I am trying to create a simple minimal session management kind of system in Google Endpoints.
I authenticate users on my Android app. For making authenticated Endpoint API calls, I plan to verify the user only once on the Endpoint server by passing the idToken in the first call to Endpoints API from Android app.
I would, then, assign a session_id (say a number) to that user. This session_id would be communicated back to that Android app. The Cloud Endpoint server would not verify the user for the next 24 hours.
When an Android app calls an endpoints API with that session_id, I would perform the required operations assuming it to be from the authenticated user.
CONCERNS
If anyone sniffs the session_id, he would be able to perform operations of an authenticated user.
Q 1
Is it secure ( and correct way) to pass sensitive data (like session_id) to Google Cloud Endpoints from Android app ?
Q 2 Is all communication between Android app and Cloud Endpoints done via HTTPS by default even though I do not have HTTPS enabled for my website ? Official doc says :
Important: Google Cloud Endpoints requires SSL. If you need to access your backend API in a system not supporting SSL, you'll need to either update the system to support SSL or use a proxy.
Another Official doc says:
In both method decorators, we supply the path to specify a location at which the method serves requests. The value specified is appended to the API path, for example, if the value hellogreeting is specified, the path is https://your-app-id.appspot.com/_ah/api/helloworld/v1/hellogreeting. For greetings.getGreeting, the path is hellogreeting/{id} where {id} is required or else your API method won't receive the incoming request argument.
NOTE: I do not have SSL (HTTPS) enabled for my website. I use GAE Python on web and Android/Java. I have website and an Android app which I am migrating from Google authentication to Google Identity Toolkit based multiple provider authentication (like Facebook, Google, others).
