I'm integrating Roku into our multi platform app with paid subscriptions model so webhooks/push notifications are crucial for business to know when subscription being renewed, cancelled etc. I came across Roku Push Notifications documentation which seems to have big security concerns or I'm missing the point:
Roku sends data down to our push notification url without any validation (e.g. like Stripe signature check does). So how do I know the data came from Roku and I can trust it?
They require to respond with our private API KEY(!) in the header... Does it mean that we can potentially expose it to anyone who found what the url is?
Not really a security concern but more of a business safety issue that they can stop sending push notifications without any notice if the endpoint fails consecutively which could lead to big problems again.
I would appreciate any advice on how to use Roku push notifications securely and if my concerns are valid at all.
Related
We want to write an react native app that:
-gets data over bluetooth from devices
-the app should send the data to our api
-it's important that the data is not tempered with or changed in any way
-the app is the only one that can send data to our api
I already read a lot about:
iOS - Keychain Services and
Android - Keystore
on the React Native docs: https://reactnative.dev/docs/security
And SafeNet(Android) or DevieCheck(IOS) (never mentioned on react native docs or articles I read)
What security layers should we use for our use case to make the api most secure and how can I implement them in react native?
We want to use the data from the api to verify the correctness of the same data passed to a smart contract that compares and evaluates them.
YOUR PROBLEM
We want to use the data from the api to verify the correctness of the same data passed to a smart contract that compares and evaluates them.
I congratulate you by having taken the time to understand that the API sitting in front of a blockchain needs to be protected against abuse in order to prevent the blockchain from ingesting unwanted data.
Defending an API it's not an easy task, but if you read carefully all I am about to say I hope that by the end you will have a new perspective on API and Mobile security, that will allow you to devise and architect a robust and secure solution.
WHO IS IN THE REQUEST VERSUS WHAT IS MAKING THE REQUEST
-the app is the only one that can send data to our api
This is a very hard problem to solve, but not an impossible one. To understand why you need to first know the difference between who is in the request and what is making it, otherwise any security you add may not be protecting your API as expected.
The Difference Between WHO and WHAT is Accessing the API Server
I wrote a series of articles around API and Mobile security, and in the article Why Does Your Mobile App Need An Api Key? you can read in detail the difference between who and what is accessing your API server, but I will extract here the main takes from it:
The what is the thing making the request to the API server. Is it really a genuine instance of your mobile app, or is it a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?
The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAUTH2 flows.
So, think about the who as the user your API server will be able to Authenticate and Authorize access to the data, and think about the what as the software making that request in behalf of the user.
DATA INTEGRITY
-gets data over bluetooth from devices
-the app should send the data to our api
-it's important that the data is not tempered with or changed in any way
This is also very hard to solve. During the process of collecting the data and sending it to the API the data can be tampered with in several ways.
Manipulate Data with an Instrumentation Framework
-gets data over bluetooth from devices
While the data is being collected form the devices an instrumentation framework can be used to manipulate the data before sending it to the API. A popular instrumentation framework is Frida:
Inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.
So, the attacker would inject a script to listen at runtime to the method that collects the data or to the one that sends the data to the API and then tamper with the data its being sent.
the app should send the data to our api
Manipulating Data with a MitM Attack
Another alternative is for the attacker to also use Frida to perform a MitM attack to allow a tool like mitmproxy to intercept and modify the request. You can learn how to perform a MitM attack with Frida by reading my article How to Bypass Certificate Pinning with Frida on an Android App:
Today I will show how to use the Frida instrumentation framework to hook into the mobile app at runtime and instrument the code in order to perform a successful MitM attack even when the mobile app has implemented certificate pinning.
Bypassing certificate pinning is not too hard, just a little laborious, and allows an attacker to understand in detail how a mobile app communicates with its API, and then use that same knowledge to automate attacks or build other services around it.
The injection of Frida scripts at runtime allows for almost unlimited possibilities in how to tamper with your data integrity or whatever the mobile app is doing at runtime.
POSSIBLE SOLUTIONS
Secure Storage
I already read a lot about:
iOS - Keychain Services and
Android - Keystore
on the React Native docs: https://reactnative.dev/docs/security
Using this mechanism is recommended, but you need to be aware that anything that is stored in secure storage will need to be accessed and used by the mobile app at some point, and this is when the attacker can use an instrumentation framework to hook at runtime into the mobile app code. For example, when retrieving a securely stored secret the attacker can extract it to use outside of the mobile app to automate API requests as if they were from the mobile app.
So, use it to make it harder for less skilled attackers to tamper with your mobile app, but always remember that more skilled attackers may find their way around it.
Protecting Data Integrity in the Mobile App
-it's important that the data is not tempered with or changed in any way
To protecting data from being tampered with before it arrives to the API server it's necessary that you employ some solutions, like RASP:
Runtime application self-protection (RASP) is a security technology that uses runtime instrumentation to detect and block computer attacks by taking advantage of information from inside the running software.
RASP technology is said to improve the security of software by monitoring its inputs, and blocking those that could allow attacks, while protecting the runtime environment from unwanted changes and tampering.
