I know that there are many similar questions posted, but none of them refers to an HTML/javascript app where the user can access the code.
I have a private REST API written in nodejs. It is private because its only purpose is to server my HTML5 clients apps (Chrome app and Adobe Air app). So an API key is not a good solution since any user can see the javascript code.
I want to avoid bots creating accounts on my server and consuming my resources.
Is there any way to acomplish this?
An API key is a decent solution especially if you require constraints on the API key's request origin; consider that you should only accept an API key if the originating web request comes from an authorized source, such as your private domain. If a web request comes from an unauthorized domain, you could simply deny processing the request.
You can improve the security of this mechanism by utilizing a specialized encoding scheme, such as a hash-based message authentication code (HMAC). The following resource explains this mechanism clearly:
http://cloud.dzone.com/news/using-api-keys-effectively
What you want to do is employ mutually-authenticated SSL, so that your server will only accept incoming connections from your app and your app will only communicate with your server.
Here's the high-level approach. Create a self-signed server SSL certificate and deploy on your web server. If you're using Android, you can use the keytool included with the Android SDK for this purpose; if you're using another app platform, similar tools exist for them as well. Then create a self-signed client and deploy that within your application in a custom keystore included in your application as a resource (keytool will generate this as well). Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. Configure the client to use that client-side certificate to identify itself and only accept the one server-side certificate you installed on your server for that part of it.
If someone/something other than your app attempts to connect to your server, the SSL connection will not be created, as the server will reject incoming SSL connections that do not present the client certificate that you have included in your app.
A step-by-step for this is a much longer answer than is warranted here. I would suggest doing this in stages as there are resources on the web about how to deal with self-signed SSL certificate in Android (I'm not as familiar with how to do this on other mobile platforms), both server and client side. There is also a complete walk-through in my book, Application Security for the Android Platform, published by O'Reilly.
Related
I have a plan to develop an online file manager application to manage(add/edit/update/copy/delete) my client's(My business clients) server files. Instead of using Filezila or any such FTP applications. Because there is no such options to track the file changes history in those applications.
My idea is
Placing an agent file in production server (http://example-client-site.com/file-manager-api.php)
Call the agent file (file-manager-api.php) from my project management system, which is hosted online. (http://example-proj-mgmt.com)
So i can access the production server files from my project management system like REST API , without connecting through FTP.
My question is, what are the security issues in the way of access the server through URL REST API method ?
Please give me some idea to overcome the security issues.
Thanks in advance :)
The Concept is good, I only have concerned with security. What you can do is you can keep something like Token or Authorization key or such, where only authorized users can access it, as the concerned is REST API.
Authorization (Tokn key)
Protect Against Cross-site Request Forgery
Insecure Direct Object References
URL Validations
Secure Parsing & Strong Typing
Validate Incoming Content-types
JSON Encoding
Message Integrity
I have web services made in PHP which gives response in JSON. I have used these services in one of my iOS app.
But when I use web debugging tool like fiddler it shows all the data passing to my web services. Either I used GET or POST method.
How to secure the communication between server and the client application? Also which kind of encryption should be used to secure the data and where it should be used like either on server side or client side?
I have seen some methods like ssl/https connectivity to secure data. But I don't know how to implement that in iOS?
To Secure web service data you many people follow below authentication procedures
Basic Authentication, Authentication with NSURLConnection sendAsynchronousRequest with completion handler
OAuth 2.0,
https://github.com/nxtbgthng/OAuth2Client
SSL and TLS Authentication procedures
http://www.techrepublic.com/blog/software-engineer/use-https-certificate-handling-to-protect-your-ios-app/
Before you implement in iOS ,your backend developer (in your case PHP Developer) need to implement in the backend side and provide necessary information to you
If you use https all data is encrypted except the URL address. Some diagnostic programs can show the unencrypted communication by setting up a proxy on the device, this and MITM attacks can be averted by pinning the certificate if you are connecting to a known https server.
