I have installed Ejabberd in our AWS Server
We are developing an iOS messenger app and we don't want other clients to access our messaging server other than our iOS app.
All the ejabberd services should be accessible only by our iOS app,
To register
To login
To send message and use any other service.
What are all the configurations and settings should I have to do to secure our server?
There is no 100% way to disable other clients from mimicking your own client. You may use different protocol, or one more layer of encryption or special marks that allow your server use to make sure that client is yours. But if someone will have desire to write his own client, he'll use your own client to understand what should be sent on the wire.
XMPP is build on the top of TCP so there is no good way of restricting access to the server socket. If you want to be compliant with XMPP you need to use encryption, otherwise use your own custom protocol (like Skype).
Related
I want to put some temperature data to thingsboard cloud platform via coap. However, the example code only support "coaps://...." format. Once I put "coap://coap.thingsboard.cloud/api/v1/$ACCESS_TOKEN/telemetry" format, it gives me "incorrect protocol in server uri". What is the difference between coaps and coap? Is it related with the website address? How to use coaps to connect device to thingsboard?
"coap:" is coap send plain / unencrypted directly over UDP
"coaps:" is coap send encrypted using DTLS over UDP
If you use "coaps:" your device must support DTLS and in the most cases you need valid credentials (PSK, RawPublicKey, or x509) in order to connect. In some cases, the client is anonymous on the dtls level, and authenticates itself then on the coap layer (custom token or similar).
it's pretty much the same as "http:" and "https:", even the anyonymous client and the authentication on http level.
I am trying to implement an HTTP server inside an iOS app. I could see similar apps in the app store. But in my case, embedded HTTP server has to communicate with external HTTPS Server. So now,
is the communication secured? Or do I need to implement HTTPS server, instead?
Is it possible to implement an HTTPS server in iOS app?
Will Apple reject this approach?
Thanks in Advance
I'm assuming that you use the internal HTTP server to provide interceped content for a WKWebView. I this case you web view connects to the HTTP server over HTTP and this connection is insecure. But generally this shouldn't be an issue because nobody can intercept the connection. You HTTP server connects to the internet over HTTPS, and this should be done because this connection could be compromised.
Don't be confused about the different protocols. If you call a HTTPS-URL NSURLSession will use HTTPS and use a secured connection. There is no pitfall or issue. You needn't to support HTTPS for the web view to server connection. This will give you not more notable security.
I use a similar setup in my application and it works perfectly.
BTW: In iOS 11 you may use WKURLSchemeHandler to intercept web view requests. This should be much easier than a local HTTP server. The disadvantage is, that you have to define a custom protocol (e.g. xhttp instead of http), and rewrite the URLs in the web content. But this should be much easier to achieve than a local HTTP server.
I am working on some app which as API call. while i add proxy in mobile and see response in web debugging tools. I can see my api call parameters and response too.
while in others app I cant see this things and it is secured.
how can i acheive this?
Pictures said your API is using non-secure HTTP protocol while others app using HTTPS. The Web API should be performed via HTTPS protocol. HTTPS using SSL/TLS as secure transport layer, it means all data are encrypted before they're online. So, we don't care about any kinds of proxy
I want to create a iOS app, and I am starting to design a api using node.js+mongodb+express. I know people can use charles to set up a proxy and when user open the app in the iphone device, they can see the api requests in charles app. So people can use this api to do some harm to the app services or what. I want to secure my api. I won't open my api to others. So, I don't need oauth. What else I can do to secure my api? And if any tutorial is provided, that will be good.
Do it with https, just make sure your app stops working if the certificate is invalid.
Alternative:
Crypt/decrypt your http(s)-body before sending/after receiving with a global password (not recommended) or a public key on your phone and a private key on your application.
If someone gets that pw or public key, they can still manipulate the API.
What you want to do is use https with additional security.
First: In the app "pin" the server certificate, that is validate the server certificate in the app, this is quite common these days. AFNetworking supports this.
Second: Add a certificate to the app and verify it on the server. Now the server knows it is communication with your app.
Now both the server and app have assurance they are communication with authenticated end points.
I'm working on an ios application without authentication. Now I would like to protect my server API from calls other then my ios application. A possible solution would be to have the application generate a unique key (based on the appname and the signing), which is not stored on the device since this is the main problem. I could think off an application logic that does some protection combined with some file encryption but the problem is that somewhere something is stored (ex public key can be stored in keychain but still not safe for my API-hackers).
Anyone any tips/advice on how I can handle this ?
thanks in advance
In short, there is no 100% secure way to make sure that the request comes from your application, if the key is available to the iPhone, it's available to extract from the iPhone.
You can make it reasonably safe by calculating a key runtime from info in the application as you say and communicate it over SSL, but a determined attacker can always reverse engineer the key generation too.
What you want to do is employ mutually-authenticated SSL, so that your server will only accept incoming connections from your app and your app will only communicate with your server.
Here's the high-level approach. Create a self-signed server SSL certificate and deploy on your web server. You can use freely available tools for this, like keytool, and I think (but don't know for sure) that Apple includes a tool for this with the iOS SDK. Then create a self-signed client and deploy that within your application in a custom keystore included in your application as a resource. Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. Configure the client to use that client-side certificate to identify itself and only accept the one server-side certificate you installed on your server for that part of it.
If someone/something other than your app attempts to connect to your server, the SSL connection will not be created, as the server will reject incoming SSL connections that do not present the client certificate that you have included in your app.