Hi,

I have an iPhone app accessing an ASP.NET Webservice for data. Since I'm building both the ASP.NET end and the iPhone part of the app, and we'll shortly be publishing it in the Appstore, I'd like to know what security checks I need to make.

The basic flow of the program (without divulging too much info about it) is as follows -

  1. Login (enter username and password on the app)
  2. Primary screen where the data is loaded from a webservice and presented
  3. Post data back after a few updates by the user

I'm using POST to send the data to the Webservice via HTTPS. I'm sanitizing the inputs, checking for length of the inputs, but that's the limit of my knowledge as far as security goes. Any other tips are greatly appreciated!

Edit: I should probably add that our service needs to be subscribed to separately and the iPhone component of it cannot be used alone. So the average user will not have login credentials. And the app itself has healthcare data in it, so I'd rather not have anyone trying attacks from my login page.

Thanks,
Teja.

+1  A: 

There are a number of things you need to look into. You control both the client and the server side, so you have to take a range of mitigations. It seems like you are taking the right approach, but you need to focus on the risks/threats and map a mitigation to each of them.

Examples:

  1. Authentication is done using a user name and password. What can go wrong here? The main threats appear to be interception of credentials on the wire, or loss of the device (or access to it). These would expose credentials to an attacker. If you use SSL to encrypt the wire traffic then it makes it difficult to sniff these on the network. But if you store the credentials on a device SSL does not protect you here. What you may want to consider are OAuth (delegated authentication) or storing hashed versions of the credentials with some sort of expiry. The OAuth route would be recommended and avoids a user entering and storing the credentials in your application. Instead the device stores a "key" which is independent of their user name and password. They can then log onto a web application and revoke the application. Storing hashed credentials with an expiry is not as secure but might be easier to implement in the short term as OAuth requires server and client changes.
  2. Devices like the iPhone may offer a level of cryptography and protection from local attacks but you should consider encrypting data which is stored by your application. You should also keep the amount of data stored to a minimum. This can be a challenge to implement but you need to manage the trade-offs with your users and management.

There are some resources out there which you may want to read. Material for Android or other mobile platforms may be useful reading too.

Securing the ASP.NET Web Services

Microsoft have published some guidance (and related WCF security) in this area but the focus tends to be on the web services aspect. You need to consider a more comprehensive approach to the security. Since the application is an ASP.NET application like any other, you should look to general ASP.NET security resources like Beginning ASP.NET Security and P&P Security Guidelines: ASP.NET. You might also want to do some more searching on StackOverflow.

BrianLy
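The first point of the answer above, the device holding a "key" that is independent of the username and password and that can be revoked from a web application, is easiest to see in code. The following is an added example, not code from the answer or from the asker's ASP.NET service: it sketches the server side of that scheme in Python rather than C#, with in-memory dicts standing in for the database (an assumption of this example). Passwords are stored only as salted PBKDF2 hashes, the per-device token is random and unrelated to the password, only a hash of the token is stored, every token carries an expiry, and a lost device can be revoked without the user changing their password.

```python
import hashlib
import hmac
import secrets
import time

# In-memory stand-ins for the service's database (assumption of this example).
USERS = {}    # username -> {"salt": bytes, "hash": bytes}
TOKENS = {}   # sha256(token) hex -> {"user": str, "device": str, "expires": float}

TOKEN_TTL = 30 * 24 * 3600   # token lifetime in seconds; 30 days is arbitrary
PBKDF2_ITERATIONS = 200_000


def _password_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register_user(username, password):
    """Store only a salted PBKDF2 hash of the password, never the password itself."""
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": _password_hash(password, salt)}


def check_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        # Hash anyway so an unknown username takes as long as a wrong password.
        _password_hash(password, b"\0" * 16)
        return False
    return hmac.compare_digest(_password_hash(password, rec["salt"]), rec["hash"])


def _token_key(token):
    # Only the hash of the token is kept server-side, so a leaked table
    # does not hand out usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def login(username, password, device_id, now=None):
    """Exchange the credentials once for a per-device token.

    Returns the token (which the phone stores instead of the password),
    or None when the credentials are wrong.
    """
    if not check_password(username, password):
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    TOKENS[_token_key(token)] = {
        "user": username,
        "device": device_id,
        "expires": now + TOKEN_TTL,
    }
    return token


def authenticate(token, now=None):
    """Return the username for a valid, unexpired, unrevoked token, else None."""
    now = time.time() if now is None else now
    key = _token_key(token)
    rec = TOKENS.get(key)
    if rec is None:
        return None
    if now >= rec["expires"]:
        del TOKENS[key]      # expired tokens are dropped on first use
        return None
    return rec["user"]


def revoke_device(username, device_id):
    """Invalidate every token issued to one device, e.g. after the phone is lost.

    This is what the user would do from the web application; the password
    does not need to change. Returns the number of tokens revoked.
    """
    keys = [k for k, v in TOKENS.items()
            if v["user"] == username and v["device"] == device_id]
    for k in keys:
        del TOKENS[k]
    return len(keys)
```

The phone sends the token over HTTPS on every request after login and never needs to keep the password. Note that the token must still be protected on the device (stored in the keychain, not a plist), since whoever holds it is the user until it expires or is revoked.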
Thanks, I'm already encrypting any content that the user stores in the iPhone; I'll look at OAuth. My other concern right now though is data and database security on the webservices end. Any help on that will be awesome.
Tejaswi Yerukalapudi
I updated my post with some web service security info.
BrianLy