The issue of using only RASP is that the API server doesn't have visibility for the ongoing attacks on the mobile app, therefore not able to refuse requests from a mobile app under attack. Also, RASP can be bypassed by skilled attackers with the use of instrumentations frameworks, and the API server will not be aware of this happening, therefore will continue to serve requests, because it doesn't have a mechanism to know that what is making the request is indeed a genuine and un-tampered version of your mobile app.
Defending the API Server
I recommend you to read this answer I gave to the question How to secure an API REST for mobile app?, especially the sections Hardening and Shielding the Mobile App, Securing the API Server and A Possible Better Solution.
One of the solutions proposed is to use a Mobile App Attestation solution that runs outside the mobile device, for example on the cloud, therefore doesn't make client side decisions about the state of the mobile app and device is running on, instead they are done in the cloud service and transmitted to the API server as signed JWT token, that the API server can then used to verify that what is making the request is indeed the genuine and un-tampered version of the official mobile app.
Android Safetynet and iOS Devicecheck
And SafeNet(Android) or DevieCheck(IOS) (never mentioned on react native docs or articles I read)
Using the Android SafetyNet and iOS DeviceCheck runtime protections is for sure a good starting point, but you need to be aware of their scope, limitations and complexity. They can be complemented with a robust Mobile App Attestation solution to give you an higher level of security and confidence that your API server will be able to know when the request is not from what it expects, a genuine and un-tampered version of your mobile app.
Security Layers
What security layers should we use for our use case to make the api most secure and how can I implement them in react native?
I would not be approaching here how to implement it in React, because that is a huge topic and the exact code will depend on your current implementation, but I will summarize here the key points.
Security is always about adding as many layers as you can afford and are required by law, standards and business requirements. To summarize you should consider the following topics:
Don't hardcode secrets in your mobile app code, but if you really want to do it, at least use Native C code.
Obfuscate your mobile app code, because this will make it harder to reverse engineer the mobile app code in order to use instrumentations frameworks.
Use runtime protections in your mobile app code and give preference to the ones that don't make decisions on the client side and allow for the API server to verify that the request is indeed from what it expects, a genuine and un-tampered version of your mobile app, like describe in the Mobile App Attestation I mentioned previously.
Use certificate pinning to the public key to prevent MitM attacks, but wit h the awareness that it can be bypassed. I recommend you to read the section Preventing MitM Attacks in this answer I gave to another question where you will learn how to implement static certificate pinning. If you can, try to use instead dynamic certificate pinning to allow to remotely update the pins used by your mobile app.
In your API server you can use rate limiting but do not give back in the headers the info about the rate limit available, because that is like putting the key to your front door under the mat.
You can use Artificial Intelligence solutions, but be aware that they work in a negative identification model and are prone to false negatives and positives. If using a mobile app runtime protection that lets the API server know when is under attack then the use of AI solutions can be postponed until the API server needs to use other type of clients, like web apps.
This is not an exclusive list of topics you can consider to use in order to secure your mobile app and API server, but are the ones I think that more important for you to focus on.
DO YOU WANT TO GO THE EXTRA MILE?
In any response to a security question I always like to reference the excellent work from the OWASP foundation.
For APIS
OWASP API Security Top 10
The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.
For Mobile Apps
OWASP Mobile Security Project - Top 10 risks
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.
OWASP - Mobile Security Testing Guide:
The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.
I am building the backend for our company's mobile app and we need to send notifications to users from API based on some events. I need some advice on how I can implement this. I am looking for a platform where I can send notifications for both IOS and Android. I recently came across Firebase and got some info that the mobile-app will send a device token to the server, then we will handle the push notification using this token. My assumption here is, I need to save this device token for all the users in a database and send the notification as necessary. Is this the best approach or are there any other good approaches for this? I am pretty sure there will a lot of solutions where I do not have to handle this myself (in database)
I was also looking into Azure Notification Hub for this, but the cons I felt here is that my UI guy (outsourced) is developing the application in React Native and I have not seen any good examples of React Native using Azure Notification Hub.
I am expecting around 1000 users for my application and I am developing my backend in ASP.NET WebAPI. Mostly I will have 2 types of notification
Push notification to specific user.
Push Notification regarding new installations to all the users
Well, according to my experience the best way and the easiest way is using firebase. You will have a lots of option there. In fact according to their comment, whether you're a beginner, intermediate or advanced React Native developer you can be up and running with React Native Firebase in no time.
https://www.npmjs.com/package/react-native-firebase
For more information and adding a project:
https://rnfirebase.io
Firebase getting start:
https://github.com/invertase/react-native-firebase-starter
How does it work?
Firebase Cloud Messaging architecture diagram
An FCM implementation includes two main components for sending and receiving:
A trusted environment such as Cloud Functions for Firebase or an app server on which to build, target, and send messages.
An iOS, Android, or web (JavaScript) client app that receives messages.
