
Pitfalls of the VK SDK for Android

Hi Habr! Recently I needed to integrate a social network into an Android project. The choice fell on VK and, accordingly, their official library, VKCOM/vk-android-sdk. I had used it before, and even then I was not delighted with it because of the small number of examples. Now I have looked at the source code, and it is still far from perfect.

I usually look at the keys in the preferences when launching an application, and this is what I saw (after authorization):

    VK_SDK_ACCESS_TOKEN_PLEASE_DONT_TOUCH: scope=offline&https_required=1&access_token=e5cd068be722caafd3c449557e19c19eeed3f54c295a65cd097ed087f61c44394bd985975364fc34641cc&expires_in=0&created=1476876628588&user_id=220436550

That alarmed me. I do not think it is good to store such data in the clear. In fact, ever since my first acquaintance with the SDK I had wondered about the possibility of reading the input data during authorization. Why not?

You just need to import the SDK as a module. We remove the option of authorizing through the main client (leaving only the second option):

    // The official VK app is installed and its fingerprint matches: authorize through it
    if (VKUtil.isAppInstalled(ctx, VK_APP_PACKAGE_ID)
            && VKUtil.isIntentAvailable(ctx, VK_APP_AUTH_ACTION)
            && fingerprints.length > 0
            && fingerprints[0].equals(VK_APP_FINGERPRINT)) {
        if (savedInstanceState == null) {
            intent = new Intent(VK_APP_AUTH_ACTION, null);
            intent.setPackage(VK_APP_PACKAGE_ID);
            intent.putExtras(bundle);
            startActivityForResult(intent, VKServiceType.Authorization.getOuterCode());
        }
    } else {
        // Otherwise fall back to the SDK's own dialog inside the host application
        new VKOpenAuthDialog().show(this, bundle, VKServiceType.Authorization.getOuterCode(), null);
    }

Source here

We slightly modify their custom WebView:

    @Override
    public InputConnection onCreateInputConnection(EditorInfo outAttrs) {
        return new BaseInputConnection(this, false);
    }

    @Override
    public boolean dispatchKeyEvent(KeyEvent event) {
        super.dispatchKeyEvent(event);
        // log the event
        if (event.getAction() == KeyEvent.ACTION_UP) {
            Log.d("TAG", event.getKeyCode() + " | " + event.toString());
        }
        return true;
    }

Source here

Thanks to an answer on Stack Overflow. It turns out that the login and password can be read in full when they are typed manually into their dialog box (without copy-paste). You can even determine the character case:

Logcat output
7 | KeyEvent {action = ACTION_UP, keyCode = KEYCODE_0, ..., source = 0x0}
59 | KeyEvent {action = ACTION_UP, keyCode = KEYCODE_SHIFT_LEFT, ..., source = 0x0}
40 | KeyEvent {action = ACTION_UP, keyCode = KEYCODE_L, ..., source = 0x0}

All of this opens up possibilities. Perhaps similar examples can still be found.
I am no great specialist in cookies, but, for example, I managed to pull out remixstid, remixmdevice, remixlang and remixlhk. They seem to relate to the token data, judging by the description of the account logout function in the main class.

    /**
     * Wipes out information about the access token and clears cookies for internal browse
     */
    @SuppressLint("NewApi")
    public static void logout() {
        ...
        CookieManager.getInstance().removeAllCookies(null);
        ...
    }

Source here

I think it would be better for VK to move authorization entirely to the main client. As for the API, it should be supplemented with detailed examples (a wiki on GitHub would be a good addition to the existing javadoc). For now, though, using this approach is questionable.

Thanks for your attention!
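
An added example, not code from the post or from the VK SDK: a small audit script that scans a pulled shared_prefs XML file for cleartext token values in the format shown at the start of the post. The sample file, the placeholder token and the SECRET_FIELDS watch list are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed sample of a pulled shared_prefs XML file. The key name and the
# field layout follow the value shown in the post; the token is a placeholder.
SAMPLE_PREFS = """<map>
    <string name="VK_SDK_ACCESS_TOKEN_PLEASE_DONT_TOUCH">scope=offline&amp;https_required=1&amp;access_token=PLACEHOLDER0123456789abcdef&amp;expires_in=0&amp;created=1476876628588&amp;user_id=1</string>
    <string name="ui_theme">dark</string>
    <int name="launch_count" value="7" />
</map>"""

# Hypothetical watch list of query-string fields that should never sit in cleartext.
SECRET_FIELDS = ("access_token", "secret", "refresh_token")


def audit_prefs(xml_text):
    """Return one finding per <string> preference holding a cleartext token."""
    findings = []
    for node in ET.fromstring(xml_text).iter("string"):
        # The SDK value is a URL query string, so parse it as one.
        fields = parse_qs(node.text or "", keep_blank_values=True)
        for field in SECRET_FIELDS:
            if field not in fields:
                continue
            token = fields[field][0]
            findings.append({
                "key": node.get("name"),
                "field": field,
                # Report only a short prefix so the audit log is not a second leak.
                "preview": token[:4] + "..." if len(token) > 4 else "...",
                "length": len(token),
                # Assumption: expires_in=0 together with scope=offline means
                # the token does not expire, so a leak stays useful indefinitely.
                "non_expiring": fields.get("expires_in", [""])[0] == "0",
                "scopes": fields.get("scope", [""])[0].split(","),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_prefs(SAMPLE_PREFS):
        print(finding)
```

A finding with `non_expiring` set is the case to fix first: the stored value should be encrypted with a key held outside the preferences file, or not persisted at all.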

Source: https://habr.com/ru/post/313132/

