How do I do cross-platform reCAPTCHA in Xamarin Forms?
Thanks
There are two ways of creating your own captcha that I know about. The simple one doesn't require a server for verification: show a number or an image and ask the user to recognize that image or text. The verification happens locally, so it's not dynamic, but you can lock the system after several tries and apply a good RNG to limit automated attacks.
The second type requires a web service to get the image or the random text from the server. When the user registers, logs in or calls any other service that you want to protect, send this value with it and validate it before processing the request, to save traffic.
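The second, server-verified type as a worked example. This is added code, not from the answer above; the signing key, TTL and attempt limit are assumed values, and the in-memory dict stands in for a shared cache such as Redis. What it adds to the answer: the challenge answer never leaves the server, the token the client echoes back is MAC-protected so a forged id never reaches the store, and a challenge is burned after success, expiry or too many wrong answers, so a bot cannot keep grinding the same image.

```python
import hashlib
import hmac
import os
import secrets
import string
import time

# Assumed deployment values (not from the original answer).
SECRET_KEY = os.urandom(32)   # per-deployment key used to MAC challenge tokens
CHALLENGE_TTL = 120           # seconds a challenge stays valid
MAX_ATTEMPTS = 3              # wrong answers before the challenge is burned
ALPHABET = string.ascii_uppercase + string.digits

# challenge_id -> {"answer", "issued", "attempts"}; a dict stands in for a shared
# cache with TTL (e.g. Redis) so the example runs offline.
_challenges = {}


def _mac(challenge_id: str) -> str:
    return hmac.new(SECRET_KEY, challenge_id.encode(), hashlib.sha256).hexdigest()


def issue_challenge(length: int = 6, now=None):
    """Server side: create a random challenge.

    Returns (token, answer). The token goes to the client with the response that
    delivers the captcha; the answer is what you render as an image or audio clip
    and never send in plain form.
    """
    now = time.time() if now is None else now
    # secrets, not random: the answer must not be predictable from earlier challenges.
    answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
    challenge_id = secrets.token_urlsafe(16)
    _challenges[challenge_id] = {"answer": answer, "issued": now, "attempts": 0}
    # id.mac: a forged id fails the MAC check before it can touch the store.
    return f"{challenge_id}.{_mac(challenge_id)}", answer


def verify_challenge(token: str, user_answer: str, now=None) -> bool:
    """Server side: called with the token and the user's answer on the protected
    request (register, login, ...) before that request is processed."""
    now = time.time() if now is None else now
    challenge_id, sep, mac = token.partition(".")
    if not sep or not hmac.compare_digest(mac.encode(), _mac(challenge_id).encode()):
        return False
    record = _challenges.get(challenge_id)
    if record is None:
        return False                       # unknown, expired or already consumed
    if now - record["issued"] > CHALLENGE_TTL:
        _challenges.pop(challenge_id, None)
        return False
    record["attempts"] += 1
    ok = hmac.compare_digest(record["answer"].encode(),
                             user_answer.strip().upper().encode())
    if ok or record["attempts"] >= MAX_ATTEMPTS:
        # One-time use: burned on success, and burned after MAX_ATTEMPTS wrong
        # answers so the same image cannot be brute-forced or OCR-retried.
        _challenges.pop(challenge_id, None)
    return ok
```

The client never sees the answer, only the rendered image and the opaque token; the lockout the answer mentions is per challenge here, and a per-IP or per-account rate limit would sit in front of issue_challenge.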
We have a use case where we need to protect a login/sign-up endpoint from bad actors. This endpoint is expensive for us, because we need to send a One Time Password (OTP) to the submitted number.
A few preventions are already in place, such as:
IP rate limiting
Phone number prefix check. They usually call the endpoint with numbers in sequence.
Only enable the "Resend" button in the mobile app after 60 seconds, and gradually increase that delay.
These bad actors still find a way to pass our checks. We want to introduce a captcha challenge in our mobile app. reCAPTCHA v3 looks promising since it does not sacrifice user experience in the app.
Our app is written in React Native and needs to support both iOS and Android, so we must integrate it into our app through a WebView.
Is this captcha effective enough to detect bots, since there is not much interaction in the web view?
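Whatever reCAPTCHA v3 reports for a WebView session, the decision is made on the server from the JSON that https://www.google.com/recaptcha/api/siteverify returns, and that check involves more than reading the score. The following is added example code, not from the post above: it takes a siteverify response body that your backend has already fetched and applies the checks a practitioner wants before spending an OTP. The hostname set, score threshold and sample responses are constructed for the example; the field names (success, score, action, challenge_ts, hostname, error-codes) are the ones the siteverify API documents.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumed policy values (not from the original post).
EXPECTED_HOSTNAMES = {"api.example.com"}   # origin of the page that loaded the reCAPTCHA script
MAX_TOKEN_AGE = timedelta(minutes=2)       # siteverify itself only accepts v3 tokens for 2 minutes
SCORE_THRESHOLD = 0.5                      # tune per action from your own traffic


def evaluate_siteverify(body: str, expected_action: str, now: datetime,
                        threshold: float = SCORE_THRESHOLD):
    """Return (allow, reason) for a siteverify response body.

    `body` is the raw JSON your backend received after POSTing the client token
    (with your secret key) to https://www.google.com/recaptcha/api/siteverify.
    """
    try:
        resp = json.loads(body)
    except ValueError:
        return False, "malformed response"
    if not isinstance(resp, dict):
        return False, "malformed response"
    if not resp.get("success"):
        # A replayed token shows up here as "timeout-or-duplicate": siteverify
        # accepts each token once, so this check also stops replay of a good token.
        return False, "token rejected: " + ",".join(resp.get("error-codes", []))
    # The action is set by the client when the token is minted; checking it
    # stops a token harvested from a cheap action being spent on the OTP endpoint.
    if resp.get("action") != expected_action:
        return False, "action mismatch"
    # hostname is where the token was minted; a token minted on a page you do
    # not control is rejected here.
    if resp.get("hostname") not in EXPECTED_HOSTNAMES:
        return False, "hostname mismatch"
    try:
        issued = datetime.strptime(resp["challenge_ts"], "%Y-%m-%dT%H:%M:%SZ") \
            .replace(tzinfo=timezone.utc)
    except (KeyError, ValueError, TypeError):
        return False, "bad timestamp"
    if now - issued > MAX_TOKEN_AGE:
        return False, "stale token"
    score = float(resp.get("score", 0.0))
    if score < threshold:
        return False, f"score {score} below threshold {threshold}"
    return True, "ok"


# Constructed sample responses in the siteverify JSON shape, for offline use.
SAMPLE_NOW = datetime(2024, 5, 1, 12, 1, 0, tzinfo=timezone.utc)
SAMPLE_STALE_NOW = SAMPLE_NOW + timedelta(minutes=10)
SAMPLE_OK = json.dumps({"success": True, "score": 0.9, "action": "signup",
                        "challenge_ts": "2024-05-01T12:00:00Z",
                        "hostname": "api.example.com"})
SAMPLE_LOW_SCORE = json.dumps({"success": True, "score": 0.1, "action": "signup",
                               "challenge_ts": "2024-05-01T12:00:00Z",
                               "hostname": "api.example.com"})
SAMPLE_FOREIGN_HOST = json.dumps({"success": True, "score": 0.9, "action": "signup",
                                  "challenge_ts": "2024-05-01T12:00:00Z",
                                  "hostname": "attacker.example"})
SAMPLE_REPLAYED = json.dumps({"success": False,
                              "error-codes": ["timeout-or-duplicate"]})
```

The score threshold is the only knob that depends on how much signal v3 gets from a WebView; the action, hostname and freshness checks apply regardless, and a low score should degrade to a stronger challenge or a slower OTP path rather than a hard block.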
I am testing an application which is configured with Microsoft AD MFA. Whenever I log in to the application with my user ID and password, I receive a push notification on my mobile from the Microsoft Authenticator application with an "Approve" or "Deny" request.
Here we need to find solutions for these two problems:
How can we handle the push notification that we receive on the mobile while logging in using JMeter?
How do we perform the load test execution with MFA enabled, handling the push notification and token expiry?
Your test should focus on your application only; any external dependencies must be excluded. You are not load testing Microsoft's servers, are you?
So if your test is making requests to one of the "forbidden websites", most probably these requests need to be removed.
If for some reason that's not possible, ask around whether it's possible to turn off Azure authentication.
If that's not possible, ask whether it's possible to turn off the 2nd factor.
If that's not possible, ask whether it's possible to switch it to something you can handle easily, like an OATH software token.
As a last resort you can use a browser automation framework like Appium for automating the approval process on your mobile device/simulator.
I am following the tutorial located here: https://developer.xamarin.com/guides/xamarin-forms/cloud-services/authentication/oauth/
I got to the step titled: Presenting the Sign-In User Interface.
It says that, "When the Login method is invoked, the sign-in user interface is presented to the user in a tab from the device's web browser."
Now is this really the process when using Xamarin?
Because the other apps I've downloaded and played with don't open the browser and then open a new tab to give me a choice of which account to choose. Those apps pop up a small page on top of the app and allow me to select an account.
If this Xamarin process is different I am not going to use it when developing my app. Please clear this up for me, thanks.
There is no such thing as "Xamarin's way of OAuth".
OAuth is about authenticating users through 3rd parties like Google, Facebook, Twitter etc. Two OAuth flows are mostly used: the implicit grant and the authorisation code grant. For mobile apps the implicit flow is common because the auth code flow involves the app keeping a secret, which a mobile app cannot really guarantee. For a great overview of these flows I can recommend this lecture from Xamarin.University.
These flows are the same no matter which underlying development stack you are using.
The documentation you are referring to is using a library to help with these flows: Xamarin.Auth. As a matter of fact you don't have to use this library at all. This library helps with storing tokens, sending requests that include the required tokens, detecting endpoint redirects etc. Part of using this library is presenting the UI where the 3rd party vendor's login form is shown.
This is what you do when calling:
var presenter = new Xamarin.Auth.Presenters.OAuthLoginPresenter();
presenter.Login(authenticator);
The actual implementation of presenting the UI is platform specific. On iOS the UI is shown modally, if that's how you are coding it. If you change this code to show the UI as a small popup floating on top of existing content, you can of course do this. This is true for any given platform.
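The answer above mentions that the authorization code grant involves the app keeping a secret. PKCE (RFC 7636) is the extension that lets a public client use the authorization code grant without a client secret, and RFC 8252 requires it for native apps. The following is an added example, not code from the answer or from Xamarin.Auth: both the client-side pair generation and the authorization server's check are shown so the property is visible end to end. client_id, redirect_uri, the scope string and the dict store are placeholders.

```python
import base64
import hashlib
import hmac
import secrets


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# ---- Client (the mobile app) ----

def make_pkce_pair():
    """Generate (code_verifier, code_challenge).

    The verifier stays in app memory for the duration of the sign-in; only the
    SHA-256 challenge goes into the authorize request, so nothing in the app
    binary or in the redirect can be used to redeem an intercepted code.
    """
    verifier = _b64url(secrets.token_bytes(32))            # 43 chars, within the 43..128 range
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_params(client_id, redirect_uri, challenge, state,
                           scope="openid profile"):
    """Query parameters for the authorize request opened in the system browser."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,                      # random per request; compared on redirect
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }


# ---- Authorization server ----

def server_issue_code(store, challenge, method="S256"):
    """Record the challenge alongside a freshly minted authorization code."""
    code = secrets.token_urlsafe(24)
    store[code] = {"challenge": challenge, "method": method}
    return code


def server_exchange(store, code, verifier) -> bool:
    """Token endpoint: the code is redeemed only by whoever holds the verifier."""
    record = store.pop(code, None)          # codes are single use
    if record is None or record["method"] != "S256":
        return False                        # unknown/reused code, or downgrade to "plain"
    try:
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
    except UnicodeEncodeError:
        return False
    expected = _b64url(digest)
    return hmac.compare_digest(expected.encode(), record["challenge"].encode())
```

The check in server_exchange is what removes the need for a client secret: a code captured from the redirect is useless without the verifier, and the verifier was never transmitted until the token request over TLS.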
I am developing a user-generated content site. The goal is that users are rewarded if their content is viewed by a certain number of people. Whereas a user account is required to post content, an account is not required to view content.
I am currently developing the algorithm to count the number of valid views, and I am concerned about the possibility that users create bots to falsely increase their number of views. I would exclude views from the content generator’s IP, but I do not want to exclude valid views from other users with the same external IP address. The same external IP address could in fact account for a large amount of valid views in a college campus or corporate setting.
The site is implemented in python, and hosted on apache servers. The question is more theoretical in nature, as how can I establish whether or not traffic from the same IP is legitimate or not. I can’t find any content management systems that do this, and was just going to implement it myself.
You cannot reliably do this. Any method you create can be automated.
That said, you can raise the bar. For instance, every page viewed can have a random number encoded into a piece of JavaScript that will submit an AJAX request. Any view where you have that corresponding AJAX request is probably a real browser, and is likely to be a real human since few bots handle JavaScript correctly. But absolutely nothing stops someone from having an automatic script drive a real browser.
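The beacon described in the answer above, as added example code (not the answer's own): the page render embeds a per-view token, the page's JavaScript posts it back, and the server counts a view only when the token verifies. The token is an HMAC over content id, client IP, issue time and a nonce, so it cannot be minted by a script that never loaded the page, cannot be replayed, and cannot be posted from a different address than the one the page was served to. The key, window and in-memory nonce set are assumptions; a production version keeps seen nonces in a cache with expiry.

```python
import hashlib
import hmac
import os
import time

SECRET_KEY = os.urandom(32)   # assumed per-deployment key
BEACON_WINDOW = 300           # seconds allowed between page render and beacon
_seen_nonces = set()          # assumption: use a TTL cache in production


def _mac(content_id, client_ip, issued, nonce):
    msg = f"{content_id}|{client_ip}|{issued}|{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def mint_view_token(content_id: int, client_ip: str, now=None) -> str:
    """Called when rendering the page; the result is embedded in the page's
    JavaScript, which posts it back via an AJAX request."""
    issued = int(time.time() if now is None else now)
    nonce = os.urandom(8).hex()
    return f"{content_id}|{issued}|{nonce}|{_mac(content_id, client_ip, issued, nonce)}"


def count_view(token: str, client_ip: str, now=None) -> bool:
    """Beacon endpoint: return True exactly once per valid page render."""
    now = int(time.time() if now is None else now)
    parts = token.split("|")
    if len(parts) != 4:
        return False
    content_id, issued, nonce, mac = parts
    if not issued.isdigit():
        return False
    # Recompute over the beacon's own source IP: a token handed out to one
    # address cannot be redeemed from another, and any tampered field fails here.
    expected = _mac(content_id, client_ip, int(issued), nonce)
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return False
    if not 0 <= now - int(issued) <= BEACON_WINDOW:
        return False                      # beacon too late (or clock skew)
    if nonce in _seen_nonces:
        return False                      # replayed beacon
    _seen_nonces.add(nonce)
    return True
```

Because the token is bound to the address the page was served to rather than to the author's address, other people behind the same campus or office NAT still count, one view per page render; what it does not stop, exactly as the answer says, is someone driving a real browser through the same page repeatedly, which a per-address rate limit on mint_view_token can only slow down.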
Well... you can make them login (through facebook or google id etc, if you don't want to create your own infrastructure). This way it is much easier to track ratings.
WP7 newbie here..
In my application, I am using embedded web browser control to load an external web page.
I have a PIN based validation step in that application, which involves
1) The user leaves the current application (which has an external web page loaded in the embedded web browser) to launch the SMS Inbox.
2) The user reads the SMS he just received, which has the PIN. I am sending this SMS to the user.
3) The user then needs to resume the original application by hitting the back button, to enter the PIN he received in the SMS earlier.
Once the user reaches step 2, my application goes into the background and subsequently gets tombstoned. Once the user reaches step 3, I want to restore the application state (with the embedded web browser control) without making a fresh HTTP request to load the web page again.
So, with the given scenario in mind, I have the following two questions:
1) Is there a better way to do all this, like not having to exit the original application and still letting the user read the SMS (i.e. is there any API to read SMS)?
2) Is there a way to serialize the browser state/save the entire web page (with images, CSS, JS), such that the entire web page can be rendered exactly the way it was when the user left the running application?
Important points:
1) I can only use SMS as a communication channel. I cannot use something like a raw push notification channel, which could let me show the PIN to the user without exiting the application.
2) I am targeting the Windows Phone 7.0 runtime, but if there is a better option available in the Windows Mango update, please do tell me.
Any sort of help is greatly appreciated.
Update:
Added link to the embedded web browser component.
1) There is no API that would let you access the contents of the Messaging hub from inside your application. This is set up for privacy purposes.
2) By default, the web browser saves its state. So if you navigate away from your app, and then come back - the same web page will still be there unless you explicitly re-navigate on activation
1) The better way to do this would be to not embed the web page within an app. Just build a mobile website. If all the functionality is within the web page you gain nothing but problems by trying to put it inside an app.
The web browser control is not intended to be used to create an alternative browser (which is really what you're doing).
2) You can try using the SaveToString() method to store the state of the page when tombstoned but this doesn't allow for modifications to the page since it was loaded (including anything dynamically updated or any state in javascript). If you have multiple pages you'll also need to maintain the internal backstack and the state of each page separately.
Short answer: If you want to put your application logic in a webBrowser control then you can't support tombstoning. Fast-App-Switching (in Mango) partially addresses this but not completely.