Securing a mobile rest api (Invoked from Mobile APP) - web-services

I am designing a REST API that takes a card number and CVV and uses that to check the card balance and other details. We have the HMAC encryption, Device Identifier recognition and SSL header validations and all that security in place.
However the issue is the call is going to be invoked from Mobile app which can be easily reverse engineered to get the code. Once some one has the code they can write a bot to fish (Brute Force) for the legit card number cvv combination.
So in order to lock down the API I am planning to use a captcha (mobile friendly) like FUNCaptcha. However Apps DEV rejected it saying webviews (IOS, Android) are not safe and can be exploited using MITM attacks etc since it is JavaScript based.
Can someone give me some ideas on how to tackle the problem. I need to secure the API from BOT, other automated processes. The only way to do it is via a captcha. but it seems on mobile devices the webview is a bad idea.

Related

Securing webservice endpoints without user authentication

My scenarios is simple and perhaps not only me deal with. I have an webservice that is used my a number of my mobile apps. I would like my webservice only be accessed from my mobile apps but I don't wish my apps's user be bothered with registering an account. How can I achieve that kinds of security?
I have read about API KEY and OTP, but it doesn't really convince me.
It isn't possible to do what you want 100%. The reason is that if the security is in your Mobile App, or travels over the internet, it is theoretically possible for someone to read your code or scan your traffic and then impersonate your Mobile App.
However, you can get good results with simple server side checks. EG, from your Mobile App, add a variable into HTTP calls which is checked by your backend. And, most importantly, use SSL. You can make this more complex as well, such as providing a token from the server and then requiring this token back on every call.
It's not unbreakable... but it will deter the casual hacker. And it will probably only take you 10 minutes to implement.

phone gap apps - How can i detect thet a login web service request is genuine

We r finally taking a leap into writing a mobile application for some of our platforms core functionality.
After spending some time - narrowed down that it is a HTML 5 application, CSS and Apache Phone gap to support different platforms mainly IOS and Android
We are writing WCF based REST services and have a question about securing the web service calls - specially ones for new user creation and login.
How can we ensure that the web service call to create a new user account or subsequently to log into the app is genuinely originating from a mobile device and not via a brute attack or someone trying to execute a service if they do discover the URL? Is there some kind of device identifier that we can depend on as part of the request (or something we embed into the app) etc or are there other more reliable techniques.
Any help would be appreciated.
Regards
Sid
Good question: I use the device plugin to get the device uuid and then hash it with the user email and the timestamp of the registration to create a key. One way hashing is your friend in this scenario. Keep all of your communication on https secure socket layer and create keys based on the UUID and you should be able to solve this problem.

How to deal with oAuth callbacks to non webservers?

I'm currently building an oAuth2 server so that external clients/devices can access data from my service without having to send over user credentials with every request. I've finally grasped how oAuth works after spending an entire day reading numerous tutorials and online documentation, however, there's still one thing that I'm rather unsure of...
When sending a request for an authorization code to an oAuth server, how should I deal with a callback to mobile devices and devices that aren't a webserver?
E.g. this request to my oAuth server will send an authorization code as a callback to a specified webserver (http://client-url.com in this case)
http://mydomainname/oauth2/?client_id=test&grant_type=authorization_code&client_details=test&redirect_uri=http://client-url.com&response_type=code
The server at http://client-url.com will receive a response containing an authorization code and the developer will be able to store a user's oAuth credentials accordingly.
Obviously a mobile device isn't a webserver, so is there a standardised way of dealing with this? I've read online that you can define something called a custom URI scheme within iOS and Android apps. But what about the other mobile platforms out there? And desktop apps? I want my API to be accessible from as many platforms and devices as possible.
The reason why I'm asking this question is because I want to add validation to my oAuth server so that users can only register apps with valid callback URL's. I wasn't sure if should allow any other type of input as a callback apart from a valid URL.
Can anyone shine any light on this? I want to avoid spending hours validating and testing this across all devices as I'm sure anyone that has developed for multiple mobile platforms in the past must have some knowledge about this.
Thanks in advance.

