I'm not very used to oAuth or using SSL certificates and was just recently forced to look into it for put.io API access. oAuth seems complicated, some methods ever require the end user to fill out their credientials.
So I went to search for a ready made PHP lib that has the full put.io API implemented and noticed he used a method where not even the "application secret" or "client ID" was needed.
All I had to do was feed it my "Oauth Token" value and it connected with ssl vertifypeer and a cafile - StarFieldSecureCertificationAuthority.crt
Now the question I guess is what this certificate really does or proves, and if I can really use his - or if this is something I should generate myself for the target deployment server?
Suprisingly, Google didn't help much at all - and I have still no idea how this oAuth with a certificate works, why it works, and how I can make sure that it does work. Any pointers?
Presumption
I take it this is the "ready made PHP lib" you refer to? If you have a question on what some code does with some file, it's helpful to post a link to the code and even more helpful to post your breakdown of it. If you try to read the code, you'll get better Google terms, and clearer narrower more easily answered SO questions, that have a wider application for other future visitors: A question "What does some code do" is easier to answer and may be found by people in the future that search for the same function.
SSL certificates
It's hard to understand what some API code does with a certificate if we have no understanding of what certificates are for. So lets try to get ssl explained to us. If reading the explaining answer on security.stackexchange.com comes hard to you, youtube is the dyslexics best friend.
So now we know that certificates are used to confirm identity or, in other words, for authentication.
OAuth tokens
OAuth tokens are like car keys; a secret that grants access to a car. In your case the car is put.io (the Resource Server). Some cars have separate keys for starting it, opening the trunk and opening the glove compartment. Some tokens only grant access to some of all the Owners Resources.
Basic idea is here, that we shouldn't leave carkeys left in our care out in the open and we shouldn't stick them in just any car we see. Because it's pretty easy to make a device that looks like a car and reacts like a car, but in fact is a car key copier. Trust me, it's the next big thing after credit card skimming. So we need to confirm the identity of the car, before stick our keys in. We need to authenticate the car.
It's pretty easy to make a device that looks like put.io and reacts like put.io, but in fact is a man-in-the-middle that copies tokens. So we need to authenticate put.io before we send the precious token.
Authenticating put.io
That is where the SSL certificates come in. Without repeating what we learned from the SSL section, we know we should carefully check the authenticity of the server certificate we get from, what we believe is, put.io. We need to check if the signature on that certificate comes from an authority (a CA) we trust. To do that we need the certificate of the CA. Many operating systems and browsers come pre-packed with trusted CA certificates.
Just open https://put.io in your browser and look for the certificate. Often by (right) clicking some padlock icon and some click for more information. You'll see that it is issued by 'Starfield Technologies, Inc.'
Using StarFieldSecureCertificationAuthority.crt
Now in NativeEngine.php we see:
$context = stream_context_create($contextOptions);
The ssl options require either a cafile or a capath. The easiest way for the API maintainer to be cross-platform is supplying a cafile. OS package maintainers will likely patch this and exchange it with the capath to the CA files they supply in their OS.
Can you trust it?
Now if the API maintainer has created that crt himself, he can impersonate any server if you use it. Luckily, you can easily check the fingerprint and see if it corresponds with the one in your browser. You can export the one in your browser if it doesn't.
The OAuth token is what authenticates you against the put.io API. (As you can see in this example, where no additional CA certificate is used.)
The CA certificate and the VerifyPeer setting are there to protect the integrity of the connection between your application and put.io: The library uses it to verify that the server it connected to really is put.io's, before proceeding to submit the OAuth token. Your code should also work if you disable the verification; but then your application would be vulnerable to a MITM attack and an attacker could obtain your OAuth token – and would then have access to your put.io account. (The same technique is used in HTTPS. See this question at ISSE for further details on the verification process.)
Note that your solution works for now, but the put.io API documentation states that they might start to expire OAuth tokens in the future, so in the long term you should switch to a library which is able to obtain new tokens (there's a list in this question):
Although at this time we do not expire OAuth access tokens, you should be prepared for this possibility in the future. Also remember that a user may revoke access via the put.io settings page at any time. Using /authorize will ask the user to re-authenticate their identity and reauthorize your app while giving the user the option to login under a different account.
Related
If an app is interacting with server api over https using post method ( JSON objects ), then there is a danger of api endpoint getting exposed and anyone accessing the api.
Is there a way to make sure that api is called only from the designated app.
I did some research on the web and came to know of:
a. manual credential checking using POST method
b. using json web tokens ( jwt)
However my question is: both of these methods a) & b) would require some kind of username/passwd passing from client app to server ( everytime in a. and only once in b.). Now this username/passwd would need to be hardcoded in apk and it can be easily obtained by anyone by decompiling it. So then how are these methods secure?
I think you're misunderstanding how json web tokens or bearer tokens work. Why would a username and password ever need to be hardcoded? You'd supply the user with an interface that accepts a username and password.
In option a, you'd store these locally after the user supplied their credentials and clear it when they exit the application or log out. This would not be recommended as that's what tokens can be used for. Many frameworks already offer support for JWT out of the box.
If using a token, the user still supplies their username and password to authenticate, the server will return a valid authorization token. From that point forward the auth token is passed with each request.
I would somehow use TLS security ... with digital certificates ... to cryptographically secure the network access to the portal. The app would contain the necessary public certificate, possibly obfuscated, which the server could check to make sure that the access is legitimate. Now, no one can intercept the communications, and they can't spoof it without somehow first extracting the certificate information from the app, which is probably unlikely. Knowing that the supplicant does possess a copy of the necessary public key should be sufficient authentication.