I have an android app that needs to connect frequently to the server to retrive or add in the database sensible data. I needed to verify that the calls to the server where being made from the app so I used this approach: how to verify the identity of the client from the server? which consists in a hardcoded string key in the app that's verified in the server.
But then I realized that there were tools like dex2jar, that would reveal all my code (Even with some obfuscation from proguard) in particular this hardcoded key.
Is there any more elegant and safe way to verify that the server calls are being made from my app?
PS: I'm sorry for the English, clearly I'm not a native speaker.
If it's only your client and your server, you can (and should) use mutually-authenticated SSL without purchasing anything. You control the server and the client, so each should only trust one certificate, the one belonging to the other and you don't need CAs for this purpose.
Here's the high-level approach. Create a self-signed server SSL certificate and deploy on your web server. You can use the keytool included with the Android SDK for this purpose. Then create a self-signed client and deploy that within your application in a custom keystore included in your application as a resource (keytool will generate this as well). Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. Configure the client to use that client-side certificate to identify itself and only accept the one server-side certificate you installed on your server for that part of it.
A step-by-step for this is a much longer answer than is warranted here. I would suggest doing this in stages as there are resources on the web about how to deal with self-signed SSL certificate in Android, both server and client side. There is also a complete walk-through in my book, Application Security for the Android Platform, published by O'Reilly.
You'll normally store that certificate/private-key in a keystore of sometype (a KeyStore if you're using Android) and that keystore will be encrypted. That encryption is based on a password, so you'll either need to (1) store that password in your client somewhere, or (2) ask the user for the password when they start your client app. What you need to do depends on your usecase. If (2) is acceptable, then you've protected your credential against reverse engineering since it will be encrypted and the password will not be stored anywhere (but the user will need to type it in everytime). If you do (1), then someone will be able to reverse engineer your client, get the password, get the keystore, decrypt the private key and certificate, and create another client that will be able to connect to the server.
There is nothing you can do to prevent this; you can make reverse engineering your code harder (by obfuscation, etc) but you cannot make it impossible. You need to determine what the risk you are trying to mitigate with these approaches is and how much work is worth doing to mitigate it.
I am new to the whole encryption world, and I wish to build a Mac application which interacts with a PHP application in order to access and manipulate data remotely.
My problem is that I can't just transfer plain data over the internet, as most of the data being transfered can be very private, as well as username and password are passed for authentication of the user.
I would like to know what kind of encryption/decryption methods I need to use in order the data will be transfered safely over the internet.
Shillo.
The easiest thing to use is SSL with HTTPS. This is well supported by just about any system and HTTP library. No additional encryption is typically necessary.
To do this, you simply need to purchase an SSL certificate and install it on your web server. You can generate one on your own for free, but a certificate authenticated by a 3rd party is often preferred.
I have a web application that I would like to allow persistent access to that is not dependent on the browser cookie system.
Is there something that will allow me to, upon the first user authentication, send the browser a certificate which the app can check for periodically or upon future returns to the site? Maybe some take on an SSL?
I would prefer some sort of PHP/JS solution but I could entertain other options as well. I can also dictate the browser that the user will use so a solution doesn't need to be browser specific.
Thanks,
I believe what you are looking for is PersistJS, a client-side JavaScript persistent storage library. It does not require the use of cookies.
If you need actual certificates, you should research the TLS protocol. TLS is the successor to SSL and support bilateral authentication (client certificates).
You may want to check out the opensource Forge project. It implements TLS in JavaScript and you can do neat things like store client-side certificates in local storage and use them for authentication when appropriate.
http://github.com/digitalbazaar/forge/blob/master/README
Something similar to what you may be trying to do is the WebID project. These two sites show a demonstration of WebID (which involves storing a client-side certificate locally and then using it to authenticate on another website). They use Forge:
https://webid.digitalbazaar.com/manage/
https://payswarm.com/webid-demo/
Since these sites are for demonstration purposes only, you will need to accept their self-signed SSL certificates to view them. No real personal information is required to try out the demos.