I am accessing Google Cloud API (Calendar, Sheets) resources from my php app by authenticating as a service account.
Is the communication made by google-api-php-client encrypted?
I want to know if my service account credentials are being transferred securely over https.
Thanks for your help!
I want to know if my service account credentials are being transferred securely over https.
https stands for Hypertext Transfer Protocol Secure. So yes, it is secure. https always involves SSL. As long as the SSL-Certificates are valid, (which they propably are), everythig is fine.
Related
my app api is captured with http carnary app which the hacker could access the api.
Is http request authorization could prevent it?
Basic xxxxxxx
I dont know where to ask. Been strugling for days without result.
Disable HTTP without TLS on your server, use certificate pinning on the client. The attacker will only be able to see requests (by reverse engineering or modifying the application). There is no way to be 100% secure in this case. If the user has network access he will be able to see the data. HTTPS and certificate pinning will be reasonable big obstacle for most attackers.
I want to enter from my web to another, which is located in another server and it has a login.
Until now, I am accessing to this web by apache reverse proxy and a harcorded credentials in my code, but it is not secure.
My idea is make it with some type of authentication token and I found JWT's, but I have absolutely forbidden to use OAuth in the project.
So, anyone could recommend me any solution without OAuth technology?
You can use JWT with a shared secret key in the signature in stead of OAuth.
I have web services made in PHP which gives response in JSON. I have used these services in one of my iOS app.
But when I use web debugging tool like fiddler it shows all the data passing to my web services. Either I used GET or POST method.
How to secure the communication between server and the client application? Also which kind of encryption should be used to secure the data and where it should be used like either on server side or client side?
I have seen some methods like ssl/https connectivity to secure data. But I don't know how to implement that in iOS?
To Secure web service data you many people follow below authentication procedures
Basic Authentication, Authentication with NSURLConnection sendAsynchronousRequest with completion handler
OAuth 2.0,
https://github.com/nxtbgthng/OAuth2Client
SSL and TLS Authentication procedures
http://www.techrepublic.com/blog/software-engineer/use-https-certificate-handling-to-protect-your-ios-app/
Before you implement in iOS ,your backend developer (in your case PHP Developer) need to implement in the backend side and provide necessary information to you
If you use https all data is encrypted except the URL address. Some diagnostic programs can show the unencrypted communication by setting up a proxy on the device, this and MITM attacks can be averted by pinning the certificate if you are connecting to a known https server.
I know that there are many similar questions posted, but none of them refers to an HTML/javascript app where the user can access the code.
I have a private REST API written in nodejs. It is private because its only purpose is to server my HTML5 clients apps (Chrome app and Adobe Air app). So an API key is not a good solution since any user can see the javascript code.
I want to avoid bots creating accounts on my server and consuming my resources.
Is there any way to acomplish this?
An API key is a decent solution especially if you require constraints on the API key's request origin; consider that you should only accept an API key if the originating web request comes from an authorized source, such as your private domain. If a web request comes from an unauthorized domain, you could simply deny processing the request.
You can improve the security of this mechanism by utilizing a specialized encoding scheme, such as a hash-based message authentication code (HMAC). The following resource explains this mechanism clearly:
http://cloud.dzone.com/news/using-api-keys-effectively
What you want to do is employ mutually-authenticated SSL, so that your server will only accept incoming connections from your app and your app will only communicate with your server.
Here's the high-level approach. Create a self-signed server SSL certificate and deploy on your web server. If you're using Android, you can use the keytool included with the Android SDK for this purpose; if you're using another app platform, similar tools exist for them as well. Then create a self-signed client and deploy that within your application in a custom keystore included in your application as a resource (keytool will generate this as well). Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. Configure the client to use that client-side certificate to identify itself and only accept the one server-side certificate you installed on your server for that part of it.
If someone/something other than your app attempts to connect to your server, the SSL connection will not be created, as the server will reject incoming SSL connections that do not present the client certificate that you have included in your app.
A step-by-step for this is a much longer answer than is warranted here. I would suggest doing this in stages as there are resources on the web about how to deal with self-signed SSL certificate in Android (I'm not as familiar with how to do this on other mobile platforms), both server and client side. There is also a complete walk-through in my book, Application Security for the Android Platform, published by O'Reilly.
I have JSON file on my server(on my website).My Iphone and Android app use this JSON.
I would like to hide or secure json files from another websites or app.
Is it possible ?
The most common way to do this it´s by using a Token that signs every WS call.
You can generate this Token in many ways, the most extended it´s by password username encryption.
Users in App sends USER/PASSWORD by SSL secured connection to the server.
Server validates USER/PASSWORD and sends back a token that will be used to sign every call made now on, so the user doesn't have to be sending every time the USER/PASSWORD info.
You can also check how to secure your web service following this SO link.
Best Practices for securing a REST API / web service
Hope it helps. :)