Thursday, September 19, 2013

Android with Delphi - Authentication + URI Signature

POST #024 =======================================================================
Welcome back, everyone. This is warleyalex. Playing with Delphi mORMot and Android again. In this mini video, I would like to demonstrate the mORMot authentication scheme using Android as the client side.

Before taking a step further, I should explain that Delphi mORMot uses a security technique called "Query Authentication". Each REST request is expected to carry an additional parameter named "session_signature", appended to the end of the URI. Every REST query must be authenticated by signing the query parameters. This signature is checked against the valid sessions in order to validate any further request to the mORMot server. This signature seems to be very effective and will avoid most attacks such as Man-In-The-Middle and replay attacks.

Imagine a scenario in which a client sends an encrypted user name and password to a server to log in. If an attacker intercepts the communication (using monitoring software) and replays the sequence, he obtains the same rights as the user. If the system allows password modification, he could even replace the password, depriving the user of his access. In this type of Man-in-the-Middle attack, packets and authentication tokens are captured using a sniffer. Once the relevant information is extracted, the tokens are placed back on the network to gain access.

The man-in-the-middle attack intercepts a communication between two systems. The MITM attack is very effective because of the nature of the HTTP protocol and its data transfer, which are all ASCII-based. In this way, it is possible to view and intervene within the HTTP protocol and also in the data transferred. So, for example, it is possible to capture a session cookie by reading the HTTP header, but it is also possible to change the amount of a money transaction inside the application context.
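The following is an added example (not code from the post or from mORMot) of the query-authentication pattern described above: the client appends a session_signature parameter bound to the session id, a timestamp and the exact URI, and the server refuses a tampered URI, a stale request, and a captured URI replayed verbatim. The signature layout, the HMAC-SHA256 choice, the freshness window and the sample session key and path are assumptions for illustration, not mORMot's actual algorithm.

```python
import hashlib
import hmac

# Assumed freshness window: how many timestamp ticks a request may lag the
# server clock before it is rejected as stale (constructed for this demo).
MAX_SKEW = 64

def signature(session_id: int, key: bytes, timestamp: int, uri: str) -> str:
    """MAC over session id, timestamp and the exact URI (path plus query)."""
    msg = f"{session_id:08x}{timestamp:08x}{uri}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

def sign_uri(session_id: int, key: bytes, timestamp: int, uri: str) -> str:
    """Client side: append session_signature=<sid hex><ts hex><mac> to the URI."""
    sep = "&" if "?" in uri else "?"
    mac = signature(session_id, key, timestamp, uri)
    return f"{uri}{sep}session_signature={session_id:08x}{timestamp:08x}{mac}"

class SessionStore:
    """Server side: per-session keys plus the last timestamp accepted."""
    def __init__(self):
        self.keys = {}      # session id -> session key agreed at login
        self.last_ts = {}   # session id -> highest timestamp accepted so far

    def verify(self, signed_uri: str, now: int):
        marker = "session_signature="
        pos = signed_uri.rfind(marker)
        if pos < 1:
            return False, "missing signature"
        uri = signed_uri[:pos - 1]            # drop the '?' or '&' and the parameter
        sig = signed_uri[pos + len(marker):]
        if len(sig) != 32:
            return False, "malformed signature"
        try:
            sid, ts, mac = int(sig[:8], 16), int(sig[8:16], 16), sig[16:]
        except ValueError:
            return False, "malformed signature"
        key = self.keys.get(sid)
        if key is None:
            return False, "unknown session"
        # Constant-time compare: a tampered path/query or a wrong key fails here.
        if not hmac.compare_digest(signature(sid, key, ts, uri), mac):
            return False, "bad signature"
        if ts > now or now - ts > MAX_SKEW:
            return False, "stale timestamp"
        # Timestamps must strictly increase per session, so a captured URI
        # replayed verbatim (same timestamp) is refused.
        if ts <= self.last_ts.get(sid, -1):
            return False, "replay"
        self.last_ts[sid] = ts
        return True, "ok"
```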

I'm having a hard time trying to figure out how to implement the Android-mORMot authentication scheme; the issue is I have zero expertise with Java/Android technology, but anyway… I created a similar Java class to mimic the mORMot authentication approach in Android. As you know, most Android and iPhone applications use an initial screen or dialog box to ask for credentials. My app accepts a username and password from the user and sends them to the remote server application for authentication. Finally it displays the main screen to the user, which has an icon named "My Calc"; this was based on project 14 - Interface-based services.

The idea here was to demonstrate the "URI signature" feature in Android, in order to enhance security. This covers some of the basic functionality. Of course, it would be nice if I could add other functionality such as changing the password, resetting the password through email or even registration. But I'm having a hard time adding a feature to prompt the user to re-login (when the session has expired), but that is another story. So please stay tuned for upcoming videos. Thank you very much for listening, I'm warleyalex, and you take care.
 

Sunday, September 1, 2013

Android with Delphi - CRUD

POST #023 =======================================================================
Delphi XE5 (AKA Delphi for Android) is officially out today. It is neither a Delphi compiler for Java nor does it generate Dalvik¹ VM bytecode. The compiler, named "dccaarm", produces native applications with binary code: it builds ARM machine-instruction executables and automatically generates the .apk package. Embarcadero guys are always repeating the word native, "native machine code" is better, and so on. To be honest, I think "native" here is synonymous with "sex": anyone talking about it all the time generally is not doing it. In my opinion, it seems to be a very interesting tool, despite the price of $1.5K, too expensive for most programmers.

Talking about price, size, Delphi and Android, take a look at what I'm trying to build: a REST server with the old Delphi 7, with Android as the client. The Android client will list data in a simple ListView widget. My first app does something useful: it performs CRUD operations such as creating, inserting or deleting records. Eclipse with the Android SDK builds this application into an .apk of 60 KB.


AHA! By contrast, an empty Hello World application project in Delphi for Android XE5 generates a file with the .so extension (a kind of shared object library, as in Linux) that is much bigger: around 5 MB in size. How quickly does that native binary grow when you add more capability? Normally I'm very optimistic, but recently I've become very pessimistic about EMBT, but that is another story. So please stay tuned for upcoming videos. In the next video, I'm going to talk about REST authentication using an Android client. Thank you very much for listening, I'm warleyalex from Sete Lagoas, and you take care.

_______
¹ The Dalvik Virtual Machine requires that the Java .class bytecode be converted to Dalvik bytecode: the compiled Java class files are converted into Dalvik VM bytecode in .dex files. The Android Dalvik virtual machine does not normally run Java bytecode.