I am new to backend development and security. I have a LAMP stack setup on AWS and have a Android application with can POST and GET messages to this server. I want to now make the server more secure.
Currently I have no security in place and have no idea where to start. I tried implementing SSL with Apache but didn't have much luck.
Any links to tutorials or reading or any other help will be appreciated.
The first place to get started would be to ensure you are following the best practices for AWS: https://aws.amazon.com/articles/1233
Besides those on the list, setting up your firewall rules as tightly as possible, running something like fail2ban to prevent constant login attempts, running Apache in a chroot jail, and other things like that are all good places to start. Security is a never-ending process.
Setting up SSL (TLS) for your web service is an excellent idea and will prevent anybody from snooping the data going between your app users and your service. Getting SSL up and running can be a bit daunting your first time, but I would suggest starting with the Apache documentation http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html and talking with the representative at the company you purchased your SSL certification to explain everything they provide you. If you don't understand the basics of TLS, the Wikipedia article isn't a bad place to get a nice overview.
Related
How safe is it to use OkHttp3 for your REST API?
For example, if my website has some login/signup process, and my app sends requests with OkHttp3 client. How much can I trust that someone can't take his phone, plug it into Android Studio and look into the logs and find the links for all the requests I'm calling?
There's also the matter of decompiling the app, and easily accessing the base Uri I'm using in my app.
I'm not sure how OkHttp works, so can someone tell me about the security used in the client and how much I can trust it?
If a link is on the internet, then it's public. There is no point trying to hide that fact.
You need to focus on the securing the endpoint(s) the app is talking to for confidentiality, integrity and availability
You need to read up on Web security. Take a look at the OWASP Top 10 and related guides.
Why are you worried about your URL address? Whenever you expose an API on the internet anyone can find your API URL address. There are easier ways than reading logs of your app.
What is your exact worry? What do you need to keep secure? What is important for you?
I've read through the docs on https://developers.braintreepayments.com and I'm having trouble understanding what to do.
As I understand it, we must build a server to generate a client token which Android Studio then deals with. What I don't understand is how to build the server to generate a client token with each request, along with generating customers and updating customers.
I'm relatively familiar with Ruby, and I know that Sinatra is a good way to host servers with Ruby knowledge.. but can anyone lend some sort of clarity on what are the steps to going from no server to accepting credit card details?
Another confusing aspect is that some blogs say that using Braintree is as easy as copy/pasting a few lines in Studio, and others say that you have to build your own server. Anyway, please let me know your thoughts!
I'm a developer at Braintree. Braintree does require that merchants have a server set up, in order to maintain secure communications with Braintree servers (i.e., if you were to store your API credentials on the client side, attackers could access this information and process transactions on your behalf).
We do offer a guide for getting your server configured to communicate with Braintree, but it does not cover all aspects of server setup.
Some users complained about network issues.
Our android app communicates to our server through https.
Our Apache logs showed responses with the status; "405 Method not allowed (CONNECT)", this problem was only reproduced on specific IP addresses.
I don't understand why the android app is trying to reach the server with a CONNECT method, I never use this method in the app, I use only GET, POST or PUT.
It seems a proxy may be involved in that problem, but I have no idea how to solve it. Does anyone know ?
Looking at the wiki for http connect
A variation of HTTP tunneling when behind an HTTP Proxy Server is to
use the "CONNECT" HTTP method.[1][2]
Not to point out the obvious, but enabling the connect method in Apache seams like the answer. Easier than asking the customers to remove their proxy servers.
You need to provide support for the CONNECT HTTP method, which is commonly used to tunnel SSL requests through proxy servers. Thats why you are receiving them, some users are behind a proxy.
In Apache, to enable handling CONNECT requests, mod_proxy and mod_proxy_connect have to be present in the server.
The problem is that you need to secure your server, which will probably defeat the purpose of you app.
DON'T enable mod_proxy and mod_proxy_connect if you have not secured your server.
I cannot provide a turn-key solution, as half the battle here is in the source tree for your supported Android application, as well as a combination of variables pertaining to your employer's infrastructure policies. You have three big questions to answer, and should conceptually do this for every problem brought to you as the Apache administrator:
When were the "problem" clients last able to connect without issue?
What changed between then and now, and when did it change?
Do CONNECT messages correlate 1:1 with clients reporting errors?
