I have a service with a Django-based RESTful API that is designed for iOS devices to access. I'd like to store some user data on the server -- non-sensitive things like favorites for example. I don't want to make a new user create an account, but I would like for the data to not be publicly available. The service also uses Apple's Push Notification Service (APNS). All traffic to and from the service uses TLS/SSL.
I am considering using a CFUUID generated by the device on first launch as a username and the token provided by APNS as a password. I would create a user account after I successfully register the device with APNS and update the password if the APNS token changes.
Is this a bad idea? Is there a better approach?
The approach I've decided to take is the above but without using the APNS token as a password. Instead, the CFUUID and token are sent as form-encoded data in the body of an HTTPS PUT request with a server-generated password to returned in the body of the response.
Related
Let say i have an android app with Reddit OAuth2 authentication. I initiate authorize request with my client id and user accepts the consent. Now i got the authorization code which will be exchanged for token in my server via HTTP request. This process will protect my client secret as it is in my server, but it actually doesn't. Anyone can take the client ID from the app by decompiling and initiate authorize request to reddit and exchange code for token from my server. They don't even need to know secret to get the token.
How can one protect the API against this kind of misuse (or attack?)?
Is there any way i can allow my API to accept requests only from my app and reject other requests (using SHA256 or etc.)?
I have looked up and studied about PKCE. But this is not useful in case as it only protect again code sniffing/intercepting and accept only the original authorize request initiator.
You will probably want to store a secret. When first opening the app (and after certain interval of times to keep it secure) you will need to generate a keypair. Store the private key on the device's Keystore and send over the public key to your backend. When authenticating to your api, sign the client's secret with the private key and verify it using the public key on the backend.
Note that this will induce substantial overhead to your login process. Because mobile devices are not necessarily well equipped to perform cryptography. Though this is less and less true.
EDIT: Your keypair will need to be issued from a CA you trust, otherwise this is all useless.
I am building a REST API as the backend for a mobile app. I would like to check if the requests made to the API are coming from our mobile app. However, the API will require end users to login in order to access certain endpoints.
My questions is, how could I authenticate all incoming requests to make sure they are coming from our own app, while also authenticating the end users for some requests?
I was thinking of sending an API key with all requests in the Authentication HTTP Header to authenticate the mobile app, and (separated by a comma) also send along a JWT for authenticating the end-user. While this could work, it seems a bit "hacky".
What is the standard way of authenticating both the mobile app and the
end-user of the mobile app at the same time?
Using an application token and a user-specific session token is one method of separating authentication of the two. The application token would be unique for your application, and should be obfuscated so that inspection of the client's binary would not lead to easy detection of the token. The user-specific session token should be generated when the user is logged in. The client adds this user session key to future API calls, the server will check if the session key is valid, and can use it to look up any session state stored for the client.
However, optimally, you would implement the full oauth2 spec. as outlined in this ultimate guide to mobile API security:
Here’s how OAuth2 token authentication works from a user perspective
(OAuth2 calls this the password grant flow):
A user opens up your mobile app and is prompted for their username or email and password.
You send a POST request from your mobile app to your API service with the user’s username or email and password data included (OVER SSL!).
You validate the user credentials, and create an access token for the user that expires after a certain amount of time.
You store this access token on the mobile device, treating it like an API key which lets you access your API service.
Once the access token expires and no longer works, you re-prompt the user for their username or email and password.
What makes OAuth2 great for securing APIs is that it doesn’t require you to store API keys in an unsafe environment. Instead, it will generate access tokens that can be stored in an untrusted environment temporarily.
This is great because even if an attacker somehow manages to get a hold of your temporary access token, it will expire! This reduces damage potential (we’ll cover this in more depth in our next article).
i'm trying to build a server with a rest api and database.
it has ios and android clients, where you can log in with facebook.
the server can receive the access token that the clients get when they log in for the first time, and send it to the server. the server stores it in the database.
now the server can make graph api calls on the clients behalf.
but here's my question:
the next time the client asks the server to do something on it's behalf, what info must it send so that the server knows who the client is? is it just the access token again?
thank you
Just the access token is enough to uniquely identify the user and the app.
You could try it by hitting graph.facebook.com/v2.10/me?fields=id&access_token=... with different tokens to check which user it is and whether the token is still valid.
Off topic, but since you're already using the server as the middle-man for your requests, I suggest using the code flow instead of token flow for added security: https://developers.facebook.com/docs/facebook-login/security#appsecret
My project include a web application, a mobile app and a REST API module.
The mobile app is made with Ionic 3 for android and uses a REST API located to an address like example.com/api.php on a server with https. The API has access to a MySQL database.
For the users who access the API I have to create the login/access to API function/logout since they already have the accounts created in the web application.
The main concern is to implement a secure login. Meaning, if someone tries to access my API without authorization (knows the address, the functions name or the used parameters name) to recive an error message. In order to access the API you must be logged in and to have the right to acces a certain section (I have multiple levels of access).
But how can I detect if an user that access my REST API is logged in and has the proper rights?
The plan:
For the login step
In order to access the REST API I have to login with username/password in app. I check if the credentials are correct (if the user exists then I determine the access level) and return a JWT with the user ID and other parameters if necessary (a token). Store in phones local storage the JWT.
To secure the access to REST API functions
The question is: HOW DO I DO THAT? How do I access secure a function from my REST API?
for every request that I make to the REST API should I send also the token from the Local Storage and verify it on the server side?
how do I perform the validation on the server? Do I store the token on the device and also on the server and compare them for each request?
Thanks a lot!
There are multiple ways to do it, it's all depends on you. Hence i am sharing the method i generally use, but not claiming it is most secure way.
We use encryption, decryption with private key. for example:
Register User Web-Service
ex. we have 4 params 1. username 2. name 3. email 4. password. with my register web service.
We will create SHA256 Hash using data concat with private key. then we will pass the hash key to server and at server side we will generate hash key with same method and compare both.
ex. string with private key = usernamenameemailpasswordprivatekey
sha256 of string = 7814b2d22af647308884acff0be4c675b7f72ba000cf1e8390520100cc930e74
You may have any sequence of your data string and same method will work with your server. Always use SSL certificate with your server for more security.
I'm evaluating whether to use Ionic's cloud Auth service and it seems like it's relatively easy to implement client-side, where you can check this.auth.isAuthenticated. You can also set the user info from the client side as well.
However, if I want to do check their identity server-side, such as check that a user is authenticated when they call my custom api to post a comment - how can I get some sort of token (preferably a JWT token) that I can use to validate their identity server-side? Assuming we are using email/password authentication.
Also - using their send notification on a user's birthday example, how can I query the user data in ionic cloud's database to say find all users who have a birthday today. Can I export out the user data in any way if I want to migrate away in the future?
You should implement a JWT authentication service server side.
In other words when the user is authenticated, the app can send a JWT token to the server which should be evaluated to trust the remote user.
For more info reads: https://docs.ionic.io/services/auth/custom-auth.html
A php example here: https://github.com/driftyco/custom-auth-examples/tree/master/php
Regards from Italy