I have android app, that makes http request to get files on my server,
I had to migrate all my data to new server, but i still see many get requests on old server, which mean someone stole my links, or my app it self.
I'm currently using NGINX (I can change to Apache) to serve these files,
My question: Is there a way to allow accessing these files from only a single mobile app, based on package name for example ?
Currently, I'm serving files as hot link, example : www.xxx.com/abc.mp4
I read about setting a new user-agent in requests, so that i can allow/deny access based on that value, but if someone tries to reverse engineering my app and re-build it, he can use same user-agent.
So, Please advise if there is an optimal or better solution.
Thanks,
You could disable direct file access and expose some services that send files in their response. By this way you could add some logic to protect your files. I don't know if your app uses some authentication process, you may add some certificate or something else
Related
In my app, I am downloading some components of the app directly from the server, but then I want to check the download source to know if those components were actually downloaded from that server. I thought of using getInstallerPackageName() but that only works for apps like the play store. Please what approach can I use to resolve this? I was thinking of checking the URL. But don't really know how to implement it. Thanks
This depends on what type of components you are downloading from the server directly.
If it is a file you can add file integrity checks, checksum, etc.
If you need to validate the source then you can create an allow list of servers, authorization headers and also add certificate checks if you need additional layer of security.
I have developed Restful Web-Service which returns jsonp objects. I am using this Web-Service in a Java (and sometimes in javascript for hybrid app) android app. Problem is anyone can access this Web-Service I have implemented. (So anyone can create an app and use my data). I want to make it secure by some kind of authentication. Please help me with some solution to secure Web-Service. maybe you suggest me I must use an user name and password like this:
http://www.example.com/jsonp.jsonp?username="test"&password="test"
you know any one can extract apk file and see it.
or maybe you suggest me check package name of app in remote server before allow.
but anyone can create same pakage-name and use that data...
In brief, How can a remote server trust an android app?
EDIT: language of server:php
I have an app and a server side service which my app communicates with with JSON.
I need to impliment security so that if someone gets hold of the urls they will only be able to just call them.
I know i need to use Oauth2 but I don't know how to exactly.
I have read this and it seems to be what I want but it's using google accounts.
Can anyone give me an example or steps I must take to make sure only my app is able to get a response from my server?
You can add accesstoken for each http request.It can be just a string.
As you know, if you want to use oauth/oauth2, you should implement your oauth server. And if you really want to do so, you could find some opensource project. But in a simple way, just add a app code(like the accesstoken, anything just used to identify your app) manually to each http request. in this way, if others know your app code, they are also able to send request to your server.
I have made a web application using Java EE 6 (using reference implementations) and I want to expose it as a REST web service.
The background is that I want to be able to retrieve data from the web application to a iOS app I made. The question is how would I secure the application? I only want my application to use the web service. Is that possible and how would I do this? I only need to know what I should search for and read and not the actual code.
Unfortunately, your webservice will never be completely secure but here are few of the basic things you can do:
Use SSL
Wrap all your (app) outbound payloads in POST requests. This will prevent casual snooping to find out how your webservice works (in order to reverse engineer the protocol).
Somehow validate your app's users. Ideally this will involve OAUTH for example using Google credentials, but you get the idea.
Now I'm going to point out why this won't be completely secure:
If someone gets a hold of your app and reverse engineers it, everything you just did is out the window. The only thing that will hold is your user validation.
Embedding a client certificate (as other people have pointed out) does nothing to help you in this scenario. If I just reverse enginneered your app, I also have your client certificate.
What can you do?
Validate the accounts on your backend and monitor them for anomalous usage.
Of course this all goes out the window when someone comes along, reverse engineers your app, builds another one to mimic it, and you wouldn't (generally) know any better. These are all just points to keep in mind.
Edit: Also, if it wasn't already obvious, use POST (or GET) requests for all app queries (to your server). This, combined with the SSL should thwart your casual snoopers.
Edit2: Seems as if I'm wrong re: POST being more secure than GET. This answer was quite useful in pointing that out. So I suppose you can use GET or POST interchangeably here.
Depends on how secure you want to make it.
If you don't really care, just embed a secret word in your application and include in all the requests.
If you care a little more do the above and only expose the service via https.
If you want it to be secure, issue a client certificate to your app and require a
valid client certificate to be present when the service is accessed.
my suggestions are:
use https instead of http. there are free ssl certificate avaliable,
get one and install.
use a complex path such as 4324234AA_fdfsaf/ as the root end point.
due to the nature of http protocol, the path part is encrypted in the https request. therefore it's very safe. there are ways to decrypt the request through man-in-the-middle attack but it requires full control over the client device including install an ilegal ssl certificate. but, i'd spend more time on my app to make it successful.
Create a rule on the machine which hosts your Web Service to only allow your application to access it through some port. In Amazon EC2, this is done creating a rule in the instance Security Group.
We have used RestEasy as a part to securing our exposed RESTful webservices. There should be lot of example out there but here is the one which might get you started.
http://howtodoinjava.com/2013/06/26/jax-rs-resteasy-basic-authentication-and-authorization-tutorial/
You can also use OAUTH:
http://oltu.apache.org/index.html
My program needs to download object definitions (basically xml files, maybe binary files) on demand via the net. The program will request objects from my server during runtime. The only thing the program has to send the server is a string that identifies the object it needs (e.g. RedCubeIn3DSpace23). So a basic Key, Value system. My app also has to have some basic authentication mechanism to make sure only legitimate programs access my server’s info. Maybe send the license number and a password.
What is the best way to go about implementing this? I have 0 web knowledge so I'm not sure exactly what technologies I need. I have implemented socket programs in college so maybe that is what I need? Are there frameworks for this type of thing? There could be thousands of users/clients simultaneously; maybe more but I don’t know.
One super important requirement is that I need security to be flawless on the server side. That is, I can't have some hacker replacing object definitions with malicious one that clients download. That would be disastrous.
My first thoughts:
-Set up an ftp server and have each xml file will be named by the key value. Program logs in with its product_id and fixed password and just does downloads. If I use a good ftp server, that is pretty impervious to a hacker modifying definitions. Drawback is that it's very non expandable nor flexible.
-RESTful type system. I just learned about this when searching stackoverflow. I can make categories of objects using URL but how do I do authentication and other actions. Might be hard to program but is this a better approach? Is there a prebuilt library for this?
-Sockets using Java/C#. Java/C# would protect me from overflow attacks and then it is just a matter of spawning a thread on each connection and setting up simple messaging protocol and file transfers.
-SOAP. Just learned about it while searching. Don't know much.
-EC2. I think it (and other?) cloud services add a db layer over it.
That's what I can come up with, what do you think given my requirements? I just need a little guidance.
HTTP seems a better fit than ftp, since you only want to download stuff. That is, you would set up a web server (e.g. Apache), configure it for whatever authentication scheme you need, and have it serve that content.
SOAP is clearly overkill for this, and using raw sockets would be reinventing the wheel (i.e. a web server).
I'd do security on the socket level, using HTTPS. That way, the client will verify the identity of the server prior when establishing the connection, and nobody can intercept the password sent to the server. Again, a decent webserver will support this out-of-the-box, you just need to configure it properly.