Security showcase
| Branch | Status |
|---|---|
| master | |
| develop |
This is sample application pointing some security related practices on Android device.
SecurityShowcase architecture is MVVM based on Google's architecture component.
Complete server-side endpoint implementation for this project is available on GitHub KoTiNode.
Android keystore
SecurityShowcase application contains example of using standard Android Security with the Keystore. All Android Keystore related stuff is bundled in KeystoreCompat library (available in this source code).
KeystoreCompat library should help to prevent pain when starting work with keystore from the official documentation or StackOverflow discussion. The main point of this library is to provide the same services for all backward (...Compat) supported API versions (19+). The backward support is something, what all available libraries and blog posts lacks!
Read more about KeystoreCompat
Encrypted Realm
For sample implementation of the Realm persistence encryption look at DB Showcase repository.
Related article describing this encryption is available on Medium Encrypted Realm & Android Keystore
Rooted device detection
Very lightweight but powerful solution is using RootBear library which is also used by KeystoreCompat library.
Another solution is to use robust google solution SafetyNet (used for example by AndroidPay solution). SafetyNet is complex online/offline device checking solution, but it requires Google Play Services dependency.
Json Web Token
SecurityShowcase backend/client is using Json Web Token (JWT) to wrap all authentization payload. JWT RFC 7519 is in fact base64 string (easy to transfer in header) containing lot of information and is readable by anyone. JWT is signed by the server, so server can verify JWT (returning from the client) to be not malformed.
How does the process works?
LOGIN PHASE / AUTHENTICATION
- client/app sends credentials (username/password) and requests authentication token (JWT)
- server creates JWT (based on correct credentials) and sign this token with the secret. JWT also contains additional information related to authentized user.
- client/app obtain proper JWT containing all information about the user and will store this token for the future use.
SECURED REQUESTS / AUTHORIZATION
- client/app bundle JWT to header of any secured request
- server verify obtained JWT against original secret (to be not malformed) and then use any information (token validity, users role, users id ...) in the token to authorize user for current operation.
GraphQL
Showcase contains sample implementation of communication with the graphql endpoint (besides the REST).
Apollo client
Graph schema
schema.json definition file is not composed manually, but is always completely downloaded from the server. Before download just ensure you have already installed apollo-codegen. If not install it by using npm install apollo-codegen
Generate schema.json using this command apollo-codegen download-schema http://kotopeky.cz/graphql --output schema.json
GraphiQL
GraphiQL console allows to try call query manually, let's try it here:
About GraphQl on the web
02/2017 Using Apollo client for Android 0.1.0
04/2017 Using Apollo client for Android 0.3.0
SecurityShowcase gradle notes
Build sample app
./gradlew assembleRostiRelease
Dependency diagnostic
./gradlew dependencyReport --configuration compile./gradlew dependencyInsighty --configuration compile --dependency com.android.support:appcompat-v7./gradlew dependencyInsighty --configuration compile --dependency org.jetbrains.kotlin:kotlin-stdlib