooted device detection
Very lightweight but powerful solution is using RootBear library which is also used by KeystoreCompat library.
Another solution is to use robust google solution SafetyNet (used for example by AndroidPay solution). SafetyNet is complex online/offline device checking solution, but it requires Google Play Services dependency.
Json Web Token
SecurityShowcase backend/client is using Json Web Token (JWT) to wrap all authentization payload. JWT RFC 7519 is in fact base64 string (easy to transfer in header) containing lot of information and is readable by anyone. JWT is signed by the server, so server can verify JWT (returning from the client) to be not malformed.
How does the process works?
LOGIN PHASE / AUTHENTICATION
- client/app sends credentials (username/password) and requests authentication token (JWT)
- server creates JWT (based on correct credentials) and sign this token with the secret. JWT also contains additional information related to authentized user.
- client/app obtain proper JWT containing all information about the user and will store this token for the future use.
SECURED REQUESTS / AUTHORIZATION
- client/app bundle JWT to header of any secured request
- server verify obtained JWT against original secret (to be not malformed) and then use any information (token validity, users role, users id ...) in the token to authorize user for current operation.
Showcase contains sample implementation of communication with the graphql endpoint (besides the REST).
schema.json definition file is not composed manually, but is always completely downloaded from the server.
Before download just ensure you have already installed
apollo-codegen. If not install it by using
npm install apollo-codegen
schema.json using this command
apollo-codegen download-schema http://kotopeky.cz/graphql --output schema.json
GraphiQL console allows to try call query manually, let's try it here:
About GraphQl on the web
SecurityShowcase gradle notes
Switch keystore-compat-dependency local/maven
To use keystore compat directly from local sources uncomment
Build sample app
./gradlew dependencyReport --configuration compile
./gradlew dependencyInsighty --configuration compile --dependency com.android.support:appcompat-v7
./gradlew dependencyInsighty --configuration compile --dependency org.jetbrains.kotlin:kotlin-stdlib