I'm publishing my first android app and I have doubts about security with the server.
I followed the tutorial to add security in the HTTP header using sha1, everything went well.
Tutorial
The problem is that the server has to know the password of the user, the client has to send it securely.
Do I have to configure the server with https for the first time the password is sent? should I always use https and forget about http headers?
Is there another secure alternative to https for secure password sending?
I am confused in these basic concepts ....
I need to introduce some security so that the url can not be used by others. It is not a user password, it is a unique string that I send to compare on the server and discard or accept future requests.
Thank you.
Do always use HTTPS: Narf
1 - add https to server (ubuntu 14.04, e2c Amazon), with a new unsigned certificate
https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04
2 - Connect to server from android whit unsigned certificate
https://developer.android.com/training/articles/security-ssl.html#SelfSigned
And resolve the authorization error:
OkHttp trusting certificate
The example of Google is fine, but an image is downloaded and we are interested in making a request, I have done so:
How to do an HTTPS POST from Android?
To add parameters to the request:
How to add parameters to HttpURLConnection using POST
Works for me
Related
Is there any way that I can create a proof of a file downloaded using https? With proof I mean a cryptographic record of some sort that links the contents of a file to a site at a certain time. If I understand TLS correctly, the server certificate is only used as a basis to establish a session key that is known to both parties, so each request is not signed but just encrypted for transfer. Any ideas if this can be done and if so how?
In HTTPS the certificate is only used for authentication and with the obsolete RSA key exchange also for key exchange. Application data are only protected against modification by some man in the middle but they are not signed by the sender. While a HTTP server could be explicitly implemented to sign and timestamp the content, one can not enforce such operation against an arbitrary existing server.
For more see
Where in a TLS connection can I get the signature of the content sent by the server?
Why does HTTPS not support non-repudiation?
How to prove some server sent some file over HTTPS
Proving authenticity of data accessed over TLS by an untrusted third party
I have JSON file on my server(on my website).My Iphone and Android app use this JSON.
I would like to hide or secure json files from another websites or app.
Is it possible ?
The most common way to do this it´s by using a Token that signs every WS call.
You can generate this Token in many ways, the most extended it´s by password username encryption.
Users in App sends USER/PASSWORD by SSL secured connection to the server.
Server validates USER/PASSWORD and sends back a token that will be used to sign every call made now on, so the user doesn't have to be sending every time the USER/PASSWORD info.
You can also check how to secure your web service following this SO link.
Best Practices for securing a REST API / web service
Hope it helps. :)
I have a HTTP REST API in PHP used by an iPhone application.
Some webservices from this API are secured with a user authentication in the HTTP request credentials but I want to avoid "man in the middle" attacks by providing fully encrypted requests data.
I'm not really skilled in security issues and I couldn't find any clear answer to my question anywhere :
Is HTTPS relevant for STATELESS REST API ?
From what I understood, HTTPS does 2 things :
encrypt your session
prove to the client that the server he is talking to is secured
So at first sight it does not respond to my need which is to encrypt the data between my server and the application because the API does not use sessions. But I still have doubts.
Can someone make it clear to me ?
My other solution would by to encrypt requests data with public/private keys system. Would it be more suitable ?
Thank you !
Yes, it is. HTTPS has nothing to do with the application, it's a tunneling protocol. Even though TLS is itself a stateful protocol, the HTTP part going over it is not.
Just like if you were using a VPN, you can still have a REST based application. The TLS just sets up and tears down the tunnel automatically for each connection.
That said, there's value in leveraging the pipelining aspects of HTTP and HTTPS to improve throughput over TLS connections, but that's a performance tuning aspect unrelated to the application itself.
HTTPS is very relevant, and yes, that's because of the two points you mentioned. Did you know that OAuth 2 actually enforces HTTPS?
Doing all the encryption yourself could be an option as well, but you lose the part where the API is easy to use.
Most man-in-the-middle attacks on "simple" HTTP requests involve stealing credentials and faking requests, but they can also read the data sent and received. If your issue is with the data being unreadable, use HTTPS. If fake requests are the only problem, an authentication protocol such as OAuth 1 (not 2) would suffice.
If you do not want to implement SSL you may want to check out http://www.jcryption.org/ I don't know if it will work in a stateless environment, but may be worth a try. It is basically a jquery plugin that handles creating key pair associations for data being transmitted. May only be for form submission though. We used to use it to encrypt login credentials at my old company.
Definitely use, HTTPS if the data is sensitive - it encrypts at the transport layer which is what you are looking for. As already pointed out oAuth 2.0 mandates it essentially. You can potentially avoid man in the middle by using hashing/signing as in oAuth 1.0 and avoid having to use SSL but the body still goes in the clear then (you've avoided sending the API credentials in the clear but not the body).
I want to write a hacking protected web services for PHP. Can anyone give me a example how to write that? How to send the authentication headers and how to manage it in the web service?
Many Thanks,
Naveed
First. Never write your own authentication.
Second. Save yourself the pain and serve your service up using https. It opens a lot more options for authentication that are both simple and secure. OAuth 2, Client Side SSL Certificates and even plain old Basic HTTP authentication are options if you are enforcing https. Even if you're doing your own token passing, you'll probably want to do so over SSL.
If https isn't an option, you can consider earlier versions of OAuth that don't require SSL.
Personally, I use a web service to authenticate the user. This web service return the token (a randomized string).
Then the user can call other web services with their specific arguments + the token.
If the token is not valid / expired / ... => I return a message to authenticate
else I return what should be returned :)
Hope this help...
There's a payment server. I can successfully send data via cURL and set appropriate key and certificate and payment server successfully answers. But now I need to make a redirect to that server so that client can enter credit card data. How can I make that redirect?
Is there a possibility to add key/certificate as a part of headers in function header("Location: https://...."); ?
Even if you could send the certificate along with the redirect, the browser still has to verify it. But you can't. It's impossible. You have to send a regular redirect. Because it's a https address, the browser will first request the certificate from the target host and verify it (including necessary user intervention). The outcome is the same.
There is no way to circumvent the popup dialog requesting the user to accept/trust or deny the certificate. HTTPS is designed to ensure "reasonable protection from eavesdroppers and man-in-the-middle attacks, provided that adequate cipher suites are used and that the server certificate is verified and trusted." (Quote from Wikipedia)
Unless the provider has a very weird setup, I don't think you can. There are two clients cpnnecting to the server - first your PHP code which is using the client certificate, then you expect a browser somewhere to be able to bind to the same session without the client certificate? The only way this would make any sense is if the payment provider sends back a surrogate authentication token - and if they did that they'd provide detailled documentation. Obviously that is not the case.
While you could proxy the data on your server, I'd strongly recommend you switch to a different payment provider which handles the entire payment process for you.