I have a question which is not really related to android. but because i’m android developer i have taged this post as android post.
In my application i have a login page. in this page i take user name and password from user, then encrypt the password and after that i’m sending them to server for validation. according to response of server, i’ll do what i should do.
i think this process is risky. if someone hacks my code s/he can easily do cheat. and also because this project is stock market based project therefore it needs higher security. I afraid that if somebody hack this code, me as a developer or my company be responsible for this issue.
Now, the thing that i want is, the login page should be under control of my client’s server. this is my idea:
1- I’ll open a connection (the URL should be given to me by client)
2- I’ll open another connection to listen to the feedback from server
3- If server says OK, I let the user to go into application.
Is this a good way? Is there any other way?
If someone hacks your code, generally all bets are off. If you want to really protect something, you need to keep it on the server side.
As for not sending the username/password, you can have the client’s server act as an identity provider by using a standard protocol such as SAMLv2, OpenID or OAuth. You’ll have to select which one fits your needs, but the general idea is that users will login and authorize your app to see their data using you client’s server, and your app never needs to see their actual password.