trying to build an Android and Web client that has Parse.com as a backend. User has to be authenticated first to log into the app. If someone gets hold of the Application keys, client keys etc. he can access the app without the authentication with Rest calls. How can this be avoided to restrict the Parse Query to return results ONLY with a user session? Looking for that security measure.
All the Parse Application and client keys (except for the master key) are considered public information and NOT secrets. This is clearly mentioned in the Parse documentation. There is no way to hide them and they will be part of your app/website and they can be easily retrieved by any user. This means any data in your classes with Public read access can be retrieved by anybody.
Parse lets you control the data read permissions ONLY via Class Level Permissions(CLPs) and Access Control Lists(ACLs). If you think these solutions cannot give you the security measures you are looking to implement, you have to disable the public read access to your data completely and implement your own Cloud Functions to retrieve the data from server. This way, you can test the user credentials, permissions, etc before returning any data.
Related
Since I want to fetch data without authentication for my app, my security rules look like this:
{
"rules": {
".read": true,
".write": false
}
}
But Firebase said if someone has this URL he can fetch my data. How could I save my data. My app doesn't require authentication. How could I resist other, or what configuration I can set so only my app can fetch it.
In simple words,
No one should allow to fetch my app data(firestore) without my app. Where my app doesn't require authentication.
What you're asking for isn't possible. These things are all exactly the same:
Accessing data via client SDK without authentication
Accessing data with the REST API without an authentication token
Accessing data in any way without using the app itself
If you want to restrict data to your app only, you will need some form of authentication provided by Firebase Authentication.
You have to use firebase Anonymous Authentication, This authentication doesn't require user input like email, password, SSO, etc. You can just set the code inside a button to Get Started, So firebase will automatically create a userID for each user.
I am learning how to build android apps. I'm building my first app using PHP and Java, i'm passing the values from Java to PHP using parameters.
localhost/myfile.php?id=GET ID FROM JAVA EDITBOX&name=GET NAME FROM JAVA EDITBOX
I'm inserting and updating using this method.
But i'm afraid about my app security, how can i hide my links? I would like to insert some security technics to prevent a common user from having the access to my links, and insert random data into my database.
I'm sorry about that noob question, but i would like to read more about that.
how can i hide my links
No way because APK file can be de-compiled
I would like to insert some security technics to prevent a common user
from having the access to my links, and insert random data into my
database.
You are allowing Un-authenticated users to insert the records??? If you are doing this, you are doing it wrong (I think)
You should allow Authenticated Users to Insert/Delete/Update records and
Un-authenticated users can Load data only.
Some Security Practices:
Authentication (Login) / Authorization (Permission)
Don't trust any data sent from client --> Data Validation at Server side is required
Use Asymmetric encryption - Public/Private key
Encrypt your data at client side using Public key
Decrypt the data at Server side using Private key
Apply Digital Signature OR MAC (Message Authentication Code) to make sure your data is Integrity & Authentication
Https used
Which of the following ways is better to allow user to login once and avoid logging in again on next app launch?
1) Store just UserID and then just every time fetch data from server and load profile? (Problem: userID can be manipulated in SharedPreferences so user can easily hijack other users identity)
2) Store username and password in SharedPreferences then just auth user on every app launch and get users data from server? (Is this safe enough? )
3) On first login from device - store deviceID in online database and store userID in SharedPreferences, then on every app launch compare deviceID's and if matches = Fetch data and login automatically or if not matching = request login again?
Is there any better way perhaps? I would like to avoid using SQLite as for my app I have no need for database, my app is online MySQL database related and it's constantly communicating with it rather than having local database.
You could also send back a large meaningless id (such as a GUID) from the server on login. The server would store it in a list of valid login credentials. Store it on the phone also and send it back to the server for authentication. There would be no way to forge an id since it cannot be derived from any other information, and the chances of guessing one would be miniscule.
1) and 2) should never be done as it compromises on the security and any one with read/write privileges can easily view the sensitive information.
3) could work but not with the device id since that can also be manipulated on rooting. I would suggest you use the userid+password+deviceid to generate a hash and store that in your database. Consequently whenever you make any calls to your server use this hash to authenticate the user.
About fetching the data you need not do it every time. If the data is not very sensitive you can store it in your shared preferences and use it to reduce the network calls. You can use this to show the screen which opens on first time usage and consequently fetch additional data by making a network request. It would also not interfere with the user experience
I would like to start using Parse.com to build a new application. I read the good documentation on their site but I am afraid there is something I might be missing out.
I understand that I can add DB data from the application. Assume I want to save some "note" to DB from my Android application - As I can see I am calling from the Android SDK a method that saves it into my DB:
String data = txtnote.getText().toString(); // read the note from the view
ParseObject note = new ParseObject("Notes"); // saves to notes DB
note.put(USER_NAME_KEY, username);
note.put("note", data);
note.saveInBackground(new SaveCallback()
{
#Override
public void done(ParseException e)
{
// DO SOMETHING
}
});
I am wondering whether this code is safe? It seems that if someone tries to reverse engineer my code he can actually see some information about my parse account (when I initialize the application I use APP_ID and CLIENT_KEY). If I compare it to using a REST API installed on some server then I only send the data I want to store with the authentication key for the user?
Am I missing anything? Is there a way to completely make some king of REST API on parse.com using the cloud code? without only the need to to some operations before save?
I will appreciate your answers and if you can direct me somewhere I can learn more.
APP_ID and CLIENT_KEY are just used for making a connection to parse servers, not authorization to modify your data. MASTER_KEY is the crucial and important one, and you will not have that plain in your apk, so nobody can reverse engineer your apk for it. Please see this notes on connection between client and server on parse doc site.
Yes, certainly you should move data sensitive operations to cloud code, and only do not-so-sensitive ops in your clients/apps. See this notes on implementing business logic and security related ops in cloud code using the MASTER_KEY.
Additionally, you should consider taking advantage of Class level and object level (ACL) restrictions and access permissions. When you create your data model, make sure to carefully configure their access levels.
I'm a web developer who is moving into creating mobile (iOS/Android) applications.
As such, what I'm trying to understand is how should I architect the mobile application to access (post/update/delete) data stored on a central server.
For illustration purposes, let's say I am creating a mobile Recipe application (named "MyRecipeApp"). Some recipes I want to share with other recipe users of MyRecipeApp, and some recipes I want to keep private to myself.
In order to share recipes, all recipes (both private and sharable) are stored on a centralized (server) database and the MyRecipeApp accesses that database to fetch that information.
As such, I have a few questions:
With MyRecipeApp, how do I access the database? Do I make my database publicly accessible to that MyRecipeApp can talk to the database? If so, that seems insecure.
Do I hard-code SQL into MyRecipeApp (e.g. SELECT * FROM RECIPES WHERE USER = "John Smith") to access the database to fetch recipes? If so, that seems insecure in the sense that someone could just hack my mobile app and change the SQL to fetch any information.
Do you send the users username/password with each fetch to the database? If so, how are you encrypting the traffic between the database and MyRecipeApp.
What else am I not thinking about in how I should be architecting a mobile application?
Connect through an API (perhaps restful HTTP API).
Don't hard code SQL. Instead, make API calls, passing parameters.
Yes, send authentication information with every request and use HTTPS, or send username and password on first request only and get a session token and use that on subsequent requests, but still use HTTPS.
Consider sending and receiving data in JSON format.