Cross-Domain Application Security Questions


4

I have a question about the security of cross-domain applications...

Here is the scenario: I have a hybrid app that runs on a smartphone and makes cross-domain AJAX requests to an API (several .php files) hosted on some website. How can I ensure that only my app consumes these services?

Would it be by using a session?

I know there are also several hosting control panels that offer password protection for a domain folder, but this would mean that every time the app opens the user has to enter the site's password, which is not interesting.

Anyway, any ideas? Thank you.

  • Using authentication and a session.

  • But assuming there was already, for example, a working login screen inside the app, how would this authentication work? Because the authentication information I use is just the configuration parameters for the cross-domain connection (URL, user, password, database name). How could I perform this other authentication without the user having to enter another login and password?

  • 1

    Do you know what a token is? Instead of a session you can use a token.

  • Hello, I don't know this concept of a token... I did some research here; could you give me a small example or a link so I have a starting point?

3 answers

6


Use encryption and authentication via client certificates, in a mechanism known as mutual authentication [1].

  • Create a self-signed SSL certificate for the server side and install it on your web server. You can use the keytool included in the Android SDK for this purpose.
  • Then create a self-signed client certificate and install it in your application, in a custom keystore bundled with the application as a resource (keytool will generate this keystore as well).
  • Configure the server to require client-side SSL authentication and to accept only the certificate you generated for your Android application.
  • Configure the Android app to use this certificate to identify itself and to accept only the server-side certificate installed on your server.

To make man-in-the-middle attacks that simply exploit the certificate hierarchy to intercept your content harder, complement this implementation with certificate pinning.

You will then ensure that Android clients only connect to the server you specify, and that your application server only accepts connections from clients authorized by the certificate.

Session tokens and cookies, even under HTTPS, are no guarantee of origin.

[1] Credit to @Cantoni for the name of the model.

Sources and references:

https://stackoverflow.com/a/9432833/1845714
https://support.microsoft.com/en-us/kb/901183
http://chariotsolutions.com/blog/post/https-with-client-certificates-on/
https://security.stackexchange.com/a/29990/18139

  • 1

    I believe this is as much as can be done. Even so, reverse engineering can obtain the certificate, making it possible to use it outside the application. Whenever I see a subject like this I remember this http://mokhdzanifaeq.github.io/extracting-instagram-signature-key-2/ and now Pokemon GO at https://applidium.com/en/news/unbundling_pokemon_go/. :S

  • Excellent answer. This is mutual authentication: https://en.wikipedia.org/wiki/Mutual_authentication

  • @Cantoni, thanks for mentioning the model; if you don't mind, I included it in the answer.

  • 1

    @Onosendai, I didn't even need the credit, but since you gave it, thank you. :-)

  • 1

    @Inkeliz, you are correct. A malicious agent with enough time and dedication can, at worst, run the APK in a virtual environment and extract the keys directly from memory. However, some risk factors can be minimized. I mentioned certificate pinning as one of those practices.

  • 1

    Hi, I'm going to mark this one as the answer because I found it the most complete. Although it is not exactly what I was looking for (because I need security solutions not only for the Android platform but for others as well), it was the answer that broadened my knowledge in the area. Thank you.

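The four steps of the accepted answer, expressed with Python's standard `ssl` module as an added example (not code from the answer or from Android's keytool): a server context that accepts only the one client certificate shipped with the app, a client context that trusts only the server's self-signed certificate, and a pin check on the server certificate's SHA-256. The file names `server.pem`, `server.key`, `client.pem` and `client.key` are assumed.

```python
"""Mutual TLS plus certificate pinning (added example, stdlib only).

Assumed, hypothetical files: server.pem/server.key (self-signed server cert)
and client.pem/client.key (self-signed client cert bundled inside the app).
"""
import base64
import hashlib
import hmac
import socket
import ssl
from typing import Iterable


def server_context(server_cert: str, server_key: str, client_cert: str) -> ssl.SSLContext:
    """API side: present the server cert and accept only the one client cert we issued."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)   # system CAs deliberately NOT loaded
    ctx.load_cert_chain(certfile=server_cert, keyfile=server_key)
    ctx.verify_mode = ssl.CERT_REQUIRED             # handshake fails without a client cert
    ctx.load_verify_locations(cafile=client_cert)   # the self-signed client cert is the only trust root
    return ctx


def client_context(client_cert: str, client_key: str, server_cert: str) -> ssl.SSLContext:
    """App side: trust only our server's self-signed cert and present the client cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + check_hostname by default
    ctx.load_verify_locations(cafile=server_cert)   # again, no system CAs
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def cert_pin(der_cert: bytes) -> str:
    """Pin = base64(SHA-256(DER certificate)); compile this value into the app."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode()


def pin_matches(der_cert: bytes, expected_pins: Iterable[str]) -> bool:
    """Constant-time comparison of the peer cert's pin against the pinned set."""
    actual = cert_pin(der_cert)
    return any(hmac.compare_digest(actual, p) for p in expected_pins)


def connect_pinned(host: str, port: int, ctx: ssl.SSLContext, pins: Iterable[str]) -> ssl.SSLSocket:
    """Open a TLS connection and drop it unless the server cert is one we pinned.
    The self-signed server cert must carry `host` in its SAN for check_hostname to pass."""
    tls = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pins):
        tls.close()
        raise ssl.SSLError("server certificate does not match any pinned certificate")
    return tls
```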

1

In addition to login and password authentication you can use a token, as mentioned. There are tools like JWT for this.

Basically you will have a string of characters on both systems, for example "abcd". During a request you pass "abcd" to the other system, which checks whether it matches the sequence on the server. If it does, the request is authorized; if not, it is denied.

In a real environment this sequence has more characters and is encrypted using some encryption technology. Tools like the one I mentioned help with these procedures.

Search for tutorials with the technologies you use, for example AngularJS + JWT: https://thinkster.io/angularjs-jwt-auth

  • Hello, I searched and searched the internet and found some information, mainly using Angular. However, I'm not using Angular; could you give me a very basic example just to get me started?
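A framework-free illustration of the token scheme this answer describes, added here and not part of the answer: after the app's login succeeds, the server issues an HS256-signed JWT (signed with a server-side secret, not encrypted), and every later request is authorized only if the signature verifies and the token has not expired. `SECRET` is a constructed demo value.

```python
"""Minimal HS256 JWT issue/verify with the standard library (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret-keep-server-side"  # never ships inside the app


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, secret: bytes = SECRET, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Called once, right after the app's own login succeeds."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": user, "iat": now, "exp": now + ttl}, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_token(token: str, secret: bytes = SECRET, now: Optional[int] = None) -> Optional[dict]:
    """Called on every API request; returns the claims or None if the token is rejected."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        # Never trust the algorithm named in the token: only our own HS256 is acceptable.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):   # constant-time compare
            return None
        claims = json.loads(_unb64url(payload_b64))
    except (ValueError, TypeError):
        return None
    if claims.get("exp", 0) <= now:   # expired tokens are refused even with a valid signature
        return None
    return claims


if __name__ == "__main__":
    tok = issue_token("alice")
    print(tok)
    print(verify_token(tok))
```

The app stores the returned token and sends it on each request (for example in an `Authorization: Bearer` header); the PHP side only needs the same `SECRET` and the same verify logic.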

0

Authentication exists so that you can solve this problem in a safe, standardized way within the HTTP protocol.

You have these options, among others; the ones listed here are the most used and recommended:

Basic Authentication (TLS)

Basic Authentication is the easiest to implement, because most of the time it can be done without any extra library... Its problem is that it is "basic", and so its security level is lower than that of the other protocols. You send your username and password in Base64 encoding and use SSL (TLS) to encrypt them further. After that you can create a session table, generate a hash and use it in your application by saving it in a browser cookie.

OAuth2 (I recommend it):

OAuth2 also uses SSL (TLS) to encrypt the user/password and other non-binding properties such as the scope. It really is a complex protocol, used in the authorization systems of Google and Facebook. I use it on a big project of mine, and I don't recommend it for your case. If you do choose OAuth2, I recommend using a third-party service for the job: https://auth0.com

Use of third parties such as Stormpath

You can use third-party services to do all the work, but it is an extra cost, and you end up somewhat tied to the service. https://stormpath.com/
