We have a use case where we need to protect a login/sign up endpoint from bad actor. This endpoint is expensive for us, because we need to send a One Time Password (OTP) to the submitted number.
A few prevention already in place, such as:
IP rate limiting
Phone number prefix check. They usually call the endpoint with number in sequence.
Only enable "Resend" button in the mobile app after 60 seconds & gradually increase.
This bad actors still find a way to pass our check. We want to introduce captcha challenge on our mobile app. reCAPTCHA v3 looks promising since it does not sacrifice user experience on the app.
Our app is written in react native & need to support both iOS & Android. So we must integrate it to our app by calling WebView.
Is this captcha effective enough to detect BOT, since there is not much interaction in the web view?
Related
The view.publish API can be used to provide an interactive interface to the user.
However, there is a delay of several seconds between the time my app receives the app_home_opened event and the time it calls the view.publish API, because my app should retrieve data. During this time, I would like to display a loading circle in App Home.
There is no mention of how to display it in the Slack API documentation. Apps like Google Calendar do this, so this should not be impossible.
Does anyone know of a way to do this?
How do I do cross-platform reCAPTCHA in Xamarin Forms?
Thanks
There are 2 ways of creating your own captcha that I know about. The simple one doesn't require a server for verification. which is to show a number or an image and ask the user to recognize that image or text. The verification will happen locally so it's not dynamic but you can lock the system after several trials and apply a good RNG to limit the automation attacks.
The second type will require a web service to get the image or the random text from the server. When the user registers or log in or call the other service that you want to protect, send this value with it and validate it before processing the request to save traffic.
I am following the tutorial located here: https://developer.xamarin.com/guides/xamarin-forms/cloud-services/authentication/oauth/
I got to the step titled: Presenting the Sign-In User Interface.
It says that, "When the Login method is invoked, the sign-in user interface is presented to the user in a tab from the device's web browser."
Now is this really the process when using Xamarin?
Because the other apps I've downloaded and played with don't open the browser and then open a new tab to give me a choice of which account to choose. Those apps pop up a small page on top of the app and allows me to select an account.
If this Xamarin process is different I am not going to use it when developing my app. Please clear this up for me thanks.
There is no such thing as as "Xamarin's way of oAuth".
oAuth is about authenticating users through 3rd parties like Google, Facebook, Twitter etc. There are different oAuth flows which are mostly used: the implicit grant and the authorisation code grant. For mobile apps the implicit flow is common because auth code flow involves the app keeping a secret which a mobile cannot really guarantee. For a great overview of these flows I can recommend this lecture from Xamarin.University.
These flows are the same no matter which underlying development stack you are using.
The documentation you are referring to is using a library to help using these flows: Xamarin.Auth. As a matter of fact you don't have to use this library at all. This library helps with storing tokens, sending requests that include the required tokens, detect endpoint redirects etc. Part of using this library is presenting the UI where the 3rd party vendors login form is shown.
This is what you do when calling:
var presenter = new Xamarin.Auth.Presenters.OAuthLoginPresenter();
presenter.Login(authenticator);
The actual implementation of presenting the UI is platform specific. On iOS the UI os shown modally if that's how you are coding it. If you change this code to show the UI as a small popup floating on top of existing content, you can of course do this. This is true for any given platform.
I have a mobile IOS application which is basically group chat oriented. I was wondering if I can make it beacon-enabled app. With other words, application which can detect beacons, determine id, receive short ads etc. I am quite new to beacons, still reading a lot about it. I found this article which makes me believe that maybe it is possible to achieve my goal.
I want my app, except for its original functionality, to be able to:
Detect a beacon (even if app is in background, without the need to have been paired or whatever)
Receive simple ads by the beacon (while using the app in a certain mode, to be able to project the ads on phone's screen)
Read some real-time info(if required by the user) like: speed(if moving beacon), temperature etc.
In order to achieve all that I would like not to disturb the end user by making him download additional stuff related to the beacon. I want him to have my app and that's all.
You can monitor for beacons while your app is in the background. You can do this by using the CoreLocation Framework or by using a framework of your beacon supplier. (e.g. Estimote)
To the ads: The beacon will only deliver its pre configured ids. (UUID + Major + Minor). If you want to receive ads, you must have a Webservice that will get your beacon ids and return you the ad to display.
(If the ads never change, you can put them directly into your app without a webservice)
How you will show the ads in your app is completely open to you.
I don't really understand what you mean with real-time-info. There are beacons that also send you TLM. So you can get the temperature and the battery level of the beacon. I've never seen moving beacons or beacons that can transmit their speed.
Some useful links:
https://developer.apple.com/ibeacon/
https://xamoom.com/en/2016/07/ibeacon-for-developers/
Is it possible to get the amount of times an URL is received by a device from the proximity beacon API? I want to know what the click through ratio is of the broadcasted URL.
That depends. If you write your own app that scans for Eddystone-URL beacons and triggers some content (e.g., the web page itself) off of that, then naturally you're in full control and can implement this kind of analytics. Though it'll only apply to people which installed the app.
If you rely on Chrome for iOS, or the Physical Web iOS and Android apps to discover the Eddystone-URL beacons, then these apps do not provide any such numbers.
However, both Chrome for iOS and the Physical Web apps do fetch some metadata about the URL they detect, such as the page title and page description, without the user first clicking on the link. So there's a slim possibility that you could filter such requests out (they will be made by the Physical Web Service, or some similar "bot"), separate them from the actual visits, and do analytics based on that. Most likely however, this "bot," or the proxying service (which is there precisely to prevent this kind of tracking, and protect the user's privacy), will also do some caching, so you'll see fewer requests than the actual number of times the URL is received by the device.
And finally, dropping to a lower level, a note: most beacons are uni-directional, i.e., they broadcast information, but don't receive any information back, so beacons themselves usually can't count the number of packets on the receiving end. (I guess you could technically use the Bluetooth "scan response" mechanism to do that, but it would require custom beacon hardware/firmware.)
Unfortunately, no, it will not do this by itself.
Google's Proximity Beacon Api is a server-side system that stores metadata about beacons (location, battery level, etc) It requires you to add special client code integrated with your app to submit detection data.
Similarly, detecting Eddystone-URL beacons generally requires you to add custom code to your app to do the detections and and present the URL to the user. (The only exception to this is for some Chrome for iOS users with the Chrome Today widget enabled, and no public system provides click through rates.)
Since your app must present the URL itself you really have to roll your own solution to this problem.
If I understand right, you should be able to achieve this by Google analytics campaign. Setup a campaign, add campaign url to ibeacon url and you should be able to check the details analytics through Google analytics.