What is the best and safest way to identify a device in webservice? [closed]


I'm developing an app (currently only Android - pure Java) that will consume a webservice made in PHP (I use the Silex mini framework).

As we know, today we have to protect everything as much as possible, so I took some security measures:

  • I will use HTTPS on all requests between devices and the webservice;
  • Each device receives a unique key when it is opened for the first time, the key allows access and identifies the device on the server.
  • Note: The key is stored on both the server and the user's device and on any request this key is sent to the server and the server checks to see if it is the same as the one it has.

I also want to implement more security measures, such as encrypting the data before it leaves the devices or the webservice (and obviously decrypting it when it reaches its final destination); of course each device will have its own password and the server would have all the passwords. I still do not know how I will do this, so if someone wants to give some advice it will be welcome. Another thing I will do is obfuscate the app code.

But at the moment what bothers me is the information exchange between the server and the devices; the form I am working with is very superficial, so I would like to increase the security of the requests. But I have no idea how to do this, and I ask the community for tips to improve my applications.

    asked by anonymous 13.02.2017 / 09:35

    1 answer


    What you are looking for is an authentication or authorization method for your WebService, but this varies depending on the technology you used to develop your WebService. If you are using SOAP WebServices or WCF with .NET, it is one approach; if you are using REST APIs, the approach is another. Do you understand how this can be complex?

    I'm going to give you some information that can give you an insight into what can be done, based on the .NET technologies that I know best. Also, you did not explain what technology you used to develop your backend.

    Basically, authentication with Web services involves sending some information in the header of the request and processing this data on the server, validating the user (device) or not, which should generate an error.

    There are libraries and frameworks that help you do this in every technology; for example, ASP.NET MVC has ASP.NET Identity with OAuth 2.0, which can be used with Web API and also integrates your application with social networks like Twitter and Facebook.

    Within each approach, there are also many ways to implement authentication.

    Now, if you want to develop everything by hand, which is not ideal, you can include a parameter in the WebService methods that can serve as a validation token, and in each one you can create a method to validate this token.

    I'm not proud of this, but I've done it a few times; below is an example of a method I created in a WCF:

    using System;
    using System.Collections.Generic;
    using System.Linq;

    public class WcfClientValidations : IWcfClientValidations
    {
        DataContext context = new DataContext();

        // The entity type "Data" is assumed; the original declared the method as
        // returning string while returning a List.
        public List<Data> GetData(string clientToken, int code)
        {
            TokenValidation(clientToken);

            // "==" for comparison: the original "=" is an assignment and does not compile in a predicate
            return context.Data.Where(o => o.code == code).ToList();
        }

        private void TokenValidation(string clientToken)
        {
            if (string.IsNullOrEmpty(clientToken))
            {
                throw new Exception("Token inexistente !");
            }

            try
            {
                // The token is just the client code in Base64. Base64 is an encoding,
                // not a secret, so the token proves nothing beyond knowing the client code.
                var clientCode = int.Parse(Base64Decode(clientToken));

                // FirstOrDefault() yields null when nothing matches; Where() never does,
                // so the null check below was never reached in the original
                var clientDb = context.Clients.FirstOrDefault(o => o.code == clientCode);

                if (clientDb == null)
                    throw new Exception("Cliente inexistente ou token inválido !");
            }
            catch (Exception e)
            {
                // keep the original cause as the inner exception instead of discarding it
                throw new Exception("Problemas ao validar o cliente !", e);
            }
        }

        private static string Base64Decode(string base64EncodedData)
        {
            var base64EncodedBytes = System.Convert.FromBase64String(base64EncodedData);
            return System.Text.Encoding.UTF8.GetString(base64EncodedBytes);
        }
    }


    As you can see, in the GetData method I receive a clientToken that is converted and validated, throwing an exception if the client does not exist.

    I hope I have helped, although I did not have much information in the question.

    13.02.2017 / 11:51
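The token in the answer's code is only the client code in Base64, so anyone who knows a client code can produce a valid token. The per-device key scheme the question describes avoids that if the key is unguessable, stored only as a hash, and compared in constant time. The following is an added example in PHP (the asker's backend), not code from the question, the answer or Silex; `$store` and all function names are hypothetical stand-ins:

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answer. $store is a plain
// array standing in for the server's database; all names are hypothetical.

// Called once, on the device's first launch. The key is 32 random bytes from
// the CSPRNG, so it cannot be guessed or derived from a device or client ID.
// Only its SHA-256 hash is stored: a leaked table yields no usable keys.
function issueDeviceKey(array &$store, string $deviceId): string
{
    $key = bin2hex(random_bytes(32));
    $store[$deviceId] = hash('sha256', $key);
    return $key;   // delivered to the device once, over HTTPS
}

// Called on every request, with the device ID and key the client sent.
// Hashing the presented key first gives two fixed-length strings, and
// hash_equals() compares them in constant time, so the check leaks nothing
// about the stored value through response timing.
function validateDeviceKey(array $store, string $deviceId, string $presentedKey): bool
{
    if (!isset($store[$deviceId])) {
        return false;   // unknown device fails the same way as a wrong key
    }
    return hash_equals($store[$deviceId], hash('sha256', $presentedKey));
}

// Constructed usage: first launch, then one valid and two invalid requests.
$store = [];
$key = issueDeviceKey($store, 'device-0001');
var_dump(validateDeviceKey($store, 'device-0001', $key));
var_dump(validateDeviceKey($store, 'device-0001', $key . 'x'));
var_dump(validateDeviceKey($store, 'device-9999', $key));
```

In a real deployment the key still travels only over HTTPS, and a key that leaks is revoked by deleting its hash, which is all the server ever held.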