Securing communication between trusted servers in same hosting env

I work for a company that develops a software product that processes bank transactions and gives the user insight into his/her spending. Our customers (usually banks) integrate the product into their online banks.
I have a question about securing the communication between the online bank, and our system. Before I ask the question, I want to give you some background.
The bank will usually install our system on a set of servers in their hosting environment.
We offer a number of ways to integrate:
Web services - In this case the bank will make calls to a set of REST services on the server, and then generate a webpage with the results (on the server side).
Iframes - In this case the bank will embed iframes in their online bank webpages. The iframes contain webpages rendered directly from our web application.
Inline widgets - In this case the bank will embed JavaScript references on their pages. When the document loads, the JavaScript widgets will render themselves, using AJAX calls. They communicate with a proxy on the bank server, which in turn communicates with our webapp.
We currently have a custom solution where we generate and sign security tokens for the users, and pass these with the requests.
But as banks have very strict security policies, they would feel better with us using a known and trusted security protocol for the communication. It is a big concern, which we want to address.
So the question is, which protocol is best suited for the integration use cases I listed above? There is a plethora of single-sign-on standards out there, and solutions like SAML, oauth, etc. I get the feeling that these solutions might be an overkill for my situation.
I want to find a solution that is simple. As the servers will run side by side in the same hosting environment, and trust each other completely, there is no need for the end user to authorize one or the other (or being redirected between, clicking buttons to give access to the app).
That is, the security protocol should not require any intervention from the end user. The end user simply logs into his/her online bank, and via secure communication has access to the data from our web server.
So...any suggestions?
Thanks a lot!
OGG
After some deliberation, we decided to use 2-legged OAuth (online bank uses consumer key and consumer secret to sign requests to our app).
OAuth signature can either be put in a request header, or request parameters. It nicely solves our problem, as the REST requests can be signed, and the IFRAME src URL-s can also be signed (all communication is over HTTPS).
For those interested, a couple of references:
This article shows using OAuth with IFRAMEs: http://developer.tradeshift.com/blog/cross-site-user-verification/
This article mentiones some security issues with OAuth, and how threats can countered: http://software-security.sans.org/blog/2011/03/07/oauth-authorization-attacks-secure-implementation

Secure messaging using Secure MIME is it reliable?

We have an automatic reporting and notification system written in .net that sends emails with plain text. We are having to encrypt the messages that we send our clients.
The possible implementation approaches we have:
Send messages as S/Mime email with attachments.
Plain text email with that just contains a link to a web site that will display the message over https.
It seems like S/Mime is a simpler solution, as we won't need to create the web application or secure it.
Our concern is our interoperability with our clients email clients and more importantly their email filtering software.
Has anyone had success or issues deploying a Secure MIME messaging solution?
Given the wealth of different clients people use these days for email, like BlackBerry, Iphone, Android, Samsung, Nokia, Thunderbird, Outlook (Express), Apple Mail, web mail etc, I would go for the web application over https. It does take an extra step of clicking the link, and logging in, but it could be used from a lot more devices without extra configuration steps.
How are you going to solve the problem of provisioning the destination certificates? If you send mail to 1000 users, you need to send it 1000 times, and each time use a different public key, the one for the current destination (so that only he/she can decrypt it and read it). Having each individual report final user create a key for himself and send you the associated public key so you can associate the report mail with it is problematic. Some PKI infrastructure products can help, but only inside a (tighly run) organization.
Securing only your web site seems easier to manage, since you'll have all the ends under your control. You still have to handle authentication, but that can be handled at the HTTP level (eg. Digest, or even Basic over HTTPS).
SideNote: (you can edit this in an answer) Not all mobile clients support SMIME. sadly the native android mail client (on Nexus 4, Nexus 5 etc...) does not support S/MIME . also, I personally have issues with the samsung galaxy SMIME support. Best (external and paid for...) solution I have found so far for android is MySecuredMail.