User story: I as a NextCloud user, want to use all NextCloud features on Android.
So downloading multiple apps is fine (and you got many: OCReader; Notes, NextCloud itself, …), installing them is fine, but afterwards we get some problems…
The problems
- User experience: Currently in all apps I saw have to re-enter my credentials. If I want to make it in a secure way I even have to recreate device passwords for each app (see 2.1 below)… That's cumbersome.
- Security:
2.1. Each apps stores passwords. The fact that you can (and should) use separate device/app passwords for all these apps mitigates the risk, but nevertheless the password storage may get a problem.
2.2. Another thing is the connection to the NextCloud server: Do all these apps verify HTTPS certs correctly? Do these apps honor HSTS? What about HPKP? What about SSLv3? What about insecure ciphers? Do all these apps have the option to distrust system certificates?
SSL (implementations) are a well-known and common issue on Android…
What I want to show is: Using multiple apps, which may be more or less maintained, which may be better in a security aspect or not, which may accidentally delete all your data and where each of them needs a login is (potentially) bad.
Even when all apps are open-source (which is not guaranteed as users might also use non-FLOSS apps) open-source does not equal to security. NextCloud should provide a secure platform, where third-parties can securely integrate their apps.
Possibly solutions
- As for the first issue, something is proposed thanks to @David-Development lib: Basically getting the user account from the saved one in Android accounts. However: This means the same password is used creating a potential security risk.
- or integrate all these third-party apps into the main NextCloud app. However: This requires much work, additional app permissions and will likely make the maintainers of the other apps sad.
My proposed solution
…is therefore to create an API as the title indicates. Allow apps to connect to the main NextCloud app, where they can request permissions etc. All traffic (and therefore the SSL/TLS things) would be handled by one app - NextCloud - where you can include all security features etc. You can more easily expand/change the NextCloud system, especially the authentication.
Examples
So how exactly could it be done? I've got two examples of other open source apps here:
- the way K9 mail integrates the OpenPGP provider. They show an authentication screen.
- the way DAVDroid integrates with Open Tasks (via custom Android permissions).
Related: https://github.com/nextcloud/android/issues/626 (DavDroid)
CCing other app devs: @schaal (ocreader), @stefan-niedermann (nextcloud-notes), @bitfireAT @devvv4ever (DAVDroid), @nerzhul (Nextcloud SMS App), @David-Development (News-Android-App)
Others, who might be interested: @jancborchardt
Any app I forgot? Please comment and I'll add the maintainer here.
rugk
All 12 comments
CCing @nerzhul (Nextcloud SMS App)
AndyScherzinger
on 16 Mar 2017
Also requested in https://github.com/schaal/ocreader/issues/45#issuecomment-287593441 by @schaal as "form of OAuth".
BTW other arguments for this thing:
- When e2e encryption is implemented this API eases the way for third-party apps, as they should not have to make much changes.
rugk
on 19 Mar 2017
Yup, it would indeed be awesome to fold the library of @David-Development into this main app so every other app can request permissions to the credentials and you have to then accept it in the Nextcloud app.
jancborchardt
on 29 Mar 2017
Can you read https://github.com/David-Development/ownCloud-Account-Importer/issues/3 and tell us if this fit your needs?
tobiasKaminsky
on 26 Jun 2017
Yeah, this looks good for the authentication part. However, in this issue I deliberately proposed a "bigger" API, whcih also covers the network connections. (see "problems 2.2.")
rugk
on 26 Jun 2017
Right now DAVdroid has the problem that latest Android throttles background services. Polling is not a good solution for mobile anyway. So the Nextcloud app should be able to notify other apps of events on the Nextcloud server (like changes in calendar etc).
awesome-manuel
on 4 May 2018
@awesome-manuel What do you mean exactly with "throttles background services"?
devvv4ever
on 4 May 2018
DAVdroid has to be whitelisted to be not affected by battery optimization: https://www.davdroid.com/faq/automatic-synchronization-is-not-run-as-expected/
awesome-manuel
on 4 May 2018
Ah, I see. However I wouldn't say it's a "DAVdroid problem", but just how things are working in Android: if you don't use Google's proprietary FCM services, you will be punished by battery saving. This happens for many apps, including DAVdroid, XMPP clients (Conversations, …), messengers (Threema), …
Of course CalDAV/CardDAV push would be cool, but even if an open standard would exist, implementing it would either require
- an open TCP/IP connection to the server, i.e. battery saving whitelisting and probably even more (permanent status notification), or
- usage of Google's proprietary FCM (which is not available on Google-free phones).
But I guess this is off-topic here… if somebody is interested in more information/discussion, please use the DAVdroid forum :)
devvv4ever
on 4 May 2018
Nextcloud already uses FCM for the sync and the talk app. But of course other apps cannot include the FCM API key, so one of the Nextcloud apps has to mediate the notification.
awesome-manuel
on 4 May 2018
There has been some development on the possibilities to implement a global authentication / secure networking problem for all apps. If you're interested, follow the discussion here: https://github.com/nextcloud/ownCloud-Account-Importer/issues/3
@jancborchardt @tobiasKaminsky @mario It would be great to see this feature in production sometime :D I'm still waiting for some feedback..
David-Development
on 5 May 2018
I am constantly keeping the PR up to dating hoping that @tobiasKaminsky will find the time to integrate and test it.
AndyScherzinger
on 5 May 2018
Related issues
Shagequi
·
3Comments
tobiasKaminsky
·
3Comments
JSoko
·
3Comments
Bugsbane
·
3Comments
rainer042
·
3Comments
Most helpful comment
I am constantly keeping the PR up to dating hoping that @tobiasKaminsky will find the time to integrate and test it.