I have a server side script which gets some data that my application uses. Naturally, I don't want anyone else access the data aside from my app. I've heard it's possible to see which url's the device connects when using a certain software. How can I prevent these programs seeing the url's I'm calling to? Or is there a better way of securing the requests?
Only thing I can think of is using a password key in the url (and check if it matches on the server side):
http://example.com/getdata?key=897ihrduiuyqewudiew&get=something
but that probably isn't enough for a secure authentication. And the sniffer programs could still get that url. Any simple way of doing this more securely?
The easiest way is to use HTTPS. This way, only the server to which you connect to can be known by the sniffer.
There are other methods that use complex challenging to have a unique key only valid for a short period of time / a single request, like WSSE (see this article http://www.xml.com/pub/a/2003/12/17/dive.html )
There is very little you can do in order to protect the server requests. Someone will always be able to see the URLs your application hits and using a password in the query string won't help. In order to secure your application you need to use HTTPS and some form of authentication. The user will need to provide a username and password in order to connect.
If I understand you correctly, you should implement mutual authentication. Basically, you have certificates on both your client and server. When a request is made to the server, the server verifies that request is signed by a known client.
So, even if a sniffer knows the url and attempts to issue the same request to the server, it would be rejected since it is not signed by a known client. I am quite new to this as well, but that is the general concept. This blog has the basic steps.
http://blog.callistaenterprise.se/2011/11/24/creating-self-signed-certificates-for-use-on-android/
http://blog.callistaenterprise.se/2011/11/24/android-tlsssl-mutual-authentication/
Related
I have developed an android app. This app sends data to my webserver(apache + mysql) using the HttpClient and HttpPost classes.
But this way a malicious atttacker could be able to send a custom post request to the webserver and corrupt my database.
1 - Is it possible to encrypt the data before the app sends it and then decrypt it in the webserver with some shared key algorithm? Or am I saying nonsense?
2 - If the previous solution is not a good one, what do I need in a summarised way to implement the ssl solution?
I have read many articles about ssl and android but I am still a bit confused. I guess I have to make code changes on both app and apache. Can anyone tell me about some tutorial to deal with this?
You don't necessarily need to encrypt your data (that's only needed if you want to prevent data from being read by an attacker).
What you need is:
Authentication: So only requests from trusted users (ie. your app) are accepted
Validation: So only "correct" requests are processed
Authentication can be as easy as setting up HTTP Basic Access Authentication on your Apache server. You'll set up a user and password, and have your app use these credentials to access the server. Any unauthenticated request will be rejected with a 403.
Unfortunately Basic Authentication is mostly insecure since anyone looking at the traffic between your app and server can grab the credentials, then forge their own requests.
OAuth would be the better option, although it is more involved. Here's a nice tutorial that covers the client side: http://nilvec.com/implementing-client-side-oauth-on-android.html
Validation means you'll need to sanitize data before using it. Your server app should assume that all data is potentially wrong or dangerous, and properly filter any input before processing it.
I am building an app with an iOS and Android version. I want to create or implement an existing REST authentication process that can be used by both apps. I know that I can accomplish this with a simple Get service but this would pass the password in the clear. Is there any API that handles authentication for mobile apps?
I don't want to use OAuth because I don't want the user to have to take the extra step of having to allow access to their data. I want the user to seamlessly enter a user name and password and be authenticated like in most mobile apps that I have used.
If you're sure you don't want anything like OAuth then you just need two things :
1) https only - this prevents username:passwords being intercepted (easily)
2) A POST URL to send the username:password to
POST is important! If it was just GET then the username and password would be stored in your server logs and the request might be cached.
You will ned up with something like :
https://www.example.com/myaccount/login
with the POST parameters
username=deanWombourne&password=hunter2
I would then store the logged in state as a property on the server for that session for all future requests.
If you use a secure connection (HTTPS) sending username/password won't be an issue. Other things to think of are, session timeout and session caching on the mobile devices, and the security steps needed for that, intermittent network connectivity issues etc.
Could you show us some of your code so we can get a better idea, it is now ok to use OAuth as users are more familiar with this method and it is more secure without having you to use HTTPS because there is a part of users (me too) who don't accept to write their password on non-official apps, so they may ignore you .
HTTPS is your first choice,.. if possible.
I recommend you to look at amazons S3 auth.
http://docs.amazonwebservices.com/AmazonS3/latest/dev/RESTAuthentication.html
Also look here.
I am trying to add a REST interface to Django for a mobile client. The mobile client will use JSON over HTTPS. I have not been able to find the "best" way to accomplish this for mobile devices. From searching around, it seems that #2 is more favorable to #1:
Use HTTP authentication and establish a cookie based session. All transactions will occur over HTTP and JSON messages will only contain commands or data.
Pass the username and password (encrypted) within each JSON msg for all transactions and do not rely on cookie-based sessions.
I would recommend sending the username / password first with a login call. The JSON will pass back an authToken or accessToken which the mobile device will send back for all subsequent calls. You will then check to make sure the authToken is valid. This is the approach many API's take. In their database they will bind the API key to the users account that they logged in with.
