React native SSL certificate - ssl

I want to secure an API used by a React Native app.
If the authorisation header is sent, the user can read the request and access the data, so to avoid this I want to use an SSL certificate for the client and the server.
Now, if I place the certificate in the assets folder it will be accessible to any user who downloads the APK.
Is it possible for the user to get the client-side certificate from assets? If yes, how can it be avoided?

Related

How to deal with certificate files when making API calls from Flutter App?

I have a Flutter application that makes HTTP requests to an API I've hosted on my server.
My API is behind a secure connection (with an SSL certificate) and I want my app to make HTTPS requests so the connection is secure.
I've read in this answer https://stackoverflow.com/a/52359591/8199897 that I can provide the key and certificate using SecurityContext.
My questions are:
- Are the certificate and key files we refer to inside SecurityContext the same ones we got when we created the SSL certificate on the server?
- And what if the certificate files expire and we have to renew them on the server? How do we use the new files? Should we push an update to the app on the store?

Device authentication using self signed certificate

I am looking for device authentication where:
1. I want to make sure that all calls to my web service/website (hosted on Google App Engine) come from an authorized device only, using a device certificate.
2. Each device will have a unique certificate that cannot be transferred to other devices.
3. A device certificate can be revoked at any time.
To achieve the above, I am planning to have another service which would issue certificates to devices that are approved to use my service. I will issue the certificate via email to the user, who will install it manually. My users will use a browser to access my service.
But I am not sure how I would achieve points 2 and 3.
Can you please guide me as to how to achieve this using a self-signed certificate?
I want to make sure that all calls to my web service/website (hosted on Google App Engine) come from an authorized device only, using a device certificate.
You can use an SSL channel with client authentication, or add a digital signature to your messages.
Each device will have a unique certificate that cannot be transferred to other devices.
It is not possible to ensure this using software certificates. If you distribute them by email, the user could install them on several devices.
You could use a hardware token (NFC/Bluetooth) or pre-install the certificate in the Android/iOS KeyChain so it would not be extractable, but this complicates the distribution very much.
A device certificate can be revoked at any time.
Check revocation on the server side before accepting a request from a client. There are standard protocols to do this (OCSP, CRL), or use a custom mechanism, since you issue them yourself.

Fetch API call fails in react native android for self signed certificate

We've used the JavaScript fetch API to connect to a server which has a self-signed certificate, not issued by a trusted CA.
The scenario is that the user gets an option to enter a custom server URL that will change from customer (enterprise) to customer, as we've configured different servers for different customers in their infrastructure for our B2B Android app.
I did a lot of research but didn't find a way in React Native Android to trust them programmatically, either in JavaScript or in a native module.

Installed SSL certificate but still exposed to man in the middle attack

I have installed an SSL certificate (Comodo PositiveSSL) for my domain and forced NGINX to only use HTTPS.
I ran the test on the SSL analyzer
https://sslanalyzer.comodoca.com/?url=domain.com
Validation Type: Domain Validated (DV)
Trusted by Microsoft? Yes
Trusted by Mozilla? Yes
We have our mobile app for Android and iOS getting some data from our https://example.com/api web services.
So I have installed the Packet Capture mobile app on my Android to verify whether the data transferred between the web service API and our mobile app is secured.
First I tried enabling the following in the Packet Capture mobile app:
I have contacted Comodo SSL support, and they said that the certificate is installed well and it's working fine. There is nothing wrong with the certificate and installation process, and the website https://example.com/ is also completely secured with a green padlock on it.
I ran the same test on the Instagram app: when I open Instagram, it shows a network error. It seems Instagram somehow discovers that I am trying to capture network packets, so their app's networking is disabled.
I want to do the same as Instagram does.
Please advise.
Don't worry: if your certificate is valid and contains the right domain name, then you've already done everything needed.
A "man in the middle attack" is an attack done on the client.
The client thinks the attacker is the website, because its DNS has been compromised.
Then the attacker relays traffic in and out from/to the real server.
The server is secure, but not the client.
As RamKumar said, the client needs to trust the attacker's certificate, like you did.
EDIT:
You can also use TLS with mutual authentication (mTLS).
With this protocol the client AND the server exchange certificate public keys.
It works as follows:
1. A client requests access to a protected resource.
2. The server presents its certificate to the client.
3. The client verifies the server's certificate.
4. If successful, the client sends its certificate to the server.
5. The server verifies the client's credentials.
6. If successful, the server grants access to the protected resource requested by the client.
Some sample:
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/october/mutual-authentication-in-android-and-ios/
With this protocol the man-in-the-middle attack is still possible, but the attacker's certificates need to be trusted by both client and server.
Another custom approach would be to add another layer of encryption using an asymmetric cipher.
To remove that possibility you can use certificate pinning to make sure that only the specific certificate you use can be used, preventing the device from accepting any other certificate, even if it was signed by a trusted CA. This may still be circumvented by a user, but now he has to modify the application itself in order to disable the check or change the pinned certificate.
Have a look at how a Certificate Authority (CA) works. In your case, what happens is that the Packet Capture mobile app installs its own CA. Now Packet Capture becomes a trusted CA for your device, and certificates signed by it are accepted. Then this app creates its own certificate saying example.com and signs it.
So when it performs the man-in-the-middle attack, the client (your app) communicates with Packet Capture and not example.com, but your app believes it's communicating with example.com, since the certificate provided by Packet Capture is signed by a trusted CA (the Packet Capture CA itself).
Hence this works only when you install their CA. However, a secured connection is made between Packet Capture and example.com.

should the push server support https for apns?

A stupid question, as I have a bad head for HTTPS and SSL.
The question is simple. As I've read in the Apple APNS guide, an SSL certificate is required. Should this certificate be linked only with my App ID, or should it somehow represent my server to the web?
In other words: is it possible to set up the push server over HTTP, or should it be HTTPS only?
The SSL certificate is needed to verify/identify the sender and the app the push will be sent to.
From the article Certificate-Based Provider-to-APNs Trust:
A certificate-based provider connection is valid for delivery to one specific app, identified by the topic (the app bundle ID) specified in the provider certificate (which you must have previously created, as explained in "Generate a universal APNs client SSL certificate" in Xcode Help).
To answer your question:
Should this certificate be linked only with my App ID, or should it somehow represent my server to the web?
It has to be linked with your App ID. And it is used to set up a secure connection between your server (the push-notification provider) and the Apple Push Notification server (for sending requests from your server to APNS).