I'm working on adding Web Authentication for the Android Application.
Web Authentication is nothing I've ever bothered with, as I rely on using
https and apache authentication in front of the mh web server.
I do however need to support Web Authentication on the Android Application for
those who want to use web authentication.
The Android application uses the mh http_server as the conduit for fetching xml
from mh for display updates. The application also uses the mh http_server for
set commands (object state) and run commands (running voice commands).
Before implementing web authentication, the android app was using an internal
sub android_xml subroutine for fetching the xml. The application was using
the internal SET and RUN methods already implemented in the http_server. In
order for android_xml to run properly, it was necessary to add &android_xml
in the password_allow file when web authentication was in play. It wasn't
until recently that I really understood why.
After turning on web authentication, the android application quickly broke
down because the http_server would block all SET and RUN requests because
the android application has no means to response to the password HTML
form which is presented to a web browser.
My solution is to use three subroutines android_xml, android_set, and
android_run. All three will bypass the authentication check in the http_server
by adding them to the password_allow file. I will then do the same level
of authentication in the android_server, which sits behind http_server. I
*think* I need to do it this way because I don't know how I would handle
satisfying the password challenge form provided by the http_server.
Finally, here is my question. To perform the authentication, I send a password
which is stored on the android/phone for each xml, set, run command in the http
URL request. The password is compared against the password entered in the
set_password program, using logic in android_server which is basically the
same logic used in http_server.
The password which is sent on each command is sent in the clear. This doesn't
seem very secure. It's sent in the clear for http_server too, but not as
often. I think it's fetched from a cookie by the http_server at later times,
but I'm not 100% sure how that works.
I guess the authentication prevents anyone from pointing the android application
at my server address and gaining access. In my case, I would be using
https and apache authentication to guard anyone from doing such things.
I'm just worried that I'm doing something bad by sending this password in the
clear over and over again.
Any advice appreciated.
I'm not looking to solve or replace the existing authentication. I just want
to validate that I'm not introducing some new security breach that we didn't
already have before with the existing http_server.
On 11/09/2012 02:15 PM, Jim Duda wrote:
> I'm working on adding Web Authentication for the Android Application.
> Web Authentication is nothing I've ever bothered with, as I rely on using
> https and apache authentication in front of the mh web server.
Tom helped me out with this issue. I'm going to follow the same solution
that he used for his iPhone interface. It's a much less complicated and
more seemless solution that the one I had in mind. I should have an updated
android release next week which supports authentication, MH style.