OAuth is overkill unless you want to make these services available to other developers (which they would access on behalf of your end users). Better to go with option 2, but I would recommend using Digest Authentication as opposed to Password Authentication. Combine that with SSL and you are definitely good to go.
Number 2 is preferable, and rather than roll your own, I would recommend using OAuth authentication if possible. Both client and server libraries are readily available for use on most platforms now. Check http://oauth.net for details.
So long as you're using actual encryption and not base64 or some homegrown obfuscation algorithm, #2 is fine and dandy. You might also want to consider the route many companies take, which is binding an API key to a username.
I'm building an Android application which has to sent some information to my mysql database. The mechanism I'm trying to implement is based on JSON, php, Mysql combination. Unfortunately I'm not a veteran when it comes for those subjects. As I understand correctly the php-Mysql connection is always secure - nobody except me can see the source of php script in which I have written username and password to my database. Now the tricky part, my php script is located on Apache server and it isn't protected at all, therefore anybody can trigger it (even from the desktop browser). How can I prevent this situation? and how can I safetly trigger my php script from my Android device?
Thanks
Use SSL. This will encrypt the connection between the device and the server.
Use a client id/key for your device that is verified on the server.
In case you REALLY worry that someone will modify your app to send fake calls using such: verify the client certificate as well (piggy back). (The same way it is done with Facebook Android library and Google mobile libraries).
Use ssl, this will encrypt the connection
Set an authenticate mechanism, on your php page and you android application will send the credentials
Set a random pin code that the server side sends to the application, and he is valid only to the current session, and the application need to run a function that will generate the right answer to this current number and sends it to the server as verification, for example if the server sends me the pin number:120, and the verification function of mine is to +1 the pin number I will send the server 121, but I suggest to use a little bit more complicated algorithm.
The Android device is no different than any other HTTP client, like your browser. You need to follow the same mechanisms you will be using in order to protect a standard Web Page:
Require login to the page. The user needs to supply a valid username and password to gain access. The server returns a session, which is usually stored in a cookie. This question will help you on how to do that on Android.
To keep someone from intercepting the username and password, the log-in should be done over HTTPS
the most intuitive way is to authenticate the user (Username + Password) using an Https Connection, there is better types of secure authentication like OAuth, see this: http://code.google.com/p/oauth-signpost/
I am in the planning phase a new project. I want to be able to control multiple relays from my android powered phone over the internet. I need to use an HTTP based server as a middleman between the phone and the relays. Django is my preferred platform because Python is my strongest skill set. This would not be a "web app" (with the exception of the admin interface for managing the user and their access to the relays). Rather, the server would simply provide an API in the form of HTTPS requests and JSON encoding. Though, I should note that I have never done any web development in my life, so I don't know best practices (yet). The authentication method should meet the following criteria:
Works over HTTPS (self-signed SSL)
Provides multi-factor authentication (in the form of something you have and something you know)
Be reasonably secure (Would be very difficult to fool, guess at. or otherwise bypass)
Is simple in implementation for the server operator and end user on the mobile client
Is lightweight in in terms of both CPU cycles and bandwidth
I plan to use the following scheme to solve this:
An administrator logs into the web interface, creates a user, and sets up his/her permissions (including a username and a password chosen by the user).
The user starts the client, selects add server, and enters the server URL and his/her credentials.
The client attempts to authenticate the the user via HTTP auth
(over SSL). If the authentication was successful, the server will generate an API key in the form of a UUID and sends it to the client. The client will save this key and use it in all API calls over HTTPS. HTTP auth is only used for the initial authentication process prior to reviving a key, as a session scheme would not be nessessary for this application. Right? The client will only work if the phone is configured to automatically lock with a PIN or pattern after a short timeout. The server will only allow one key to be generated per user, unless an administrator resets the key. Hence, simple, mobile, multifactor authentication.
Is this sound from a security standpoint? Also, can anyone point me to an example of how to use the HTTP auth that is built into Django? From a Google search, I can find a lot of snipits witch hack the feature together. But, none of them implement HTTP auth in the wayit was added to Django in 1.1. The official documentation for REMOTE_AUTH can be found here, but I am having difficulty understanding the documentation as I am very new to Django.
I'm not entirely sure of how basic auth would work on Django, but I can take a shot.
The basic auth article on wikipedia covers a pretty standard usecase for logging in. For Android I've personally skipped the first part (401) and just pass my credentials in right away.
With your auth request you will have to just grab the user credentials from the request headers (WWW-Authenticate) and then do all the necessary work for that. With the credentials you can then just use the authentication framework provided in Django to verify that the user then generate their UUID (I guess).
As for basic auth on Android it's a little bit tricky at first and may leave you pulling your hair. I've found this article on Basic HTTP auth for android which helps explain how to do it.
As for the security part of it, I'm not too sure. It's pretty simple, which I'd say is a good thing :)