Hi,
I'm wondering about the password security in case of mobile apps. Knowing that the password is stored in the client code, what prevent someone to open the app archive, get my api password and use my password to submit his request and thus, use my quota?
Thanks
This is common problem for all client-server apps, one could use reverse engineering to replicate application behavior and be able access same infrastructure as application does. So we recommend to use same security measures as you would do in other cases - avoid storing password as plain text, add some cryptography, etc. This will not remove problem completely, but will make it more difficult and reduce the risk.
However, specifically for cases of mobile application that will be distributed to wide audience ABBYY developed different billing mechanism that addresses most of developer concerns including this one, by transferring large portion of risks from developer to ABBYY. It is in BETA now, and if you are not this program yet, I would recommend you to contact as cloudocrsdk@abbyy.com and sign in.
Thanks for your answer @Andrey.
With that being said, I am thinking of a way to get an extra security and I was wondering if it's possible to initiate a task via my personnal app backend to get a ABBYY token and a task ID. Then send this token and task ID from my backend to my client. With this token and the task ID, the client upload directly the picture to ABBYY backend. With the same token, the client retrieve the result from ABBYY backend.
This allow me to have the ABBYY password on my backend instead of having it on the client, and also avoid having to upload the picture from the client to my backend, and then from my backend to the ABBYY backend, which would increase upload times.
I looked in the api doc, but I did not see a way to initiate a task without uploading a picture.
The mechanism you described is not implemented at the moment and it is not possible at all to access service without application ID and password, regardless at the beginning of the task or later - both are requred.
However, as I said, there is another mechanism we call "mobile billing" that also includes separate tokens for each mobile instances, and makes sure that you will not burn your credits if some instance uses much more recognition than others. It is not published yet as it is in beta. I think it would be beneficial for you to contact us and take part in this beta program.
Sounds great. Thank you for your answers!
2162 questions, 6666 answers.
ABBYY Cloud OCR SDK provides world-leading accuracy of text recognition with no IT costs. Sign up for a free trial now or take a quick product tour.
Sans1954
1
