I'm wondering about the password security in case of mobile apps. Knowing that the password is stored in the client code, what prevent someone to open the app archive, get my api password and use my password to submit his request and thus, use my quota?


asked 09 Apr '14, 20:53

Chris's gravatar image


This is common problem for all client-server apps, one could use reverse engineering to replicate application behavior and be able access same infrastructure as application does. So we recommend to use same security measures as you would do in other cases - avoid storing password as plain text, add some cryptography, etc. This will not remove problem completely, but will make it more difficult and reduce the risk.

However, specifically for cases of mobile application that will be distributed to wide audience ABBYY developed different billing mechanism that addresses most of developer concerns including this one, by transferring large portion of risks from developer to ABBYY. It is in BETA now, and if you are not this program yet, I would recommend you to contact as cloudocrsdk@abbyy.com and sign in.


answered 10 Apr '14, 10:50

Andrey%20Isaev's gravatar image

Andrey Isaev ♦♦

edited 10 Apr '14, 10:50

Thanks for your answer @Andrey.

With that being said, I am thinking of a way to get an extra security and I was wondering if it's possible to initiate a task via my personnal app backend to get a ABBYY token and a task ID. Then send this token and task ID from my backend to my client. With this token and the task ID, the client upload directly the picture to ABBYY backend. With the same token, the client retrieve the result from ABBYY backend.

This allow me to have the ABBYY password on my backend instead of having it on the client, and also avoid having to upload the picture from the client to my backend, and then from my backend to the ABBYY backend, which would increase upload times.

I looked in the api doc, but I did not see a way to initiate a task without uploading a picture.

(10 Apr '14, 20:33) Chris

The mechanism you described is not implemented at the moment and it is not possible at all to access service without application ID and password, regardless at the beginning of the task or later - both are requred.

However, as I said, there is another mechanism we call "mobile billing" that also includes separate tokens for each mobile instances, and makes sure that you will not burn your credits if some instance uses much more recognition than others. It is not published yet as it is in beta. I think it would be beneficial for you to contact us and take part in this beta program.

(11 Apr '14, 13:13) Andrey Isaev ♦♦

Sounds great. Thank you for your answers!

(11 Apr '14, 19:37) Chris
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported



Asked: 09 Apr '14, 20:53

Seen: 704 times

Last updated: 11 Apr '14, 19:37

© 2016 ABBYY. All rights Reserved. www.ABBYY.com | Privacy Policy | Legal