Cross-Domain Application Security Doubt

4

I have a question regarding the security of cross-domain applications ...

It is as follows, in case I have a hybrid APP that will run on a smartphone and will make requests ajax cross-domain to an api (in this case multiple .php files) that are hosted on any site, how can I ensure that only my APP will consume these services?

Would it be using session ?

I know that there are also several hosting control panels that offer password protection of the domain folders, but this would mean that every time the APP was opened, the user had to enter that password for the site, which is not interesting.

Anyway, any ideas? Thank you.

    
asked by anonymous 16.06.2016 / 05:44

3 answers

6

Use encryption and authentication via client certificates in a mechanism known as authentication [ 1 ].

  • Create a self-signed server-side SSL certificate and install it on your web server. You can use the keytool included in the Android SDK for this purpose.
  • Next, create a self-signed client and install in your application on a custom keystore linked to your application as a resource keytool in> will generate this keystore as well).
  • Configure the server to require client-side SSL authentication and only accept the certificate that you have generated for your Android application.
  • Configure the Android application to use this certificate to identify itself and only accept the server-side certificate installed on your server.

To make difficult man-in-the-middle attacks that simply use the certificate hierarchy to intercept your content, please complement this implementation with

You will ensure that Android clients will only connect to the server you specify, and that your application server will only accept connections from clients authorized by the certificate.

Session tokens and cookies , even under HTTPS, are not guarantee of origin.

1 credits to @cantoni by mentioning the model name.

Sources and references:

link
link
link
link

    
21.07.2016 / 21:08
1

In addition to login and password authentication you can use Token as informed. There are some tools like JWT .

Basically you will have a string of characters in both systems, for example "abcd". During a request you pass "abcd" to the other system that will check if it hits the server sequence. If positive, authorize the request, if not deny.

In a real environment, this stream has more characters and is encrypted using some encryption technology. Tools like the one I cited help with these procedures.

Look for tutorials with the technologies you use for example AngularJS + JWT: link

    
20.07.2016 / 19:30
0

Authentication exists for you to resolve this problem securely and is unique in the HTTP protocol.

You have these options among others listed here, these are the most used and recommended:

Basic Authentication (TLS)

Basic Authentication is the easiest to implement because it can be implemented most of the time, without any more library ... Its problem is that it is "basic", and so it has its level of security than other protocols. You send your username and password through a Base64 Encode Encode, and it uses SSL to further encrypt (TLS). After that you can create a session table, generate a hash and use that in your browser saving application.

Oauth2 (Recommend):

Oauth2 uses SSL (TLS) to encrypt password / user and other non-mandatory properties as a scope. It is actually a protocol, complex, and used in the authorization system of Google and Facebook. I use it on a big project, and I do not recommend it for your case. I recommend that you use (if you choose OAuth2) a third party service for the job: link

Third party use as Stormpath

You can use third-party services to do all the work, but it's an extra cost, and you get kind of tied up with the service. link

    
21.07.2016 / 20:08