I am looking for the best way, the most secure way to build Client-Server communication.
I have simple web site where I can login and sign up using well-known web secure implementation.
But I need to create standalone mobile client Android/iOS and make it possible to do the same (log in,sign up) from mobile client.
As far as mobile client will be native, not just mobile version of page. I need to create secure communication between client and server.
I have already implemented several projects using REST API with tokens over https, but it seems that there is better way to do this.
What is the most secure way to implement client server communication in this way.
Also in my case creating something like OAuth server doesn't make any sense because client communicating with server directly and I don't need to give some access to other apps like in OAuth.
Use web view but only for logging in and registering, of course on special mobile pages.
Just use https and REST API as I have done previously
Create some encrypted channel directly with TCP and sockets
I have no more IDEAS how to implement this, maybe someone can suggest how to do this or at least how this is done in apps like facebook, amazon, aliexpress .....
Thanks.
Related
I don't sure what is the best option to add a CSRF Token for my form's in the website and still using the same endpoints for my Android App :/
I can create new endpoints for android but i think that is not a good solution because someone can send a CSRF attack to the Mobile endpoints instead the web endpoints :/... so at the end that solution is the same of don't use Lusca at all.
What you think is the best, secure and correct way to add security to Rest API used by Mobile Applications and maybe others servers?
Thanks.
I have a scenario , where i need a Chat client for android and iOS and a XMPP server either setup privately or hosted. I need to call three APIs from mobile app (chat client) and from web based app.
1) Need API that can register a new user with XMPP server so in future if there is call from chat client to xmpp server, server can recognize it.(mobile app will call this api)
2) Need API that can create chat groups. (web based app will call this api)
3) Need API that can add user to chat groups and can create session for the user for particular chat group (mobile app will call this api)
Do i need to create above APIs as custom APIs in some existing XMPP server or i need to create my own xmpp server ?
Please suggest any good XMPP server which fulfill my requirement.
I am not sure how can i proceed with above requirement.
Note that i would need it in .net technology.
As server, you can use more or less what you want.
For sure Openfire and Ejabber are largly used and supports more or less all XMPP specs.
About API: you have 2 choices:
get "best" API for each platform, so do for each platform you
need it's own client (best as performance)
use a javascript API and wrap a HTML + JS client in your
declied-platform application.
This is the list of API:
https://xmpp.org/software/libraries.html
it's hard to suggest something particoular due to varius linceses.
As I know, Smack it's a very complete API and works with Android: it's not that easy to use, but Bubbler is (even if not all it's supported).
About js:
strophe.js supports chat and groupchat
About session: it's 75% Server and 25% API. Api just require connect and login, server will store the session.
About creation: Smack does, have to check for others API.
However write this kind of function it's not that hard (XMPP require a fixed template XML, just replicate this XML). Of course it's better to have something already cooked, tested and ready but a single functionality can be developed in short time.
I'm looking for a little top/level guidance. I don't expect a solution to the problems at hand. My goal is to create a native mobile application (not web) for iOS and Android. I want the content to be served from an in-house Microsoft Server, not a cloud based service like Azure. The mobile clients need to be able to login and make authorized read and write requests to the server. I figure I will return data as plain text and/or JSON. I'm debating using SQL Server or a NoSQL solution. I am also considering using something like ElasticSearch if I can't get speedy text searching working. The Microsoft topic has been somewhat confusing because I have never developed a Microsoft Web Application and most of the resources seem to assume a web based application or Azure hosting. So I was hoping for a little assurance I'm on the right track and hoping for a point in the direction to some resources that will help me on my way.
Microsoft Server. Not sure if I should be looking into ASP.NET MVC or ASP.NET WEB API, or something else entirely. If I use these frameworks, I can perform other async tasks on the machine right? For example, making additional calls to other web services to process requests.
Login: SSL for all connections. User sends username/password and system authentication. Server sends back token. With every request, client sends back token and server verifies token before processing request. Is this valid as long on a HTTPS connection? Just store the tokens in the server database and verify?
This application is not going to generate profit so an MBAAS is not really an option. It also is expected to handle roughly 2000 users and may need to scale to 10,000. Traffic would likely be concentrated as well. I know this is super broad, I just want a little direction to resources and big picture regarding Microsoft in this context.
If you're building an app that will communicate with a server, you probably want a Windows Service (SOAP) or a Web Service (REST) that it can communicate with.
You don't need ASP.NET MVC or WebAPI unless you're planning on creating a website (ASP.NET MVC) and communicating from said website using HTTP requests from the client side (WebAPI).
