SSL Connection with Simple Signature Android
  • Hi karim,

    You have mentioned in your documentation that it is highly recommended to use an SSL connection when using a simple signature to avoid data interception and replay attacks.
    My question is how to do this, I mean is there any keystore for your servers that I can add to the SSL Connection?

    Thank you
  • Hi nour,

    I am not sure I understand your question, as prefixing the URL of your requests to Apstrata with "https" instead of "http" should be enough. Could you please elaborate?

    Karim
  • I mean, when you create the HttpClient in Java, how do you secure the HttpConnection? Using SSL, true?

    My question: are you allowing all issuers to send the request? Are you trusting all networks in your Android SDK?
  • Yes, we secure all connections using SSL, and yes, we are allowing all issuers to send the request.
    Do you have a specific need?
  • I just wanted to know, but is this a secure way to trust all issuers?
  • As you know, requests sent to Apstrata applications have to be authenticated (using the signature) before reaching the back-end, and you can further apply permissions on what the authenticated caller can do within the application. 

    As for browser-based (or similar) scenarios with authentication tokens, Apstrata is configured by default to bind requests to referrers. 

    So on the back-end, we got the situation covered and we guarantee the security of your app. with no connection to the caller's certificate.

    Are you worried about what developers could do from within the client side of the application (i.e. the part that is using the Apstrata back-end)?
  • Thank you Karim for the clarification.
    One more question: in the case of sign-up and using the anonymous connection, there are no worries about a man-in-the-middle attack or any security gap, true?
  • You're welcome.

    The short answer to your question is "true" ;)

    Anonymous connections - i.e. unsigned requests - can only be made to invoke Apstrata scripts or saved queries that clearly specify that they accept unsigned requests, i.e. unauthenticated calls (this is done by setting their "execute" ACL to "anonymous"). There are a few cases when you want to do that such as, as you mention, sign-up (registration) scripts.

    However, this does not mean that the caller will have access to all the back-end since the developer should make sure to control what is done inside his script.

    In the case of sign-up scripts, the worst that can happen is to register fake users (who do not have access to other users' data), although this can be resolved by implementing a two-step registration process (e.g. first, set the user's suspended field to true, then send a pin code + temporary auth token to the end user, or a confirmation link signed with a temporary auth token. The pin code / link could be used to invoke a secured script that will switch the user's suspended field to false).

    Hope this helps
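
The two-step registration described in the last reply, sketched as an added example that is not part of the original thread and is not Apstrata code. The in-memory `Map`, the function names, the 10-minute token lifetime, the hashing of stored secrets and the 5-attempt cap are all assumptions made for illustration.

```javascript
// Added example: in-memory sketch of a two-step sign-up.
// The Map stands in for the user store; none of these names are Apstrata APIs.
const nodeCrypto = require('node:crypto');

const users = new Map();             // login -> user record (hypothetical store)
const TOKEN_TTL_MS = 10 * 60 * 1000; // assumed lifetime of the temporary token
const MAX_ATTEMPTS = 5;              // assumed cap on confirmation attempts

const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest();

// Step 1: the anonymous sign-up script. It creates the user as suspended and
// returns the pin and temporary token that would be sent to the end user.
function signUp(login, now = Date.now()) {
  if (users.has(login)) return null;
  const pin = String(nodeCrypto.randomInt(0, 1000000)).padStart(6, '0');
  const token = nodeCrypto.randomBytes(16).toString('hex');
  users.set(login, {
    suspended: true,
    pinHash: sha256(pin),            // keep hashes, not the secrets themselves
    tokenHash: sha256(token),
    expires: now + TOKEN_TTL_MS,
    attempts: 0,
  });
  return { pin, token };             // delivered out of band (e-mail, SMS)
}

// Step 2: the secured confirmation script. Only an unexpired token together
// with the matching pin switches the suspended field to false.
function confirm(login, pin, token, now = Date.now()) {
  const u = users.get(login);
  if (!u || !u.suspended || now > u.expires) return false;
  if (u.attempts >= MAX_ATTEMPTS) return false; // limits guessing of the pin
  u.attempts += 1;
  const pinOk = nodeCrypto.timingSafeEqual(sha256(String(pin)), u.pinHash);
  const tokenOk = nodeCrypto.timingSafeEqual(sha256(String(token)), u.tokenHash);
  if (pinOk && tokenOk) {
    u.suspended = false;
    u.pinHash = u.tokenHash = null;  // single use
  }
  return pinOk && tokenOk;
}

const isSuspended = (login) => users.get(login)?.suspended ?? null;
```

A fake registration stays suspended and cannot be activated without the secrets sent to the real end user.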
