Welcome back, everyone. This is warleyalex, playing with Delphi mORMot and Android again. In this mini video I would like to demonstrate the mORMot authentication scheme, using Android as the client side.
Before going any further, a word on how mORMot secures its REST calls. It uses a technique called "Query Authentication": once a session has been opened, every REST request is expected to carry an additional parameter named "session_signature", appended at the end of the URI. Each query is authenticated by signing the requested URI with a secret that the client and the server share for that session, and the server checks the signature against its list of valid sessions before it serves the request. Because the signature is bound to the URI and carries a client timestamp, the server can refuse a request whose parameters were altered in transit and a request that is simply captured and sent again later (a replay attack). What the signature does not do is hide anything: over plain HTTP an observer on the path can still read every request and response, so it protects against tampering and replay, not against eavesdropping. Confidentiality still requires TLS.
Imagine a scenario in which a client sends an encrypted (or hashed) user name and password to a server to log in. If an attacker intercepts the exchange with monitoring software and replays the same sequence, the server cannot tell the copy from the original and the attacker obtains the same rights as the user. If the system allows password modification, the attacker could even replace the password with another one, depriving the user of access. In this variant of the man-in-the-middle attack, packets and authentication tokens are captured with a sniffer; once the relevant information has been extracted, the tokens are placed back on the network to gain access. Note that encrypting the credentials does not help here, because the attacker never needs to decrypt them, only to resend them.
The man-in-the-middle attack intercepts a communication between two systems. Against plain HTTP it is very effective because the protocol and, usually, the transferred data are readable text, so an attacker on the path can both read and alter the HTTP headers and the payload. For example, it is possible to capture a session cookie by reading the HTTP header, but it is also possible to change the amount of a money transfer inside the application's own request. A per-request URI signature addresses the second problem for everything the signature covers, since a modified URI no longer matches its signature; it does nothing about the first, which is why a signed API should still be served over HTTPS.
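As an added illustration (my own Python sketch, not mORMot's source and not the Java class from the video), here are both ends of the scheme described above: the client appends a session_signature whose CRC is seeded with the per-session secret, and the server refuses the replayed and tampered requests from the scenarios just discussed. The layout follows the shape documented for mORMot's default authentication (session ID, client timestamp and a chained crc32 over the URI, each as 8 hex characters); the exact seeding of the CRC, the timestamp unit, the strictly increasing timestamp rule, and the sample secret and URI are assumptions of this example and were not checked against the library.

```python
"""Client-side URI signing and server-side verification in the style of
mORMot "Query Authentication".  Added illustration, not mORMot's or the
video author's code; see the assumptions in the comments."""
import hmac
import time
import zlib
from dataclasses import dataclass
from typing import Dict, Optional

SIGNATURE_PARAM = "session_signature="
HEX_DIGITS = set("0123456789ABCDEF")


def hexa8(value: int) -> str:
    """Eight upper-case hex characters for a 32-bit unsigned integer."""
    return f"{value & 0xFFFFFFFF:08X}"


def crc32_chain(start: int, data: bytes) -> int:
    """zlib-style CRC32 continued from a previous CRC value.
    Assumption: this matches mORMot's crc32(crc, buf, len) chaining."""
    return zlib.crc32(data, start) & 0xFFFFFFFF


def client_timestamp() -> int:
    """Client clock in 256 ms ticks.  Only its monotonic growth matters to the
    server, so the exact unit is a free choice here (assumed, not mORMot's)."""
    return (int(time.monotonic() * 1000) >> 8) & 0xFFFFFFFF


def sign_uri(uri: str, session_id: int, private_key: int, timestamp: int) -> str:
    """Return uri with '?session_signature=' or '&session_signature=' appended.

    Signature layout (hex8 = 8 hex chars):
        hex8(session_id) + hex8(timestamp) + hex8(crc32(private_key, hex8(timestamp) + uri))
    The CRC is seeded with the per-session secret, so an eavesdropper who sees
    the signed URI learns neither the secret nor a signature for any other URI.
    """
    ts_hex = hexa8(timestamp)
    crc = crc32_chain(private_key, ts_hex.encode("ascii"))
    crc = crc32_chain(crc, uri.encode("utf-8"))
    separator = "&" if "?" in uri else "?"
    return f"{uri}{separator}{SIGNATURE_PARAM}{hexa8(session_id)}{ts_hex}{hexa8(crc)}"


@dataclass
class Session:
    session_id: int
    user: str
    private_key: int          # shared secret agreed at login (assumed already established)
    last_timestamp: int = 0   # highest timestamp accepted so far; drives the replay check


class SessionTable:
    """The server's view: valid sessions plus the check every signed request must pass."""

    def __init__(self) -> None:
        self._sessions: Dict[int, Session] = {}
        self._next_id = 1

    def create(self, user: str, private_key: int) -> Session:
        session = Session(self._next_id, user, private_key)
        self._sessions[session.session_id] = session
        self._next_id += 1
        return session

    def verify(self, signed_uri: str) -> Optional[Session]:
        """Return the session that signed signed_uri, or None if the request must be refused."""
        pos = signed_uri.rfind(SIGNATURE_PARAM)
        if pos < 1 or signed_uri[pos - 1] not in "?&":
            return None                                  # no signature at all
        signature = signed_uri[pos + len(SIGNATURE_PARAM):]
        if len(signature) != 24 or not set(signature) <= HEX_DIGITS:
            return None                                  # malformed signature
        uri = signed_uri[:pos - 1]                       # what the client actually signed
        session = self._sessions.get(int(signature[:8], 16))
        if session is None:
            return None                                  # unknown or expired session
        timestamp = int(signature[8:16], 16)
        if timestamp <= session.last_timestamp:
            return None                                  # replayed or out-of-order request
        crc = crc32_chain(session.private_key, signature[8:16].encode("ascii"))
        crc = crc32_chain(crc, uri.encode("utf-8"))
        if not hmac.compare_digest(hexa8(crc), signature[16:24]):
            return None                                  # URI or signature tampered with
        session.last_timestamp = timestamp               # consume this timestamp
        return session


if __name__ == "__main__":
    server = SessionTable()
    session = server.create("User", private_key=0x1234ABCD)   # constructed sample secret
    request = "root/Calculator.Add?n1=2&n2=3"                  # constructed sample URI
    signed = sign_uri(request, session.session_id, session.private_key, client_timestamp())
    print(signed)
    print("first request :", server.verify(signed) is session)   # True
    print("replayed      :", server.verify(signed) is session)   # False
```

Two design points worth noticing. First, the replay check here is strict: a timestamp equal to the last accepted one is refused, which also refuses two legitimate requests issued within the same 256 ms tick, so a production server would rather allow a small tolerance window than the bare comparison shown. Second, the check covers only the URI; a POST body is not part of the signature in this sketch, so anything sensitive in the body still relies on TLS.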
I had a hard time trying to figure out how to implement the Android-mORMot authentication scheme; the issue is that I have zero expertise with Java/Android technology, but anyway… I created a similar Java class to mimic the mORMot authentication approach in Android. As you know, most Android and iPhone applications use an initial screen or dialog box to ask for credentials. My app accepts a username and password from the user and sends them to the remote server application for authentication. Finally, it displays the main screen to the user, on which there is an icon named "My Calc"; this was based on project 14 - Interface-based services.
The idea here was to demonstrate the "URI signature" feature in Android, in order to enhance security. These are some of the basic functionalities. Of course, it would be nice if I could add other functionality such as changing the password, a reset-password feature through email, or even registration. But I'm having a hard time adding a feature to prompt the user to re-login (when the session has expired), but this is another story. So please stay tuned for upcoming videos. Thank you very much for listening, I'm warleyalex, and you take care.