Questions one and two are priority, but should not be discussed in depth on a public forum like this. Changes made to your public or private configurations, applications, etc., are often considered the intellectual property of your employer. Use caution if you discuss that here or anywhere. If you find that changes were made, even "harmless" changes, discover their correlation to the customer issue and implement regression testing where applicable.
Question number three is what I will discuss. Based on the messages I've read above, it is not confirmed that CONNECT correlates to every customer issue. It seems as though some customers reported issues, and you looked at logs for symptoms of a problem. The CONNECT errors look like a problem, and based on some of the Android app spec you've shared, they might be the problem. However, they might also be "log noise" generated by someone scanning your server for vulnerable modules.
If you have not yet proven the correlation of CONNECT to customer error, try using the <If> directive and logging additional data about clients who issue CONNECT statements. As a generic example:
<If "%{REQUEST_METHOD} == CONNECT">
... some extra log format fields to get ALL of the data ...
... maybe a special log file just for CONNECTers?
</If>
Use the gathered data to understand a trend. It might be that only specific versions of Android with your app are behaving this way. You can branch <If> to change the way those users receive content, or you can work with the developer of your Android app (the current one, or the next one you hire ;) ) to develop a list of web server requirements based on the app, itself.
Better still, a well-constructed block can enable you capture debug data for specific clients without disrupting those whose apps work. As always, I recommend building and testing in a lab first; never deploy brand new ideas to production, and most certainly never enable modules because the Internet told you to, even if they were right in naming the module.
Here are links to Apache's documentation for the <If> directive:
http://httpd.apache.org/docs/2.4/mod/core.html#if
http://httpd.apache.org/docs/2.4/expr.html
Good luck!
I have a MVC application that I would like to port at least a small part of it to a mobile app (android first). My first objective was to try to figure out how to authenticate the users.
It seems that forms based authentication uses cookies and that is not usable by mobile apps? Definitive confirmation would be appreciated.
But it seemed that you could do some form of authentication using a WCF service to create a token. Now I found a lot of sites that discussed how to create and secure the service end point but none really discussed the token generation.
Then quite by accident I stumbled upon WIF and the usersecuritytoken, which seems to what I am looking to accomplish.
So if some could please confirm this is where I need to be looking so I can actually get back to coding rather than reading I would appreciate it.
The way I see this working is:
Secure WCF service.
Using the System.IdentityModel it generates a token for a valid user and passes it back to the mobile app.
Then the app passes the token along anytime a service requiring privilege is called. For example updating the user's profile.
Is that how it is suppose to work? If not could you please point me to an example of how it is suppose to work.
One other question, looking at the WIF site it seems to provide a lot of token types, what is the preferred type for android and iOS?
UPDATE As it was pointed out it would be helpful if I provided more context.
The original website is a MVC3 web app.
I am attempting to write an app for some of the backend administration features using mono touch.
WCF seems to be a bad solution for cross platform and a package called ServiceStack is what I am now leaning towards for my web services. ServiceStack has its own authentication module but it does not interface with the .net membershipprovider which is an issue since the web app was designed with the membership provider.
I have to be overthinking this. It can't be this complicated to have an android or iphone app securely authenticate to a .net membership provider through some form of web service.
Thank you in advance,
Chris
We have an android and ios app which sends data and commands to a server with http webservice. How can i prevent the possibility, that fake-clients also can send something to the server? How can I determine serversidely if the data/command really comes from our apps.
You cant really prevent it. There are several techniques to make it harder for people abusing your services.
A simple check can be to check the user agent calling your webservice. Another pretty common one is to use a simple authentication via user/password authentication on your webserver. The username and password will be embedded into your app.
If you have enough time you should think about using a combination of this two methods plus authentication with a embedded ssl certificate. You simply could add this to your project and if someone really want to abuse your service, he have to extract this certificate atleast form your application.
There are some other useful techniques but you cant prevent reverse engineering or network sniffing.
Sincerely,
fuxx
The most robust solution is not to try. Techniques like DasFuxx's answer suggests can make it faintly harder, but someone can always decompile your application and get whatever secrets you have embedded in it.
Instead, follow the rule of multiplayer game development:
Don't trust the client.
Don't think about your application as the user interface. Think about your network protocol/API as being the user interface; then design that interface so that it cannot be abused.
It may not be possible to do so completely, but insofar as you succeed, you have true security (rather than fighting the same losing battle as DRM systems).
I would implement oAuth. See the following link for more information on how to implement such a solution.
You can't. It's that simple...