I'm building a web app that needs to be able to immediately receive messages from the server (kind of an instant message chat).
I noticed Facebook and GMail have messaging in a browser and do not require any browser plug-in for that.
What do they use?
I know websockets doesn't work when relying through a proxy?
Is there another good method?
Related
We need some async workers for some 1-2 min tasks and then provide the user feedback from this tasks.
The idea would be to use the rabbitmq mqtt websocket plugin and provide the user feedback when the calculations done directly in the browser.
For our "old" stack we have some api endpoints as a layer between the user (browser) and rabbitmq services which more or less act as fire and forget.
As mentioned, we now need to provide feedback where we thought it would be create to user websockets (rabbitmq mqtt plugin).
But we are wondering how do we secure the exposed websocket endpoint for each user? Currently its not a problem as we have an amqps clients with X.509.
Our new features need has public access so we can not auth the user beforehand.
Is there a way to directly and securly use the exposed endpoint or do we need a layer in between as we have now?
The RabbitMQ Web MQTT plugin supports TLS. You can then use a username / password to authenticate the user, or use client certificates.
If you need public access then there is no way to secure the endpoint. This applies to all MQTT brokers, not just RabbitMQ.
NOTE: the RabbitMQ team monitors the rabbitmq-users mailing list and only sometimes answers questions on StackOverflow.
If you use a plugable authentication source (sorry, not familiar with what RabbitMQ offers here) e.g. that stores user/password in a database. Then you can generate a short lived set of credentials for each session and the webpage can request these from the server via a REST API and then use these to authenticate the MQTT connection over WebSockets.
This means that credentials are only exposed as variables for a short time as temporary variables in the browser, which can be revoked easily as soon as the web session/actions are complete
If voiceprint verification happens locally in a mobile app, how would you let the server securely know that the user is verified? I thought about using an API key of sorts, maybe generating a random string and distributing that with the app. So when the user's voice is verified locally, it will tell the server. And because the request included the API key, the server will trust the request and respond with a login token.
That solution is not very convincing though. Is there a way to login using voiceprint when verification happens inside an app?
API SERVER CANNOT TRUST IN REQUESTS
And because the request included the API key, the server will trust the request and respond with a login token.
The API server cannot trust in any request they receive based only in an API key, because they are so easy to extract from a mobile app with reverse engineering tools we can find in the open source community.
In order to better understanding why we cannot blindly trust in requests arriving to the API server we need to understand 2 concepts, WHO and WHAT is communicating with the API server.
WHO AND WHAT IS ACCESSING THE API SERVER
The WHO is the user of the mobile app that you can authenticate,authorize and identify in several ways, like using OpenID, OAUTH2 flows or the VoicePrint.
But before you know the WHO you need a way to identify WHAT is calling your API server and here things become more tricky than most developers may think. The WHAT is the thing making the request to the API server, is it really your genuine mobile app or is a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?
Well to identify the WHAT developers tend to resort to an API key that usually they hard-code in the code of their mobile app and some go the extra mile and compute it at run-time in the mobile app, thus becomes a dynamic secret in opposition to the former approach that is a static secret embedded in the code.
REVERSE ENGINEERING A MOBILE APP BINARY IS EASY
I thought about using an API key of sorts, maybe generating a random string and distributing that with the app.
The truth is that anything running in the client side can be reverse engineered
easily by an attacker on a device he controls. He will use introspection frameworks like Frida or xPosed to intercept at runtime the running code of the mobile app or will use a proxy tool like MiTM Proxy for watching the communications between the mobile app and the API server. Normally their first step in reverse engineer a mobile app will be to use the Mobile Security Framework to reverse engineer the binary of you mobile app to extract all static secrets, aka the API key, and to identify other attack vectors.
If voiceprint verification happens locally in a mobile app, how would you let the server securely know that the user is verified?
So doing this verification in the client side opens the vector attack of using XPosed, Frida or even MobSF at runtime for tampering with the results of voice verification.
Remember that users in order to get free Wi-Fi can be tricked to install malware apps or custom ssl certificates, that will allow an attacker to introspect, intercept and modify the decisions being made on the device and manipulating the data being sent over the wire to the API server, by other words they are able to bypass the voiceprint recognition results.
Mobile Security Framework
Mobile Security Framework is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static analysis, dynamic analysis, malware analysis and web API testing.
Frida
Inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.
xPosed
Xposed is a framework for modules that can change the behavior of the system and apps without touching any APKs. That's great because it means that modules can work for different versions and even ROMs without any changes (as long as the original code was not changed too much). It's also easy to undo.
MiTM Proxy
An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.
A POSSIBLE SOLUTION
So anything that runs on the client side and that uses some secret to access an API server can be abused, and you can learn more on this series of articles about Mobile API Security Techniques. This articles will teach you how API Keys, User Access Tokens, HMAC and TLS Pinning can be used to protect the API and how they can be bypassed.
That solution is not very convincing though.
To solve the problem of WHAT is accessing your mobile app you need to use one or all the solutions mentioned in the series of articles about Mobile API Security Techniques that I mentioned above and accepted that they can only make unauthorized access to your API server harder to bypass but not impossible. This means that while harder is still possible to bypass the voiceprint recognition result.
Is there a way to login using voiceprint when verification happens inside an app?
