Prevent password theft

  • Last Post 11 April 2014
  • Topic Is Solved
Chris posted this 09 April 2014


I'm wondering about password security in the case of mobile apps. Knowing that the password is stored in the client code, what prevents someone from opening the app archive, getting my API password and using my password to submit his requests and thus use my quota?


Andrey Isaev posted this 10 April 2014

This is a common problem for all client-server apps: one could use reverse engineering to replicate application behavior and be able to access the same infrastructure as the application does. So we recommend using the same security measures as you would in other cases - avoid storing the password as plain text, add some cryptography, etc. This will not remove the problem completely, but will make it more difficult and reduce the risk.

However, specifically for cases of a mobile application that will be distributed to a wide audience, ABBYY developed a different billing mechanism that addresses most developer concerns, including this one, by transferring a large portion of the risk from the developer to ABBYY. It is in BETA now, and if you are not in this program yet, I would recommend you contact us and sign in.

Chris posted this 10 April 2014

Thanks for your answer @Andrey.

With that being said, I am thinking of a way to get extra security and I was wondering if it's possible to initiate a task via my personal app backend to get an ABBYY token and a task ID. Then send this token and task ID from my backend to my client. With this token and the task ID, the client uploads the picture directly to the ABBYY backend. With the same token, the client retrieves the result from the ABBYY backend.

This allows me to have the ABBYY password on my backend instead of having it on the client, and also avoids having to upload the picture from the client to my backend, and then from my backend to the ABBYY backend, which would increase upload times.

I looked in the api doc, but I did not see a way to initiate a task without uploading a picture.

Andrey Isaev posted this 11 April 2014

The mechanism you described is not implemented at the moment, and it is not possible at all to access the service without the application ID and password, regardless of whether at the beginning of the task or later - both are required.

However, as I said, there is another mechanism we call "mobile billing" that also includes separate tokens for each mobile instance, and makes sure that you will not burn your credits if some instance uses much more recognition than others. It is not published yet as it is in beta. I think it would be beneficial for you to contact us and take part in this beta program.

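The pattern Chris proposes above (backend holds the real credentials and hands the client a token bound to one task) and the per-instance tokens Andrey mentions can both be sketched with the same mechanism. The following is an added illustration in Python, not code from this thread and not ABBYY's API (as Andrey says, the service does not support it); the claim layout, the stand-in `RecognitionService`, the quota rule and the shared-key setup are all assumptions made for the example. The point it shows is what a stolen token is worth: it is useless for any other task, expires on its own, and can only burn the credits of the one app instance it was minted for.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Shared key between the token issuer (your app backend) and the verifier
# (the recognition service). Constructed here for the example; in practice it
# is provisioned out of band and never shipped inside the mobile app.
SIGNING_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_task_token(key: bytes, instance_id: str, task_id: str,
                    ttl_seconds: int, now: Optional[float] = None) -> str:
    """Backend side: issue a token bound to one app instance, one task and an expiry.
    The app password never leaves the backend; only this token goes to the phone."""
    now = time.time() if now is None else now
    claims = {"inst": instance_id, "task": task_id, "exp": int(now) + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_task_token(key: bytes, token: str, task_id: str,
                      now: Optional[float] = None) -> Optional[dict]:
    """Service side: return the claims only if the signature, the task binding
    and the expiry all hold; otherwise None."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return None
    claims = json.loads(payload)                  # authentic, so safe to parse
    if claims.get("task") != task_id or claims.get("exp", 0) <= now:
        return None
    return claims


class RecognitionService:
    """Hypothetical stand-in for the recognition backend: checks the token and
    meters credits per app instance so one abusive phone cannot drain everything."""

    def __init__(self, key: bytes, per_instance_limit: int):
        self.key = key
        self.limit = per_instance_limit
        self.used: dict = {}

    def process(self, token: str, task_id: str, pages: int,
                now: Optional[float] = None) -> str:
        claims = verify_task_token(self.key, token, task_id, now)
        if claims is None:
            return "rejected: bad token"
        inst = claims["inst"]
        if self.used.get(inst, 0) + pages > self.limit:
            return "rejected: instance quota exhausted"
        self.used[inst] = self.used.get(inst, 0) + pages
        return "ok"


if __name__ == "__main__":
    svc = RecognitionService(SIGNING_KEY, per_instance_limit=5)
    token = mint_task_token(SIGNING_KEY, "phone-A", "task-1", ttl_seconds=300)
    print(svc.process(token, "task-1", pages=2))   # ok
    print(svc.process(token, "task-2", pages=2))   # rejected: bad token (wrong task)
```

The token still has to travel over TLS and the backend still has to decide who gets one (authenticate the app user, rate-limit minting), but the credential that actually bills you stays server-side, and the blast radius of a leaked token is one task, one instance, for a few minutes.
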
Chris posted this 11 April 2014

Sounds great. Thank you for your answers!