ASP.NET Web Service API Security
I have an iPhone application using ASP.NET web service for data. Since I am building both an ASP.NET end and a part of an iPhone application and we will publish it to the Appstore shortly, I would like to know what security checks I need to do.
The main flow of the program (without divulging too much information about it) looks like this:
- Login (enter username, go to app)
- Primary screen where data is loaded from the web service and presented
- Send data after multiple updates by the user
I am using POST to post data to a Webservice over HTTPS. I'm processing the input by checking the length of the input, but that's the limit of my knowledge regarding security. Any other advice is appreciated!
Edit: I should probably add that our service needs to be signed separately and the iPhone component cannot be used alone. Thus, the normal user does not have login credentials. And the app itself has health data, so I'd rather not try to attack from my login page.
Thank you,
Thea.
There are a few things you need to learn. You control both the client and the server side, so you need to accept a number of mitigations. It sounds like you are taking the right approach, but you need to focus on the risks / threats and map them against them.
Examples:
- Authentication is performed using a username and password. What could go wrong here? The main threats are the interception of credentials on the wire or the loss of a device (or access to it). They will expose the credentials to the attacker. If you are using SSL to encrypt wire traffic then it makes it difficult to sniff data on the network. But if you store credentials on the device, SSL does not protect you here. What you might consider is OAuth (delegated authentication), or keeping hashed versions of credentials with some kind of expiration. It is recommended to use the OAuth route and avoid entering and storing credentials in your application. Instead, the device stores a "key" that is independent of the username and password. They can then log into the web app and revoke the app. Storing expiring hashed credentials is not as secure, but may be easier to implement in the short term because OAuth requires changes on the server and clients.
- Devices like iPhones can offer a layer of cryptography and protection against local attacks, but you should consider encrypting the data that is stored in your application. You should also keep the data to a minimum. This can be an implementation challenge, but you need to manage the tradeoffs with your users and management.
There are several resources out there that you can read. Material for Android or other mobile platforms can also be useful to read.
Securing ASP.NET Web Services
Microsoft has published some guidance (and related WCF security) in this area, but the main focus tends to be on the web services aspect. You need to consider a more comprehensive approach to security. Since the application is an ASP.NET application like any other, you should look at the ASP.NET security shared resources such as Starting ASP.NET Security and P&P Security Rules: ASP.NET. You can also do more search on StackOverflow.
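The answer's suggestion of a device "key" that is independent of the username and password, with expiration and the ability to revoke a device, as an added example in C# (not code from the thread or from any Microsoft guidance). It assumes modern .NET (System.Security.Cryptography) and uses an in-memory dictionary as a stand-in for a real database table; the password check that precedes IssueKey is the application's existing login code and is not shown.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Issues one opaque key per device after a successful login. Only the key
// itself is kept on the phone; the server stores a SHA-256 hash of it with an
// expiry, so a leaked table does not yield usable keys, and the user can revoke
// a lost device without changing their password.
public sealed class DeviceKeyService
{
    private sealed record KeyRecord(string Username, string DeviceId, DateTime ExpiresUtc);

    // Key: hex SHA-256 of the raw key handed to the device (assumption: stands in for a DB table).
    private readonly Dictionary<string, KeyRecord> _store = new();
    private readonly TimeSpan _lifetime;

    public DeviceKeyService(TimeSpan lifetime) => _lifetime = lifetime;

    // Call once, after username/password have been verified. Returns the raw key for the device.
    public string IssueKey(string username, string deviceId)
    {
        byte[] raw = RandomNumberGenerator.GetBytes(32);   // 256 bits of CSPRNG entropy
        string key = Convert.ToBase64String(raw);
        _store[Hash(key)] = new KeyRecord(username, deviceId, DateTime.UtcNow + _lifetime);
        return key;                                        // never stored in clear on the server
    }

    // Call on every web-service request. Returns the username, or null if the key is unknown/expired.
    public string? Validate(string presentedKey)
    {
        string h = Hash(presentedKey);
        if (!_store.TryGetValue(h, out KeyRecord? rec)) return null;
        if (rec.ExpiresUtc <= DateTime.UtcNow) { _store.Remove(h); return null; }  // expired: purge
        return rec.Username;
    }

    // Revoke a lost or retired device: drop every key issued to it. Returns how many were removed.
    public int RevokeDevice(string username, string deviceId)
    {
        var doomed = new List<string>();
        foreach (var kv in _store)
            if (kv.Value.Username == username && kv.Value.DeviceId == deviceId) doomed.Add(kv.Key);
        foreach (string h in doomed) _store.Remove(h);
        return doomed.Count;
    }

    private static string Hash(string key) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(key)));
}
```

The device sends the key in an HTTP header over the existing HTTPS channel; if the server-side password check is ever replaced by a real OAuth flow, only IssueKey needs to change.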