As I already mentioned previously any decisions made on the device can be tampered with at run-time, thus having the mobile communicating with the API server to login the user based on that decision needs to take in account that it can be manipulated to bypass the voiceprint recognition.
Just to be clear the bypass can happen on the device itself by manipulating at runtime the returned result of the voiceprint verification to be always true or by intercepting the communication with the API server and change the result of the voiceprint recognition to be always true.
From your comments in the question:
It has to be made on the device. We avoid sending voice data to the server for the user's privacy. If someone can steal your password you can just change it. But you can't exactly do the same for your voice.
Now that you know that at runtime the voiceprint recognition can be tampered with, the malware doing it can also extract the results and send them back to the attacker, thus compromising is voice fingerprint, that as you correctly said the user cannot change.
Not convinced yet, please give it a read Biometrics could replace our passwords —
and there’s actually a big problem with that where you can read for example:
But a biometrics breach has even more serious implications. If someone gets ahold of your fingerprints, he can possibly steal your identity.
To help with communicating the voiceprint recognition results to the API server, a Mobile App Attestation solution can be employed. It will enable the API server to know is receiving only requests from a genuine mobile app that is not running in a root or jail broken device, attached to introspection frameworks or in debug mode.
Mobile App Attestation
Use a Mobile App Attestation solution to enable the API server to know WHAT is sending the requests, thus enabling it to only respond to requests from a genuine mobile app.
The role of a Mobile App Attestation service is to guarantee at run-time that your mobile app was not tampered or is not running in a rooted device by running a SDK in the background that will communicate with a service running in the cloud to attest the integrity of the mobile app and device is running on.
On successful attestation of the mobile app integrity a short time lived JWT token is issued and signed with a secret that only the API server and the Mobile App Attestation service in the cloud are aware. In the case of failure on the mobile app attestation the JWT token is signed with a secret that the API server does not know.
Now the App must sent with every API call the JWT token in the headers of the request. This will allow the API server to only serve requests when it can verify the signature and expiration time in the JWT token and refuse them when it fails the verification.
Once the secret used by the Mobile App Attestation service is not known by the mobile app, is not possible to reverse engineer it at run-time even when the App is tampered, running in a rooted device or communicating over a connection that is being the target of a Man in the Middle Attack.
the server will trust the request and respond with a login token.
So with this solution in place the API server can trust in the mobile app request saying that the voiceprint recognition is valid, thus it can issue a user authentication token to be used in subsequent communications with the API server.
The Mobile App Attestation service already exists as a SAAS solution at Approov(I work here) that provides SDKs for several platforms, including iOS, Android, React Native and others. The integration will also need a small check in the API server code to verify the JWT token issued by the cloud service. This check is necessary for the API server to be able to decide what requests to serve and what ones to deny.
I have an API set up on my server (node.js) which potential clients can send request to. One such client would like for me to set up a structure where they would pay only for the amount of their users who would connect to my API. They are creating a mobile application. Regardless mobile or web, I'm not sure how I would be able to track their individual users, to make sure it is their users who are sending requests to my server and not the client himself. The client can make one request and send to 1000 of their users instead of 1000 of the client's users directly connecting to my server.
The only feasible solution I can think of is creating a plugin which they would insert into their app and it would connect directly to our server, bypassing the client's server. Something like a Facebook Share/Like, Google +1 button. Creating the plugin would require to create the entire request and dynamic layout in each platform language, which is outside my scope at the moment.
Is there any way to have the end-users connect directly to my server through the client's app, bypassing the client in the middle, allowing me to know how many users will be connecting?
I'd like to create a simple CRUD application using web sockets, with a Java EE 7 Websocket Server, running on Glassfish 4, communicating with a single page website. My question is: how can I secure my application? In other words: how can I perform user Authentication and Authorization? Because there are a few messages that I would like the Server to reply to only after authentication and authorization of the requesting user. Last but not least: how can I provide a "remember me" function? Thank you.
A practical method is for the user to login via your Web page, setting a cookie from your Web app upon successful authentication, and check that cookie in your WebSocket server on the incoming WebSocket connection from the page.
This will require to have the Web page and the WebSocket served from the same origin (otherwise the browser won't send the cookie on the WebSocket connection).
Another possibility is to implement a custom authentication mechanism via messages on top of the WebSocket connection.
Another possibility is to use TLS and client-certificate based authentication.
Note that though WebSocket has a HTTP based initial opening handshake and you can in principle use any HTTP authentication mechanism, there are practical restrictions. E.g. with HTTP basic authentication, browsers will render login dialogs for plain HTML page requests, but not for so-called subresources, like requests for images .. and WebSocket (which also counts as a subresources).
Servicestack is awesome. I'm using it for my Xamarin projects (monotouch and monodroid).
Users login and authorised by ServiceStack. The session details are kept in memory i.e. userId, Ipaddress, etc.
But what would be the best way to add websocket functionality so I could push notifications to these users?
Or would it be better to just leave a regular websocket open on the client and have a small websocket server somehow read the session data (user Ipaddress) from ServiceStack in order to relay bespoke messages to client?
As an alternative to Web Sockets ServiceStack supports Server Sent Events for real-time event notifications. All the Chat Apps in the Live Demos utilizes Server Events for its real-time communication.
But it doesn't include any support for Web Sockets itself, although here's an example of using ServiceStack and SignalR in the same project.