Authentication scheme for an Android application: when the SIM card is locked or exchanged for another, the app stops working
I need to implement a convenient way to determine whether the mobile app is being used by a valid customer or not. Customers told me that if they lose their mobile phone, they contact the operator and lock the SIM card.
So it seems natural to bind authentication to SIM card validity (the app works as long as the correct SIM is present and not locked). Then, in case of loss, the customer needs to lock the SIM card, which he would do anyway (because internet banks send SMS messages for approving transactions to the mobile phone).
I tried to read SIM-card related data; it works on some phones, but not on others (sometimes I get empty strings instead of the IMEI number).
How can I implement an authentication mechanism that
- is easy for the user (does not require the user to generate/enter a new password),
- provides the app with information on whether the inserted SIM card
- is the same SIM that was there at the first start of the application and
- is not locked?
If it's impossible, what authentication alternatives are there (apart from e-mail/password and phone number with SMS confirmation)?
Update 1 (11.08.2013 14:17 MSK): One obvious solution is to use the phone number as the login name and a server-generated 6-digit number as the password.
Then authentication would work like this:
- At first run, the user enters his or her mobile phone number.
- The server sends him or her a message (SMS) with a 6-digit password.
- The user enters the password and the app starts to work.
- At regular intervals the app asks the user to renew the password (new passwords are delivered via SMS as well).
What do you think about this option?
Can it be improved somehow?
If you lock the app to SIM properties, and require those properties to be present for unlocking the app, have you thought about where to store the properties: in the app (hard coded, database, file, preferences, ...)? Or are you thinking of contacting a server for verification? Either way, you may end up with a complex solution with possible security flaws. The SIM serial number is unique but at the same time public, so you can't rely on that property to lock the app.
The TelephonyManager class is the gateway for accessing SIM properties (this class exposes the user's privacy in a number of ways). As of now, there is no Android crypto API exposed to perform cryptographic operations in the SIM. But since your customer can contact the operator, you may consider asking the operator to sign your app. In that case, you may have a way to use the SIM card's secure element. There is a discussion on this thread. A PIN code with a limited number of attempts is a way to implement simple authentication for accessing the app. You may implement it at the application layer without involving the SIM card.
Hope this helps.
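As an added example (not code from the question or the answer), here is the server side of the SMS password scheme from Update 1 with the limited-attempts idea from the answer applied: codes come from a CSPRNG, are stored only as a keyed hash bound to the phone number, expire, are single-use, and lock after a few wrong guesses. The `OtpStore` name, the five-minute lifetime, the five-attempt limit and the injectable clock are assumptions; the SMS gateway call is left to the caller of `issue()`.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 5        # assumed: the code is discarded after five wrong guesses


class OtpStore:
    """Server-side state for the SMS password scheme: one active code per phone number."""

    def __init__(self, server_secret: bytes, clock=time.time):
        self._secret = server_secret   # keyed-hash secret so a leaked table does not reveal live codes
        self._clock = clock            # injectable clock (assumption) so expiry can be tested offline
        self._codes = {}               # phone -> [digest, expires_at, attempts]

    def _digest(self, phone: str, code: str) -> bytes:
        # Bind the code to the phone number: the same digits sent to another number do not match.
        return hmac.new(self._secret, f"{phone}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, phone: str) -> str:
        """Generate a fresh 6-digit code for the phone; the caller hands it to the SMS gateway."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"   # zero-padded, e.g. 004217
        self._codes[phone] = [self._digest(phone, code), self._clock() + OTP_TTL_SECONDS, 0]
        return code

    def verify(self, phone: str, code: str) -> bool:
        """Accept the code once; reject unknown, expired, exhausted, or wrong codes."""
        entry = self._codes.get(phone)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._codes[phone]     # expired or too many guesses: the user must request a new code
            return False
        entry[2] += 1                  # count every guess before comparing
        if not hmac.compare_digest(digest, self._digest(phone, code)):
            return False
        del self._codes[phone]         # one-time use: a replayed SMS code is useless afterwards
        return True


if __name__ == "__main__":
    store = OtpStore(secrets.token_bytes(32))
    phone = "+10000000000"             # constructed sample number
    sent = store.issue(phone)          # in production: pass `sent` to the SMS gateway
    print("accepted:", store.verify(phone, sent), "replay accepted:", store.verify(phone, sent))
```

The periodic renewal from Update 1 is just `issue()` again when the app's session timer fires; a second call for the same phone replaces the old code, so only one is ever live.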