I am developing a Java ME application that connects to a web server which has a VeriSign certificate installed.
Is there a way to implement an HTTPS connection to connect to this server? If Bouncy Castle is the way, is there any example?
You do not need to bother because:
"MIDP 2.0 adds a robust end-to-end security model, built on open standards, that protects the network, applications and mobile information devices. MIDP 2.0 supports HTTPS and leverages existing standards such as SSL and WTLS to enable the transmission of encrypted data."
From http://www.oracle.com/technetwork/java/whatsnew-138562.html#endtoend
Also, see this nice video on how SSL works: http://www.youtube.com/watch?v=SJJmoDZ3il8
A client of mine has a bunch of APIs in CloudHub that communicate with two APIs on premise in their runtime. The question I get asked, to which I don't really know the answer, is how to secure the communication between the APIs on CloudHub and on premise without using API Manager (since the client preferred not to pay for it)? I thought of a middleware (middleware inception) that hashes the messages from one end to another; is this a viable idea? What could the best answer be?
The server applications should implement some basic security best practices like authentication and encryption.
Having applications deployed in any cloud environment without security is a big security risk. I assume that there is a secure link between the CloudHub environment and their on premise environment, like a VPN, but even so this architecture would not probably pass a security audit.
They should implement authentication using HTTP Basic authentication or OAuth 2. These are the most common authentication schemas used for REST APIs. Note that credentials go in clear text so they should also implement encryption.
To encrypt the traffic the server applications should use TLS, i.e. HTTPS connections instead of plain HTTP.
Optionally you could also implement mutual TLS authentication, requiring the client to have a valid certificate that the HTTPS server validates.
Hashing messages could be an additional level of security, but that implies changing the applications' logic to implement some custom security. The effort should be better put into implementing standard security practices as mentioned. If after that you want to add it, feel free to do so.
You have not shared details of the technology of the on prem applications. Mule applications can implement both the client and server side of any of these methods. Read the documentation for details:
https://docs.mulesoft.com/http-connector/1.7/http-authentication
https://docs.mulesoft.com/mule-runtime/4.4/tls-configuration
https://help.mulesoft.com/s/article/Tutorial-how-to-create-a-simple-Mule-4-http-basic-authentication-application
I have created web connector compatible service and deployed it to cloud. For security, I am planning to do 2-way SSL that includes client authentication i.e. the web connector will provide the certificate and the service will authenticate the client i.e. the web connector. I am planning to host these certificates in a truststore which the web service will use. But, I couldn't find anything in the web connector documentation about how/where I can specify the path for client certificate/key or truststore on web connector side? How do I achieve this?
The Web Connector doesn't support what you're describing, so you won't be able to do this with the Web Connector.
The Web Connector does this for security:
- requires all connections to be over SSL/TLS (https) so that data in transit is encrypted
- authenticates with a username and a password
You can further secure this by following standard web app security things like:
- rate limiting how quickly people can auth
- blocking IPs or usernames that fail auth too many times
- configuring your web server to only use TLS v1.2 (no SSLv2, SSLv3, or old TLS)
- enforce secure passwords
- store the passwords on your end hashed
- etc.
I want to use secure websockets with socketio and nodejs so that more of my mobile traffic/corporate networks can utilise websockets.
What level of SSL certificate is required for most browsers to accept the certificate/server as trustworthy. Browsers don't have an interface for reviewing/allowing SSL connections for websockets as far as I know, so how do they handle a cert they don't trust? Do they just refuse the connection?
What minimum level is required from an example list: https://www.123-reg.co.uk/ssl-certificates/ and has anyone done any research into how browsers handle various levels of SSL in websocket connections?
Securing a websocket is no different to securing an HTTP connection. A TLS handshake process will happen first to establish a secure connection and then an HTTP connection will be established over this secure link. For a websocket the additional step of upgrading the HTTP session to a socket will be taken. What this means is that whatever works for HTTPS will work for WSS. This link has a useful diagram.
I'm not sure what the difference is between the "123 SSL" and "Domain SSL" levels in your link, if the lower cert is issued against your domain it may be fine. Generally you want "Domain Level Validation" or above - it is enough to secure traffic between clients and your server. As long as the root certificate is trusted (generally the company you are buying the certificate from), browsers will accept this with no message or warning. For WSS, APIs and communicating with mobile apps this will be fine. The top level certificate (Extended Validation or EV) has the added advantage of additional security indicators in the browser (usually the green address bar or lock), great for browser sites but not of much use for pure WSS or API clients.
I'm writing a mobile application to access an online database (I'm more interested in the high-level algorithm/protocol than the platform-specific implementation).
Since keeping the DB updated requires a lot of work I want to restrict the access to my sponsored application only (I don't want other apps to take advantage of my DB for free). To do this I need to authenticate the application itself, but how can I do it?
If I store some sort of credentials within the app somebody could try to disassemble the program, retrieve the data and write his own application bypassing mine (even if I encrypt the credentials I still need to store somewhere the decryption key...)
What you want to do is employ mutually-authenticated SSL, so that your server will only accept incoming connections from your app and your app will only communicate with your server.
Here's the high-level approach. Create a self-signed server SSL certificate and deploy on your web server. You can use the keytool included with the Android SDK (if you're using Android; there are similar tools out there for other platforms) for this purpose. Then create a self-signed client and deploy that within your application in a custom keystore included in your application as a resource (keytool will generate this as well). Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. Configure the client to use that client-side certificate to identify itself and only accept the one server-side certificate you installed on your server for that part of it.
If someone/something other than your app attempts to connect to your server, the SSL connection will not be created, as the server will reject incoming SSL connections that do not present the client certificate that you have included in your app.
A step-by-step for this is a much longer answer than is warranted here. I would suggest doing this in stages as there are resources on the web about how to deal with self-signed SSL certificate in Android, both server and client side. There is also a complete walk-through for Android applications in my book, Application Security for the Android Platform, published by O'Reilly.
Now...you are right in that someone with access to the mobile app could recover the private key associated with the client-side certificate. It would be in a BKS keystore that would be encrypted, but your app would need to supply a password to open that keystore. So, someone could reverse engineer your app (fairly easy on the Android platform), grab the password, grab the keystore, and decrypt it to recover the client-side private key. You can mitigate this somewhat by obfuscating the app to make reversing the keystore password more difficult, or asking the user to log in to the app and using that password to derive the password to the keystore, etc...it really depends on the level of risk you're willing to take on for your application.
I am working on a REST API to be used by a mobile application I am writing, mostly for the purpose of communicating with a database.
The mobile application makes calls to URLs like this:
example.com/mobileapi/getinfo
And carries certain POST payload along with each call.
I'm not worried about user authentication etc.
However, what I am worried about is, if someone were to use the mobile application along with a network monitoring tool like Fiddler or Wireshark, they could document all the URLs being called, along with all the POST parameters. That would be enough information to create their own app that uses my API.
How can I prevent this? I considered hardcoding a Key into my application and have that included as a POST parameter with each request, but that would be visible as well.
What you want to do is employ mutually-authenticated SSL, so that your server will only accept incoming connections from your app and your app will only communicate with your server.
Here's the high-level approach. Create a self-signed server SSL certificate and deploy on your web server. If you're using Android, you can use the keytool included with the Android SDK for this purpose; if you're using another app platform, similar tools exist for them as well. Then create a self-signed client and deploy that within your application in a custom keystore included in your application as a resource (keytool will generate this as well). Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. Configure the client to use that client-side certificate to identify itself and only accept the one server-side certificate you installed on your server for that part of it.
If someone/something other than your app attempts to connect to your server, the SSL connection will not be created, as the server will reject incoming SSL connections that do not present the client certificate that you have included in your app.
A step-by-step for this is a much longer answer than is warranted here. I would suggest doing this in stages as there are resources on the web about how to deal with self-signed SSL certificate in Android (I'm not as familiar with how to do this on other mobile platforms), both server and client side. There is also a complete walk-through in my book, Application Security for the Android Platform, published by O'Reilly.
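The client side of the mutually-authenticated SSL setup described in the two answers above (the app presents its bundled client certificate and trusts only the one self-signed server certificate), written as an added Android/JSSE example that is not code from the answers or the book. It assumes two BKS keystores shipped as raw resources (hypothetical names `client.bks` with the client key and certificate, `server.bks` with only the server certificate) and a placeholder keystore password.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import android.content.Context;

public final class MutualTlsClient {
    // Placeholder: in a real app derive this from a user login (see the answer above)
    // rather than hardcoding it, since a hardcoded value is recoverable by reversing.
    private static final char[] KEYSTORE_PASSWORD = "change-me".toCharArray();

    public static SSLContext buildContext(Context ctx, int clientBksRes, int serverBksRes)
            throws Exception {
        // Client identity: keystore holding the app's private key + self-signed cert.
        KeyStore clientStore = KeyStore.getInstance("BKS");
        try (InputStream in = ctx.getResources().openRawResource(clientBksRes)) {
            clientStore.load(in, KEYSTORE_PASSWORD);
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientStore, KEYSTORE_PASSWORD);

        // Trust anchor: a store containing ONLY the server's self-signed certificate.
        // Because this replaces the default trust managers, the system CA list is
        // not consulted, so any other server certificate is rejected (pinning).
        KeyStore trustStore = KeyStore.getInstance("BKS");
        try (InputStream in = ctx.getResources().openRawResource(serverBksRes)) {
            trustStore.load(in, KEYSTORE_PASSWORD);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return sslContext;
    }

    // Opens the API URL over the mutual-TLS context; hostname verification stays on,
    // so the pinned server certificate must also match the host in the URL.
    public static int callApi(Context ctx, String url, int clientBksRes, int serverBksRes)
            throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(buildContext(ctx, clientBksRes, serverBksRes).getSocketFactory());
        return conn.getResponseCode();
    }
}
```

The server must be configured to require a client certificate and to accept only the one bundled in the app, otherwise this client-side setup alone does not stop other clients from connecting.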