What is the best and safest way to identify a device in the webservice?

I am developing an app (currently Android only, pure Java) that consumes a web service written in PHP (using the micro-framework Silex).

As we all know, these days everything has to be protected as much as possible, so I have taken some security measures:

  1. I will use HTTPS for all requests between the devices and the web service;
  2. Each device obtains a unique key when it is opened for the first time; the key grants access and identifies the device on the server.

Note: the key is stored both on the server and on the user's device; in every request this key is sent to the server, which checks whether it matches the one it holds.

I intend to implement further security measures, such as encrypting the data before it leaves the device or the web service and, of course, decrypting it when it arrives at its final destination; each device will have its own password and the server will hold all the passwords. I still don't know how I will do this, so if anyone wants to offer some advice it will be welcome. Another thing I will do is obfuscate the app's code.

But at the moment what bothers me is the exchange of information between the server and the devices. The way I am doing it seems very superficial to me, so I would like to increase the security of the requests, but I have no idea how to accomplish this. I have come to ask the community for tips so that I can improve my application.

  • Recommendations are very subjective. If you already have the web service, try searching for "forms of authorization and authentication in web services".

  • There is a lot of information missing from the question, including details such as which technology you used for the web service. I will post a more general answer just to point you in a direction, but you need to elaborate your question further.

  • @Pagotti yes, I agree, but I am in a drought of ideas on this subject, so I came to ask the community for any idea.

  • With the question update it became clearer what you are looking for. Regarding your concern about content security: if you are already using HTTPS I see no reason to encrypt the data. On the authorization issue, if you are using a token, check out JWT (https://jwt.io/introduction/).

  • @Pagotti does HTTPS protect all the information in the request? Because if it does not, an attacker could gain access to the necessary data, such as the token. I will look into this JWT, thank you.

  • @Mateusfmello HTTPS is a security layer on top of HTTP. The browser exchanges encrypted information with the web server. Of course it is not 100% safe, because it is based on certificates, that is, if someone has access to your key it can be broken, but even encryption of your own that you implement will have a key at the same risk. Certificates may also have costs.

1 answer

What you are looking for is a method of authentication or authorization for your web service, but this varies according to the technology used to develop it. If you are using SOAP or WCF web services with .NET it is one approach; if you are using REST APIs the approach is different. Do you see how complex this can be?

I will give you some information that might give you a hint about what can be done, based on .NET technologies, which are what I know, since you also did not explain which technology you used to develop your backend.

Basically, authentication with web services involves sending some information in the request header and processing that data on the server, which either validates the user (device) or not; in the latter case it should return an HTTP 401 Unauthorized error.

There are libraries and frameworks that help with this in every technology; for example, ASP.NET MVC has ASP.NET Identity, and OAuth 2.0 can be used with Web API and also integrates your application with social networks like Twitter and Facebook.

Within each approach, there are also numerous ways to implement authentication.

Now, if you want to develop everything by hand, which is not ideal, you can include a parameter in the web service methods that serves as a validation token, and in each one you can call a method that validates this token.

I am not proud of it, but I have done it a few times; below is an example of a method I created in a WCF service:

using System;
using System.Collections.Generic;
using System.Linq;
using System.ServiceModel;

public class WcfClientValidations : IWcfClientValidations
{
    private readonly DataContext context = new DataContext();

    // Every service operation receives the client token as its first parameter
    // and validates it before doing any work.
    public List<Data> GetData(string clientToken, int code)
    {
        TokenValidation(clientToken);

        return context.Data.Where(o => o.code == code).ToList();
    }

    private void TokenValidation(string clientToken)
    {
        if (string.IsNullOrEmpty(clientToken))
        {
            throw new FaultException("Token missing!");
        }

        try
        {
            // The token is the client's numeric code, Base64-encoded: decode it,
            // parse it and check that such a client exists.
            var clientCode = int.Parse(Base64Decode(clientToken));
            var clientDb = context.Clients.FirstOrDefault(o => o.code == clientCode);

            if (clientDb == null)
                throw new FaultException("Client does not exist or token is invalid!");
        }
        catch (Exception)
        {
            // Malformed Base64, non-numeric content or an unknown client all
            // surface to the caller as a single generic fault.
            throw new FaultException("Problem validating the client!");
        }
    }

    private static string Base64Decode(string base64EncodedData)
    {
        var base64EncodedBytes = Convert.FromBase64String(base64EncodedData);
        return System.Text.Encoding.UTF8.GetString(base64EncodedBytes);
    }
}

As you can see, in the GetData method I receive a clientToken, which is decoded and validated, throwing an exception if the client does not exist.

I hope I have helped, although there is not much information in the question.

  • So I am doing something similar. I am using PHP on the web service, so I did the following: the first time the user accesses the app, it connects to the web service and requests a token; the token is a SHA-512 hash generated from some information about the device that was sent in the request. This hash is saved on the device and in the web service, and on every new request this hash is checked, and so the device is granted permission or not.
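The scheme discussed across the question (a per-device key stored on both sides and checked on every request), the answer (credential in a request header, HTTP 401 on failure) and the comment above (a token issued on first run) is shown end to end below. This is an added example written for this page, not code from the question's PHP/Silex service, from the WCF answer or from any library; it is in Python so the request/response logic stays framework-neutral. Its assumptions are the header names `X-Device-Id` and `Authorization: Bearer <token>`, an in-memory dictionary standing in for the server database, and one deliberate departure from the comment above: the token is a random value from the OS CSPRNG rather than a hash of device attributes, and the server stores only a digest of it.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory stand-in for the server's database:
# device id -> SHA-256 hex digest of that device's token.
# Only the digest is stored, so a leaked table does not yield usable tokens.
DEVICE_TOKENS: Dict[str, str] = {}

# Assumed header names for this example; the client sends both on every call.
DEVICE_HEADER = "X-Device-Id"
AUTH_HEADER = "Authorization"

# Digest compared against when the device id is unknown, so that the
# unknown-device path does the same amount of work as a real comparison.
_DUMMY_DIGEST = hashlib.sha256(b"no-such-device").hexdigest()


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(device_id: str) -> str:
    """First-run registration: mint a token for the device and store its digest.

    The token is 256 random bits from the OS CSPRNG, so it cannot be recomputed
    by someone who learns the device's model, IMEI or other attributes.
    The raw token is returned to the device exactly once.
    """
    token = secrets.token_urlsafe(32)
    DEVICE_TOKENS[device_id] = _digest(token)
    return token


def rotate_token(device_id: str) -> str:
    """Replace a registered device's token; the previous token stops working."""
    if device_id not in DEVICE_TOKENS:
        raise KeyError(device_id)
    return issue_token(device_id)


def parse_bearer(headers: Dict[str, str]) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', or None if malformed."""
    scheme, _, value = headers.get(AUTH_HEADER, "").partition(" ")
    if scheme != "Bearer" or not value.strip():
        return None
    return value.strip()


def authenticate(headers: Dict[str, str]) -> Tuple[int, str]:
    """Validate one request's headers. Returns (HTTP status, message).

    Every failure returns 401 with the same message, so a caller cannot tell
    'unknown device' apart from 'wrong token'.
    """
    device_id = headers.get(DEVICE_HEADER)
    presented = parse_bearer(headers)
    if not device_id or presented is None:
        return 401, "Unauthorized"
    stored = DEVICE_TOKENS.get(device_id)
    expected = stored if stored is not None else _DUMMY_DIGEST
    # compare_digest takes the same time wherever the strings differ; a plain ==
    # would leak how long a matching prefix the attacker has guessed.
    matches = hmac.compare_digest(_digest(presented), expected)
    if stored is None or not matches:
        return 401, "Unauthorized"
    return 200, f"authenticated device {device_id}"


if __name__ == "__main__":
    # Walk-through with a constructed device.
    tok = issue_token("android-0001")
    good = {DEVICE_HEADER: "android-0001", AUTH_HEADER: f"Bearer {tok}"}
    tampered = tok[:-1] + ("x" if tok[-1] != "x" else "y")
    print(authenticate(good))                                          # 200
    print(authenticate({DEVICE_HEADER: "android-0001"}))               # 401, no header
    print(authenticate({**good, AUTH_HEADER: f"Bearer {tampered}"}))   # 401, bad token
    print(authenticate({**good, DEVICE_HEADER: "android-9999"}))       # 401, unknown device
```

The token only ever travels inside the TLS connection, so HTTPS does the transport encryption; what the server adds is an unguessable credential, digest-only storage and a constant-time comparison. On a device that is lost or rooted, `rotate_token` invalidates the old credential without touching any other device.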