Although we don't usually employ it when we use TLS to get to your friendly neighborhood https web-site, modules like mod_ssl do provide a complete TLS implementation including the ability to require and to verify a client-side security certificate, without possession of which the connection attempt will be refused. This might be an ideal situation for that.
I am using Objective-C to communicate with a PHP script, that works with an API. Although I do not wish for the script to be accessed by anyone else, than the actual iOS App on the users device. As some functions require admin permission, and is essential for the app.
Is there a way I could encrypt the link, so people won't be able to sniff the link? Or somehow limit access of the script.
Regards
Mads
Use https (SSL/TLS) and pin the certificate, that is about as secure as you can get. Even the query string is encrypted. Note that the entire URL including the query string is usually saved in the server log file.
This will require a CA signed certificate and they can be purchased for $50/year if you shop around. There are also several CAs that offer free certificates: Free SSL Certificates from a Free CA
First of all, a better question would be is this possible? My gut instinct is that it isn't entirely, but there may be some clever ways. Even if they just act as a deterrent, make it slightly harder for some one to hack, or even make it easier for me to detect suspicious activity.
Basically, I'm building a web service using PHP for my C#.NET program to connect to. Among other things, one of the most important purpose the web service serves is verifying license data. The program sends the licence key entered by the user to be checked, and if it is valid the web service will return the Name of the person who purchased the licence key so that the program knows to activate itself.
I am fully aware that there is no perfect anti-piracy scheme and that is my software will be cracked if people want it bad enough. However, I do not believe that there isn't anything I can do to make it very hard for people to crack my software.
I do have an SSL certificate so the program will be communicating with the web service using HTTPS, however that's the only security I have at the moment. I have thought about
Using long and obscure names so that the functions are hard to guess
Using MD5 to disguise the functions
Adding a username and password
Checking the User-Agent
etc.
However, I have read that there are applications available to simply extract strings from programs, which would render those measures completely ineffective. Still, I don't know how technical users have to be to use those applications. Is it still worth adding some of these measures to stop casual piracy? Which measures are the better ones and what will be the most effective?
Thanks in advance
You can distribute your C# application with a certificate bundled and sign your requests with the certificate. The server can then verify if the request was signed by your application and reject any other request.
Edit: Whoops, I only now understood that you want to secure you application even when in the hands of a malicious user. This, I don't think is possible. A hacker can decompile, scan the memory, read and decode files, etc and your certificate will be available in there if you distribute it with the application. An alternative would be to distribute an external security token (hardware device or flash storage) which will need to be plugged-in to the client computer. The token holds the certificate, keys or cyphers used to sign/encrypt your requests and it therefore doesn't stay with the application.
Your server-side SSL certificate will only guarantee that the communication channel is secure and the server is not lying about his identity. It doesn't guarantee anything about the client connecting. To also be sure that the client is identified, you need to use a form of client certificate that your server recognises.
I have an android app that needs to connect frequently to the server to retrive or add in the database sensible data. I needed to verify that the calls to the server where being made from the app so I used this approach: how to verify the identity of the client from the server? which consists in a hardcoded string key in the app that's verified in the server.
But then I realized that there were tools like dex2jar, that would reveal all my code (Even with some obfuscation from proguard) in particular this hardcoded key.
Is there any more elegant and safe way to verify that the server calls are being made from my app?
PS: I'm sorry for the English, clearly I'm not a native speaker.
If it's only your client and your server, you can (and should) use mutually-authenticated SSL without purchasing anything. You control the server and the client, so each should only trust one certificate, the one belonging to the other and you don't need CAs for this purpose.
Here's the high-level approach. Create a self-signed server SSL certificate and deploy on your web server. You can use the keytool included with the Android SDK for this purpose. Then create a self-signed client and deploy that within your application in a custom keystore included in your application as a resource (keytool will generate this as well). Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. Configure the client to use that client-side certificate to identify itself and only accept the one server-side certificate you installed on your server for that part of it.
A step-by-step for this is a much longer answer than is warranted here. I would suggest doing this in stages as there are resources on the web about how to deal with self-signed SSL certificate in Android, both server and client side. There is also a complete walk-through in my book, Application Security for the Android Platform, published by O'Reilly.
You'll normally store that certificate/private-key in a keystore of sometype (a KeyStore if you're using Android) and that keystore will be encrypted. That encryption is based on a password, so you'll either need to (1) store that password in your client somewhere, or (2) ask the user for the password when they start your client app. What you need to do depends on your usecase. If (2) is acceptable, then you've protected your credential against reverse engineering since it will be encrypted and the password will not be stored anywhere (but the user will need to type it in everytime). If you do (1), then someone will be able to reverse engineer your client, get the password, get the keystore, decrypt the private key and certificate, and create another client that will be able to connect to the server.
There is nothing you can do to prevent this; you can make reverse engineering your code harder (by obfuscation, etc) but you cannot make it impossible. You need to determine what the risk you are trying to mitigate with these approaches is and how much work is worth doing to mitigate it.
Have found the following example of OAuth server
http://oauth.googlecode.com/svn/code/php/OAuth_TestServer.php
But it is unclear for me
1. How I should generate certificates
How I should specify access token/access token secret/request token/request token secret,
should they stored in database? Should it regenerated for each request? What else I should store in database?
Where should I implement the verification of Access token?
Please advice
To Generate Certificates, you need to create a CSR (Certificate Signing Request)
If you have access to cPanel, then you can generate a CSR easily. If you don't then you will need to download some software to generate a CSR.
After you have your CSR, you can head over to CACert for a free certificate. However, be warned: not all modern browsers trust CACert, so you might get warnings. If you don't want this, you will have to pay for a certificate from a professional provider, like VeriSign.