Best practise for placing order from Android app

We're integrating the java client of Kite SDK with our Android App. For placing any order on the platform we'll need an Access Token of the user.
For generating Access Token, we need request_token and api_secret. We are able to fetch request_token from redirected url after user logs in from the webview integrated in our app. But for generating Access Token we also need api_secret, according to Kite documentation,
For mobile and desktop applications, there has to be a remote backend which does the handshake on behalf of the mobile app and the api_secret should never be embedded in the app.
This means that Access Token will be generated at remote backend and sent back to the client. We feel this might make the Access Token susceptible to being exposed to network analyzer tools like Wireshark.

So, we wanted to know the best practices for execution of orders from within mobile apps or should the placing of order happen at backend?

@rakeshr could you please share your insight here.
  • tonystark

    Access Token susceptible to being exposed to network analyzer tools like Wireshark
    This is okay. Auth tokens of every application is visible to network analyzer tools. And that is the reason people use network analyzer tools, requests monitoring in browser dev tools etc. But there are safe guards in place to restrict bad actors getting the session access, like daily expiry of tokens, SSL/TLS to encrypt the transferred data, HTTPS certificates to verify the authenticity of the encryption, operating system permissions to block network monitoring etc. You should try Wireshark with your application and see how difficult it is to collect the auth data.

    All our apps, including Kite and Coin, use access tokens for authentication with Kite Connect. If you have a specific reason like, monitoring all the orders placed via your API key or disallow offsite order placements or custom API permissions, then you could keep access token in your backend and authenticate clients with your own session token. And backend can also handle the order placement. But semantically this session token becomes the new access token which is again visible to network analyzers.
Sign In or Register to comment.