Hi All, I'm wrapping up my iPhone app. I'm just worried about security at our web server level. The data is being pulled over to the iPhone app via web services.

What security measures can I put on the web services so that I am not vulnerable?

Thanks

+4  A: 

A few pointers:

  • Verify all requests from the Web Service using RSA signed XML
  • Make sure everything is transmitted over SSL
  • Encrypt all data traffic. I recommend looking into the DUKPT key management system, using AES encryption.
  • Use WCF - It is the latest standard after all (also this)
  • Use some sort of web service authentication. This can be as simple as every request needing a username and password to be valid. This will slow down direct call attempts, and if you get the encryption right, you won't have to have the usernames and passwords in plain XML.
  • The most important thing is make sure the server itself is secure. If someone cracks the server, you're dead in the water, nevermind what else you do.

EDIT:

Have a look at this question for iPhone to .NET AES Interoperability.

Kyle Rozendo
Is there a standard encryption? I mean encrypting at the .NET level at the server, then decrypting in Xcode at the Apple iPhone level? Hope this is not a stupid question.
Raven
@Tricky - Basically you'll have to have a look. AES is a standard, so the iPhone should be able to support it.
Kyle Rozendo
You're likely going to be limited by the iPhone side of things.
Steven Sudit
Wow, so you recommend implementing 2 forms of encryption and 2 forms of authentication, but you make no mention of vulnerabilities like SQL injection. I'm sorry, but this post is over-engineering fail.
Rook
Where are you going to put an AES key or RSA private key? You did not think this through before posting.
Rook
@The Rook - He didn't mention SQL. He mentioned Web Services. RSA Signing and AES Encryption are two different things. Next, read about the DUKPT *key management* system (also, RSA only requires the public key for signature verification). I am also making suggestions, not giving full implementations. The above are all things to look into.
Kyle Rozendo
@Kyle Rozendo Actually HTTPS can use AES and RSA, so then what does AES over HTTPS give you? DUKPT is cool, but it's not going to stop an attacker who has jailbroken the device. "Complexity is the worst enemy of security." --Bruce Schneier.
Rook
@Kyle Rozendo Also he is asking how to protect himself, and layering alike crypto systems on top of a vulnerable web app doesn't cut it in my mind.
Rook
@The Rook - Now **that** I did not know about HTTPS. I still feel the most important part of security is securing the server itself. Anything that can be jailbroken is threatening, no doubt, which is why I say the server needs to be secure. As I said, these are simply suggestions to look into. I do, however, still stand my ground in regards to verification against data tampering using the RSA signature, regardless of the SSL. Apart from securing the app itself (which the above can help with), most "additions" are simply hurdles for a potential hacker to jump through if they're any good.
Kyle Rozendo
@Kyle Rozendo I agree, you should secure the server itself. I just don't see how preventing tampering helps in the slightest. The attacker can view all of the memory of the device at any moment, thus if any secret is used, like a private key, then it must be in plain text at the time of use and thus can be obtained by the attacker. In any client<->server model the server must only expose limited functionality; telling people otherwise is extremely damaging.
Rook
@The Rook - I'm not suggesting exposing anything more, and fully agree with this concept. The RSA anti-tamper at least allows the application to verify that the data came from the server, and is received as it's meant to be. It's a one-way validation, as the client only needs the RSA public key to verify the data from the server. This helps protect the client device. Also, if the SSL session is intercepted then the SSL encryption is rendered useless, which is a reason for still encrypting your data and not relying on the medium being used. I suppose I'm looking at a few client protection methods.
Kyle Rozendo
@Kyle Rozendo I can't really argue with that too much; to be honest, HTTPS does have problems. This Black Hat talk is really good: http://www.thoughtcrime.org/software/sslstrip/
Rook
@The Rook - Thanks, that's a nice site.
Kyle Rozendo
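As an added example that is not part of the original answer or its comments: the "RSA signed XML" pointer above, together with Kyle's later comment that the client only needs the server's public key, amounts to the exchange below. The server signs the exact response bytes with its private key, the app verifies with the public key only, and a body modified on the path fails verification. The `cryptography` package (`pip install cryptography`) is assumed; the XML payload, the envelope layout and the key size are constructed for the demo, and the body is carried base64-encoded so the signed bytes are never reserialized (which sidesteps the XML canonicalization that real XML-DSig needs).

```python
import base64
import xml.etree.ElementTree as ET

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Constructed sample payload: what the web service would hand back to the app.
SAMPLE_BODY = b'<account><id>42</id><balance>100.00</balance></account>'


def generate_server_keypair():
    """Server side only. The private key never leaves the server; the app ships
    with the PEM public key (assumed to be embedded in the app bundle)."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_pem = private_key.public_key().public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    return private_key, public_pem


def _signature_params():
    # RSA-PSS with SHA-256; both sides must agree on padding and hash.
    pss = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                      salt_length=padding.PSS.MAX_LENGTH)
    return pss, hashes.SHA256()


def server_sign_response(private_key, body: bytes) -> bytes:
    """Wrap the response body in a constructed <envelope> that carries a
    base64 signature over the exact body bytes."""
    pss, digest = _signature_params()
    signature = private_key.sign(body, pss, digest)
    return (b'<envelope><body>' + base64.b64encode(body) +
            b'</body><signature>' + base64.b64encode(signature) +
            b'</signature></envelope>')


def client_verify_response(public_pem: bytes, envelope: bytes):
    """App side: return the body bytes if the signature checks out, else None.
    Only the public key is on the device, so a device compromise yields
    nothing that lets an attacker forge server responses."""
    public_key = serialization.load_pem_public_key(public_pem)
    root = ET.fromstring(envelope)
    body = base64.b64decode(root.findtext('body'))
    signature = base64.b64decode(root.findtext('signature'))
    pss, digest = _signature_params()
    try:
        public_key.verify(signature, body, pss, digest)
    except InvalidSignature:
        return None
    return body


def tamper_with_body(envelope: bytes) -> bytes:
    """Simulate an on-path attacker who rewrites the balance but cannot
    produce a new signature because the private key stays on the server."""
    root = ET.fromstring(envelope)
    body = base64.b64decode(root.findtext('body'))
    forged = body.replace(b'100.00', b'999999.00')
    root.find('body').text = base64.b64encode(forged).decode()
    return ET.tostring(root)


if __name__ == '__main__':
    priv, pub = generate_server_keypair()
    env = server_sign_response(priv, SAMPLE_BODY)
    print('genuine  :', client_verify_response(pub, env))
    print('tampered :', client_verify_response(pub, tamper_with_body(env)))
```

Two caveats a practitioner would add: a signature on its own does not stop an attacker from replaying an older, genuinely signed response, so the signed body should carry a nonce or timestamp the app checks; and, as the comment thread says, this protects the app from forged server data, it does nothing to protect the server from a client that is not the app at all.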
A: 

You can secure your services with normal HTTP Auth and SSL if you're not using the web service payload to implement authentication. Are you the server-side programmer too?

Robin
A: 

It doesn't matter what you "put on" the WCF service if your WCF service is insecure. You must assume that an attacker can access your web service without the iPhone client. Is your web service vulnerable to SQL injection? Are you exposing nasty functionality that could allow an attacker to read files on your server or to change another user's account? Keep OWASP Injection flaws in mind. Use HTTPS to keep your clients safe from spilling information. The rest should be making sure the functionality you expose is safe.

An attacker will be able to find any secret key or password you try to store in your iPhone binary or in memory. The attacker has more control over the iPhone than you do; he can jailbreak the device and then there is no place to hide.

Rook
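As an added example that is not from the answer above or from the asker's project: the two server-side failures this answer names, SQL injection and a handler that lets a caller touch another user's account, shown against an in-memory SQLite table with a vulnerable handler beside its fixed form. The schema, the users and the injection payload are constructed for the demo (plain-text passwords are used only to keep it short; a real service stores hashes), and the point is that every check runs on the server, because the request may not come from the app at all.

```python
import sqlite3


def build_db():
    """Constructed sample data standing in for the service's user table."""
    conn = sqlite3.connect(':memory:')
    conn.executescript("""
        CREATE TABLE users(
            id INTEGER PRIMARY KEY, username TEXT, password TEXT, email TEXT);
        INSERT INTO users(username, password, email) VALUES
            ('alice', 'alice-secret', 'alice@example.com'),
            ('bob',   'bob-secret',   'bob@example.com');
    """)
    return conn


def login_vulnerable(conn, username, password):
    """The handler Rook warns about: request fields spliced into the SQL text.
    A username of  alice' --  comments out the password check entirely."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the input is data, never SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def get_email_unauthorized(conn, account_id):
    """Exposes 'read any account by id' to whoever can reach the endpoint,
    the iPhone client or otherwise."""
    row = conn.execute("SELECT email FROM users WHERE id = ?",
                       (account_id,)).fetchone()
    return row[0] if row else None


def get_email_authorized(conn, caller, account_id):
    """Ownership is enforced in the query itself, using the identity the
    server established at login rather than anything the client claims."""
    row = conn.execute(
        "SELECT email FROM users WHERE id = ? AND username = ?",
        (account_id, caller)).fetchone()
    return row[0] if row else None


if __name__ == '__main__':
    db = build_db()
    payload = "alice' --"          # constructed injection payload
    print('vulnerable login :', login_vulnerable(db, payload, 'wrong'))
    print('safe login       :', login_safe(db, payload, 'wrong'))
    print('bob reads id 1   :', get_email_unauthorized(db, 1))
    print('bob reads id 1 (authz):', get_email_authorized(db, 'bob', 1))
```

Run it and the vulnerable login returns `alice` for a wrong password while the parameterized one returns nothing; likewise the unauthorized lookup hands bob alice's address while the ownership-checked one does not. Neither fix involves the client, which is the answer's point.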