I have built an Android app that is a simple WebView app. The purpose of the app is to simply display example.com and allow the users to interact with the website. After opening the app for the first time, the user is taken to example.com/login. This page is protected by Google's invisible reCaptcha.

My problem is that reCaptcha displays the challenge (e.g. click the storefronts, cars, etc.) approximately 70% of the time. This is an unacceptably frustrating first encounter with the app for my users.

I'm thinking that something about an Android WebView must seem especially suspicious to Google, resulting in the extra verification. But how can I maintain the security of my form against brute-force attacks while being less annoying to real people? Here are some options that came to mind:

  1. Implement reCaptcha for Android instead and remove reCaptcha from my login form. That is, only display that login form if the user successfully passes reCaptcha for Android. But this still seems dangerous to me, as some robots may "slip through the cracks" of reCaptcha for Android. Then, they could exploit my login form with a brute force attack. In addition, my login form is used by regular/desktop visitors as well, so some sort of form-level protection is needed.
  2. Use one of several reCaptcha competitors. I am skeptical about this, since their algorithms may still treat Android visitors with similar scrutiny.
  3. Build an initial layer of security into my login form using PHP before displaying reCaptcha. Here's what I'm thinking: I could create a MySQL table called failed_attempts. When a failed login attempt occurs, a record would be created with the current date/time and that user's IP address. If more than 3 failed login attempts have occurred for a given IP address within the last 30 minutes, the user is required to use a reCaptcha protected login form for additional login attempts.
  4. A variation of option #3, except track the user's failed attempts via a browser cookie rather than IP address. I have read that brute force attacks may utilize multiple IP addresses, so relying on IP address may not be secure. Then again, cookies can be easily cleared or disabled, so I am even more doubtful of this method.

What is the best way forward? I would prefer to display an unprotected login form for users at first, then fall back to reCaptcha if multiple failed attempts occur. If this cannot be done reliably or securely, I am interested in an equally secure but less annoying form of reCaptcha deployed in my web-based login form or within Android itself.

EDIT: Due to the casual nature of my site, traditional two-factor authentication via security questions or a five-digit SMS code would be excessive and equally frustrating for users.

jumpingmaniac

2 Answers

Upon researching this further, I think the best solution is to force recaptcha on my form if the site has experienced X number of failed login attempts site-wide (regardless of IP). For example, if 30 failed login attempts have occurred in the last 5 minutes, recaptcha would be forced for all users. Here is a helpful topic describing how this can be implemented in PHP: How can I throttle user login attempts in PHP

jumpingmaniac
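The two throttling rules discussed on this page, option 3 of the question (more than 3 failures from one IP within 30 minutes) and the answer's site-wide rule (30 failures within 5 minutes forces reCAPTCHA for everyone), can be served by the same failed_attempts table. The block below is an added example, not code from the question or the linked answer, and it is written in Python with SQLite rather than the asker's PHP/MySQL so that it runs stand-alone; the table name is the one from the question, the function names and the IP addresses (from documentation ranges) are constructed for the example.

```python
import sqlite3
from datetime import datetime, timedelta

# Thresholds as stated on the page: option 3 of the question and the first answer.
PER_IP_LIMIT = 3                      # "more than 3 failed login attempts" ...
PER_IP_WINDOW = timedelta(minutes=30)  # ... "within the last 30 minutes"
SITE_LIMIT = 30                       # "30 failed login attempts" site-wide ...
SITE_WINDOW = timedelta(minutes=5)    # ... "in the last 5 minutes"


def open_store():
    """Create the failed_attempts table (name from the question) in an in-memory SQLite DB."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE failed_attempts ("
        "  id INTEGER PRIMARY KEY,"
        "  ip TEXT NOT NULL,"
        "  attempted_at TEXT NOT NULL)"  # ISO-8601 text, fixed width, so it compares lexically
    )
    # Both lookups below are range scans over time; index them so the check stays cheap.
    db.execute("CREATE INDEX idx_ip_time ON failed_attempts (ip, attempted_at)")
    db.execute("CREATE INDEX idx_time ON failed_attempts (attempted_at)")
    return db


def record_failure(db, ip, now):
    """Insert one row per failed login, as the question describes."""
    db.execute("INSERT INTO failed_attempts (ip, attempted_at) VALUES (?, ?)",
               (ip, now.isoformat()))
    db.commit()


def count_since(db, since, ip=None):
    """Count failures at or after `since`, for one IP or (ip=None) site-wide."""
    if ip is None:
        row = db.execute("SELECT COUNT(*) FROM failed_attempts WHERE attempted_at >= ?",
                         (since.isoformat(),)).fetchone()
    else:
        row = db.execute("SELECT COUNT(*) FROM failed_attempts "
                         "WHERE ip = ? AND attempted_at >= ?",
                         (ip, since.isoformat())).fetchone()
    return row[0]


def captcha_required(db, ip, now):
    """Decide which login form to serve: True means the reCAPTCHA-protected one."""
    if count_since(db, now - PER_IP_WINDOW, ip) > PER_IP_LIMIT:
        return True                       # this address alone is hammering the form
    if count_since(db, now - SITE_WINDOW) >= SITE_LIMIT:
        return True                       # distributed guessing: protect everyone
    return False


def purge_old(db, now):
    """Drop rows older than the longest window so the table does not grow forever."""
    cutoff = now - max(PER_IP_WINDOW, SITE_WINDOW)
    db.execute("DELETE FROM failed_attempts WHERE attempted_at < ?", (cutoff.isoformat(),))
    db.commit()


def simulate():
    """Constructed scenario: one noisy address, then a burst spread over many addresses."""
    db = open_store()
    t0 = datetime(2018, 10, 28, 2, 0, 0)
    # Constructed: 4 failures from a single address, one minute apart.
    for i in range(4):
        record_failure(db, "203.0.113.7", t0 + timedelta(minutes=i))
    single_ip = captcha_required(db, "203.0.113.7", t0 + timedelta(minutes=5))
    other_ip_before = captcha_required(db, "198.51.100.9", t0 + timedelta(minutes=5))
    # Constructed: 30 failures from 30 distinct addresses inside a 30-second burst.
    for i in range(30):
        record_failure(db, f"192.0.2.{i}", t0 + timedelta(minutes=10, seconds=i))
    other_ip_after = captcha_required(db, "198.51.100.9", t0 + timedelta(minutes=12))
    # Once both windows have passed, the unprotected form is served again.
    purge_old(db, t0 + timedelta(minutes=45))
    later = captcha_required(db, "198.51.100.9", t0 + timedelta(minutes=45))
    return single_ip, other_ip_before, other_ip_after, later
```

In `simulate()` the uninvolved visitor is not challenged while only one address is failing, but is challenged once the site-wide burst trips the 30-in-5-minutes rule, which is exactly the trade-off the answer accepts: the site-wide rule catches guessing spread over many IPs, at the cost that one burst of failures puts the CAPTCHA in front of every user until the window expires.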

Use 2FA instead of reCAPTCHA, in order to provide some meaning to the login form.

Because bots don't use Android apps; they use web forms.

Martin Zeitler
  • Even if bots can't use Android, I think a malicious user could still execute a brute force attack using their Android device, right? – jumpingmaniac Oct 28 '18 at 02:15
  • @jumpingmaniac Even when using UI Automator ... the attack vector is so small that it does not really exist. Having a reCAPTCHA within an Android WebView is just strange - while having the possibility to enable 2FA for login, chances brute-force would succeed are drastically reduced. Unless writing banking software, there probably isn't much to get there ... except some email addresses. – Martin Zeitler Oct 28 '18 at 03:37