A Microsoft server hosting a Windows Service or Web Service should be fine. Yes, you can perform other requests from the server, even if you're hosting websites, a web service or Windows service on the same machine. Each HTTP request is a separate request that will be processed independently of one another.
Yes, you can secure the communications of between your web service and application quite easily using HTTPS/SSL. I'm not sure about just sending an identifier back and forth and that's it, this probably wouldn't be that secure. Maybe you can employ oAuth or a method that already exists. I believe that if you're creating you're own security system that you're probably doing it wrong - Leave it to people that specialise in those things.
I am new to mobile applications. I am basically from a web development platform. I am just playing around mobile frameworks like App Framework, LungoJS, Jquery Mobile, kendo etc to gain some knowledge in this vertical.
The app I am developing is still in UI level. All I need is to fetch data from the server and populate in my app.
I need some ideas to establish server communication between the smart device and the server. My questions are
What kind of server needed for mobile applications ? A cloud or a
regular web server is enough ?
What are the ways to connect the app with the server ? ( on cross
platform mobile development )
What is the secure way to communication with the server ?
What kind of server needed for mobile applications ? A cloud or a regular web server is enough ?
Because you are creating a hybrid mobile application you can use any type of server side technology, it doesn't matter is it a classic web server technology (using Java, PHP or .NET) or some kind of cloud technology like Parse.com.
You also don't need to create anything from scratch. Best course of action would be to use some kind of micro RESTFul framework(like PHP Falcon or Java Play Framework). Read more about them here.
But, there's always a but. You can't use server side technology for classic content generation, you only need to use it to send data to your hybrid application. I will explain this later.
There's also an alternative to RESTFul services, you can create a webservice, again using Java, PHP or .NET.
What are the ways to connect the app with the server ? ( on cross platform mobile development )
You would use AJAX as a technology (in case of RESTFul), rest depends on you. You would probably do it in JSON format (or JSONP if you are doing cross-domain calls, but you don't need to think about JSONP when creating a hybrid application).
If you intend to use a web service then you would use a SOAP connection and communicate via XML format.
No matter which server side technology you use you will always use AJAX on a client side.
Now let me tell you why you should not generate your content on server side. Basically nothing can prevent you from doing that, you can generate your complete page on web server and just show it in PhoneGap app, it would still be a hybrid app. But, if you try to put this app in Apple store you will get yourself rejected.
What is the secure way to communication with the server ?
Security of course depends on server side technology. Every framework has its own kind of security handling, but all of them relay on HTTPS so you should not worry too much.
From the client side you can always encrypt JSON/XML data and send them using POST.
Examples:
If you want to use jQuery Mobile then take a look at this tutorial. It will show you basics of client - server side communication.
Since you are new to mobile application, ill try to give short answers
1) What kind of server needed for mobile applications ? A cloud or a regular web server is enough ?
A regular web server is good.
2) What are the ways to connect the app with the server ?
via web-services
3) What is the secure way to communication with the server ?
Use HTTPS webservices (SOAP, REST), HTTPS secures the transmission.
Above is a basic explanation for your quick help, I would recommend you to go through the documentation, and review some sample codes
This will really help you Sample
Please go through this link it will surely help you
http://www.androidhive.info/2012/01/android-login-and-registration-with-php-mysql-and-sqlite/
Webserver,cloud anything is good for restful service
for security purpose you can use POST parameter to send and recieve data or if you want more security then you can encrypt and decrypt data through secure algorithm
What is the best solution to secure a REST service provider (assume a java servlet running on google appengine) by allowing requests only from iOS or Android device from a specific app?
Assume I have a servlet running on google appengine that does some processing and responds to a GET request with some JSON data. And I want to restrict this access to my app that runs on Android and iOS.
My current solutions are:
Use if(tokenValue ==
request.getHeader(tokenKey)) on the
appengine servlet. And
response.addHeader(tokenKey,
tokenValue) on the mobile apps'
code. So basically only my app would
know the token key.
Use HTTP(s) for the above solution, appengine supports this
Use oAuth - but I need to have the user sign-on to some oAuth provider from the app, which complicates the app
Suggest other useful approaches to tackle this problem. Assume this servlet only serves GET requests and maybe use Restlet or Jackson
Only 3 would be an appropriate solution if security is important to you. This is because anyone using the application can intercept the traffic and just replay the values against your web service. SSL offers some protection but a good attacker can work out how to capture data if they control the device. With OAuth the damage done by an attacker is limited to a single user (as long as they are not an app admin).
How about using a client SSL certificate? I haven't tried this, but I'm considering it. Here's a page that describes the approach, with some sample code:
http://blog.crazybob.org/2010/02/android-trusting-ssl-certificates.html