Authentication/Authorization of Tracker event streams


#1

How are we supposed to secure the Collector? I have my Android tracker and it is streaming events into my Scala collector. There’s the option of choosing HTTPS, but how do I validate the requests that are coming in?
Is there a way to set up HTTP basic authentication (using client id/secret) or JWT token based authentication? If yes, how should I go about it, and is it a good idea or not?
I want to make sure that I am getting requests only from my partner apps.


#2

Hey @shailesh17mar - it’s an interesting one. Can I ask - what is the exact problem you are trying to solve? Is it a bad actor inspecting your Android apps to find the endpoint and then sending fake data? Or something else?

Of course any secret you embed into the app will be visible by a bad actor as well - but perhaps there’s another approach I am missing?

Edit: I forgot we have a ticket to brainstorm ideas for this too: Placeholder for Verified Events #1139


#3

Yeah, I am trying to solve a bad actor inspecting my Android app, or, if anyone somehow got hold of the endpoint, is there any way to secure it?


#4

Do your users have to authenticate into your Android apps, or can they use them anonymously?


#5

They can use it anonymously as well.


#6

I’m also interested in this.

For client-side apps sending data about user interactions, I’m not particularly concerned about authenticating the incoming events. However, it would be nice if there was a way to ensure that only authenticated server-side applications could send events to the collector.

Maybe there could be basic authentication based on the app id or something.

I suppose it’d be possible currently by inspecting the request with another service before it hits the collector. However, that service would then have to be scaled independently.
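One shape the pre-collector check described above could take, as an added example that is not part of this thread or of the collector's own code: a gateway-side function that validates HTTP Basic credentials issued per server-side app id before a request is forwarded. It assumes a registry of per-app secrets stored as salted hashes (constructed sample data below) and that the sender's app id also travels in an `aid` query parameter (an assumption about the tracker protocol); embedded secrets in client-side apps remain readable by anyone with the binary, so this only helps for server-side senders.

```python
import base64
import hashlib
import hmac
from typing import Optional

def _hash_secret(secret: str, salt: str) -> str:
    """Salted SHA-256 so the registry never holds raw secrets."""
    return hashlib.sha256((salt + secret).encode()).hexdigest()

# Constructed sample registry: app id -> (salt, hash of secret).
# A real deployment would load this from a secret store, not source code.
APP_CREDENTIALS = {
    "backend-orders":  ("salt-1", _hash_secret("s3cret-orders", "salt-1")),
    "backend-billing": ("salt-2", _hash_secret("s3cret-billing", "salt-2")),
}

def make_basic_header(app_id: str, secret: str) -> str:
    """Header a trusted server-side sender attaches (used by clients and tests)."""
    return "Basic " + base64.b64encode(f"{app_id}:{secret}".encode()).decode()

def authenticate_basic(authorization_header: Optional[str]) -> Optional[str]:
    """Return the app id if the Basic credentials are valid, otherwise None."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization_header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None  # malformed base64 or non-UTF-8 payload
    app_id, sep, secret = decoded.partition(":")
    if not sep or app_id not in APP_CREDENTIALS:
        return None
    salt, expected = APP_CREDENTIALS[app_id]
    # Constant-time compare of hashes to avoid leaking secret bytes via timing.
    if not hmac.compare_digest(_hash_secret(secret, salt), expected):
        return None
    return app_id

def check_event_request(headers: dict, query: dict) -> bool:
    """Admit only if Basic auth passes and the claimed aid matches the credential."""
    app_id = authenticate_basic(headers.get("Authorization"))
    return app_id is not None and query.get("aid") == app_id
```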


#7

Hey @bryce - thanks for bubbling this thread up again! We are working on an RFC for Authenticated Events - hope to publish this soon…


#8

Hi Alex - great news!!