My current process to secure iOS app connected to web service is the following.
iOS Client credentials (public id + secret) to access web service are stored into CloudKit public database (available only for my app)
At first launch, my app is securely retrieving credentials from CloudKit
On change from CloudKit, my app is automatically notified and can update stored credentials
Credentials are securely stored in keychain.
Like this, there is no credentials on my source code.
With Android, I can securely store credentials once retrieved. But how can I retrieve API credentials without storing them in my source code?
Thanks. :-)
Related
I'm working on a mobile app that has both local database and AWS RDS. Data needs to be passed both ways so that user data can be backed up and updated data can be sent to the app. I set up an API to avoid putting database credentials in the app itself. The API triggers code hosted in the cloud to interact with the RDS.
As I understand, Android APK files can be easily hacked. I would like a solution for how to prevent someone from reverse engineering the app's API calls and getting private user data from the RDS. As it is currently, if someone knows how to format an API call they could access data belonging to any user.
You need an API Authorization mechanism. Normally APIs are protected with Authorization Token which is obtained by a successful login. When the user successfully logs in, you should issue the authorization token, Store in device shared preferences that need to be passed with further API calls. I suggest using JWT, simple and available in all major programming languages. Encode the user's unique identifier in JWT token and design your API such a way that the user can only create, read, update, delete based on the identity encoded in JWT. By this, suppose if user token is compromised, that token can be only used to misuse the user-specific data and not all the data in your database.
Consider the given flow for your reference.
When the user enters username and password into an mobile app( iOS ,Android or windows app)it calls a thirds party oAuth login web service which responds back with oAuth access token and refresh token. Now the app generates a JWT and signs with a Secret key stored in the app. This jwt is used for authentication on a set of In house APIs
In this context, is it safe to trust this AUTH model? Since in-general JwT are generated on the server side , so the integrity is maintained.
What are the pitfall of signing a jwt in mobile apps? Will the secret signing key stored in the apps ever gets compromised ?
Will the secret signing key stored in the apps ever get compromised?
Yes, the signing key can get compromised. This can be done by decompiling your app executable.
Instead of storing the token in a sqlite database or local file, you can make use of the secure storage that each of these platforms provide.
For iOS, you can simply use the Keychain, a secure storage intended for this purpose.
As for Android, a similar functionality is provided by the Keystore.
Using Firebase as DB for the app only.
I would like to use Firebase to store data that is global for all users. User authentication is not required to access those data.
So, all user's will be able to access same data. For example "news articles" are same for all users. Users don't need to authenticate to access the news.
How can I setup android application to access Firebase data securely for all users?
By "securely", I mean I don't want to bundle credentials to access the DB with the app. Otherwise, anybody can access the data and wipe it or corrupt it.
Based on quick investigation, I found there might be 2 ways:
Firebase REST API
Using Firebase REST API and service account token to access the Firebase data.
Firebase Auth
Use one of the auth schema. For example use email & password auth or custom auth with custom token.
I would assume both of them require me to bundle the secret password or token with the application.
Has anybody designed app with such use-case? Any pointers would be appreciated.
Firebase Authentication doesn't require any bundling of anything. Your users provide their own credentials. Google Play services on the device provides the security that only your app signed with your signing key may receive the token that authorizes the users to perform the actions on the data that you decide through security rules.
I need to create application (iPhone/android) that:
shows login screen with username/password fields
could create account with info provided by user (email confirmation)
connects to server with provided credentials to retrieve token
uses web api with provided token to store/retrieve data (but only his data, not other users data)
I am familiarized with client side programming. But I need a server that allows creation of account, login using https+basic auth (or some other mechanism), store client data and allow access to his data via web api (GET/POST/PUSH + token).
I could use FireBase but looks like it can't login user to obtain token, it needs another server to do so.
Ideas?
Found out that Parse allows to create API that could have:
users
data
security rules (data can be read/write only by it's user)
user login via WEB API + token
Hope it is usefull for someone.
I have an authentication server whose web interface directs users to Google's auth page, which then sends them back to the authentication server to validate the OpenID key-value pairs. On success, the auth server checks its database to see if there are any existing users with the Google identifier retrieved from validating the OpenID key-value pairs (such as https://www.google.com/accounts/o8/id?id=moo). It is this identifier that allows me to match the Google account to a user record in my database.
Next, I'd like to build an Android app which connects to my server via TCP (not HTTP/HTTPS this time) and uses a Google account linked to the device (asking the user to choose, if more than one) to convince the server that the Google account they have authenticated to has the OpenID identifier https://www.google.com/accounts/o8/id?id=moo (or whatever it is).
How could this be achieved?
Thanks in advance!