Facebook recently changed the security settings on Account Configs, now there is no more an option to force, or not, an application to use HTTPS protocol.
Therefore, it isn't possible to do a App without a SSL key. Previously we could just don't fill Secure Canvas URL field, and access the canvas app through the HTTP protocol. But now, without the option in the security user config, the facebook app keeps redirecting to the HTTPS protocol.
So, there is some workaround for this ?
As CBroe says, you need SSL.
There are 2 things you need in my opinion:
A webserver with SSL.
IF you're in OSX and you run Apache, this tutorial really helps:
http://blog.andyhunt.info/2011/11/26/apache-ssl-on-max-osx-lion-10-7/, plus you might want to add your certificate as a trusted (root?) certificate, or certificate authority. (I'm not very well versed in this)
The only caveat I found, specially for Chrome, is that when you're generating the Certificate Request File, under Common Name place "localhost" or the host you're using for development. This last caveat should be similar in Windows, since it's a browser requirement that the certificate common name matches the actual host. Browsers like Firefox allows you to permanently trust a certificate, thus avoiding all the certificate installation on the OS and trusting.
A proxy app
proxy-like app to act as a man in the middle and decode the encrypted information, in order to see the actual requests and response being sent and received from the server. There should be other software, but the one I use and love is Charles Proxy, which can do this and tons more.
Hope it helps!
Related
I have an application that can send HTTP requests (It uses Alamofire to achieve this). The problem I have is that the URL I'm using isn't secure, it is our company API for connected devices.
At the moment the user has to manually visit the API and trust it, then add a random certificate to keychain... Not very elegant.
I've created my own SessionManager : Alamofire.SessionManager and used .disableEvaluation on the URL, it is listed in the info.plist under App Transport Security Settings -> Exception Domains. All correctly formatted to the best of my knowledge. None of it prevents to user having to manually visit the site to trust it.
Anyone got any ideas?
I have a relatively successful app in the app store that allows people to view metrics on their iDevice using a JSON file hosted on the their server. The app has a simple settings screen in which you simply type the URL of your JSON file and the app takes care of visualising the data in the file. I use AFNetworking for this.
For example the URL might be: http://www.mylargecompany.com/factorykpi.json
Customers are now coming back to me and asking for the ability to connect to their servers more securely. Problem is there is a myriad of ways you can secure your server.
I need some advice. What kind of standard security features would I need to build into my app. I am confused by OAuth, HTTPS, etc.
I believe OAuth would mean the customers server would have to use it? Can you make a generic OAuth login screen in an app or do you need to know which web server you are connecting to authenticate.
Any advice on even the most basic of security measure would be very welcome!
Regards,
MonkeyBusiness
Security is really a very broad topic. There is no short answer. In any case, both web service and client app need to implement security mechanisms. I would recommend, you provide both the web service and client app.
You likely need some user login with a password, "server verifies user identity" and "client verifies server identity" using certificates. Then you utilize HTTPS which ensures to transport confident data in a secure way. The web service should be implemented with one of the well known web application frameworks since security is a scary business, and tricky. Implementing everything yourself, might end in a suboptimal insecure application.
You should now read more about the complex topic and come back when you have specific questions.
... most basic would be to use https, which would secure the transaction, but anybody accessing the same link would be able to access the same data. Thus you will need some kind of authentication, starting with a simple secret key passed as POST request, username and password and/or via certificates.
Web Servers have settings by which you request client certificates - for eg. SSLVerifyClient require in Apache, a different setting in IIS etc. If this is set, then the browser throws up a dialog asking you to chose a certificate.
Is it possible to ask for a certificate dynamically? i.e. I am really not interested in 2 way SSL - however, I want to ask the user to register his certificate with my application which will be used in a different context. So I need to let the user chose one of the certs registered in his browser and access the cert in my application. How do I do this?
Is this possible at all?
I have figured out one way to do this - I have a upload link in my application - this points to a Virtual Directory which has Client Side Authentication required property. So when the user clicks on the link - it triggers a SSL Renegotiation. The browser throws a dialog which lets the user chose from the registered certs. Once he chosen the certificate, SSL renegotiation happens and the I can access the cert in the application. The SSL renegotiation ensures that the user has the private key corresponding to the Cert.
If there any problems with this method or if there is a better way to do this, I am most certainly interested in doing it.
Also, I am currently doing this in IIS - but I think something like this should be possible in most other webservers also.
I am building a RESTful API in Python with the Pylons framework, serving it with Apache2 and mod_wsgi, and would like to connect it to an iPhone app. I have very little experience with HTTPS, SSL, and certificate authorities, and I am wondering how I would go about securing my API.
How do I make sure that the API is being served through HTTPS? Is it necessary to, as in this example, set up an SSL certificate? If I sign an SSL certificate through an authority not recognized by iOS (CACert.org, for example, and mainly because it is free), will that affect my app's ability to communicate with my server? How have others solved this problem of securing communications between a web-based RESTful API and iPhone apps?
Also, how does OAuth fit into all this?
This really depends on what you mean by "securing" your API.
Do you mean that you want to A) secure it so that unauthorized people are unable to access the API or B) do you mean that you want some level of encryption on the data passed back and forth between the client and server?
If the answer is B or both, then you will definitely need to look at getting an SSL certificate and installing it on the server. Most certificate authorities have guides on how to do this.
I'm not sure what you mean by "an authority not recognized by iOS" but you should still probably consider forking out the dough for a certificate from a recognized authority. It still wouldn't hurt to try CACert.org though if they are offering free certificates. I can't really see there being any problem in terms of the ability of communication between server and client being affected.
In terms of securing your API from unauthorized clients, you could check out OAuth (see http://oauth.net/). There are various Python libraries for OAuth. Check out https://github.com/simplegeo/python-oauth2 for example. The only thing you may want to consider is that there is a reasonable learning curve when it comes to implementing OAuth.
The second link above demonstrates a simple OAuth client and also has example code for a three-legged authentication process.
You can handle certificates programmatically in iOS. You can even use self-signed certificates as long as your code acknowledges the fingerprint. I can't remember the details off the top of my head, but I know you can use didReceiveAuthenticationChallenge to do this.
In the long run, it is simpler to just buy a cert (cacert.org won't do).
I know that you need a secure https thingy to hose a valid app on. But if I just want to test some stuff, like how to make use of the social plugins from within a flash app and so on, do I need a secured url as well?
Or is there something like a testuser for that too, that doesn't care about this but let's me simply test the stuff?
Thanks for any help.
"All Canvas apps must process signed_request (fb_sig will be removed) and obtain an SSL certificate (unless you are in Sandbox mode)." Via: Facebook Dev Blog - https://developers.facebook.com/blog/post/497
Just set your app to sandbox mode. And you should be all set. Otherwise you could always look into a service such as this: http://www.social-server.com
This is no longer possible. Facebook now requires a HTTPS connection: the Secure Browsing option under Account Settings is no longer available.