You can send messages via the Admin SDK or the HTTP and XMPP APIs. For testing or for sending marketing or engagement messages with powerful built-in targeting and analytics, you can also use the Notifications composer.
last comment copy-right: https://firebase.google.com/docs/cloud-messaging/
I have few things to be clarified in BlackBerry push client applications. I have developed an push-enabled application which can receive push messages from the sample push initiator application installed on a publicly accessible location (through BIS). I have now run into a question about sending personalized messages to each device. For that matter I need to use subscription API that comes with BlackBerry push SDK. This question is similar to what has been posted here, but it contains no information for me. My questions are,
I used the registration API for BlackBerry client app registration to receive push messages from PPG. It requires only app-ID, device-port and push URL(not push initiator URL). Client app registers itself when the application UI starts up(this is how I register with push API). Is this all I need to do to get a subscription for that client with push initiator or does client need to contact push initiator directly for a subscription?
Why do I need to provide subscribe/unsubscribe URLs in the push initiator application (I don't provide any unsubscribe/subscribe facility in the client push application ) or is there a way to achieve this through application manager/operating system? or do I need to get unsubscribed users from the PushResult object and process them?
How does push initiator come to know about clients initially when there is no mechanism for the push client to subscribe with push initiator?
Is there a blog post or tutorial describing each and every step involved in the entire communication process apart from the documentation materials provided by RIM?
Currently I am using Push Essentials but might migrate to Push Plus service later(in the distance future).
Kindly appreciate your quick response.
Ok, so there are 2 things to keep in mind:
1) The BlackBerry Infrastructure (Push Proxy Gateway or PPG) needs to have your device listed as subscribed for your specific application ID in order for pushes to be delivered to your device. Subscribing from the device registers it with the PPG and tells the PPG "I would like to allow pushes from this App ID to be delivered to me". If your device is not subscribed to the PPG then your pushes from the initiator will be sent, accepted by the PPG but never allowed to be delivered to the target device.
2) Even if the device is registered with the PPG, how does your server sending the pushes keep track of what devices are registered? This is done by registering with the Push Initiator. The client sample application included with the Push SDK has a mechanism to show how this can be done. As well the server sample is set to receive these requests and add the client to the database so that it can be included for future pushes.
With all that in mind what happens if:
1) The user un-installs the application
2) The user switches devices
In the above cases there needs to be a mechanism to de-register the device from receiving pushes both from the PPG and from your server Push Initiator. Again the client sample application shows how this can be done.
I'm working on a Windows Phone 7 application, and to go with it I will need a web service to send out live tile push notifications. I will save the clients URI channel in a database and every hour or so I will send out the correct live tile to all the subscribed clients. I will not be sending out any sensitive data to the clients, nor do the clients send any data to the service save for their channel URI, and I've made sure to protect the database against any sql-injections.
The exposed methods are for registering and unregistering a client, as well as sending the correct live tile to a client that requests it.
Given this information, does anyone have any recommendations on how I should secure the service, or is security even needed to begin with in this case?
Thanks!
EDIT:
Thanks for the answers! My peers decided to not use any security at all though, other than purging faulty requests from the database, since the scope of the application is quite limited and no sensitive data is being transmitted. Let's hope it won't bite us in our behinds later on, eh!
Unfortunately the best solution to this problem (at the moment) is to generate a hash in your app and use that to verify the data is really coming from your app. Obviously you'll need to obfuscate tyour code if doing this.
This is the best you can do without any authentication against the backend.
If you can, have the users register and authenticate with the backend and then tie this authentication token to the ANID of the device and do everything over SSL.
Unfortunately, currenlty, security of services and prevention of spoffed requests is quite tricky with WP7 without requiring a login to the backend.
Make sure you secure your channel to your backend service with SSL. This way the data you send to the server such as a the ChannelUri will be secure.
Building a hash into your application isnt security. People could get your XAP and decompile it to get the hash.
IMHO you are better to ensure your ChannelUri (unique to your app and not "stored" in your XAP anywhere) is secured when you send it.
On the backend just make sure you purge records that fail when you try and send it a tile notification. This will get rid of any records entered by non-phone parties.
Bottom line is that you need a login infrastructure with your backend to properly ensure only valid users are using your service.
i want to know that when we want to use push notification service.From where we send json payload, from our app or it may be generated on server? if it has to be sent from our app then how do we send json payload+device token to our own web server?
It can't be sent from your app. First off that would make no sense, if your app is running why would you have it send a push notification to itself.
Second, in order to communicate with the APNS servers you need a per app cert file to sign requests. You cannot distribute it without compromising the security of your applications push service.
Louis is absolutely right that you can't send messages from your phone, and his reasons are spot on. You'll definitely need to communicate to your own server, which will then send things on to Apple.
To send messages to your own server, look at ASIHTTPRequest - it's a fantastic package that makes it really easy to send HTTP requests.
On your server, you'll need to keep open a persistent connection to Apple's push service from your own servers and translate the JSON from the phone into a message to deliver to Apple.
There are at least two services out there that take care of the heavy lifting for you:
Urban Airship (full disclaimer, I work at Urban Airship)
iLime
You might want to look at one of these services to help you implement this. Again, I work at one, so take this with a huge grain of salt.
If you want to see some examples of how to use ASIHTTPRequest to send a device token to a server, you can look at our push sample application on bitbucket.