I have an iPhone app that accesses ASP.NET web services for data. Since I am creating both the ASP.NET end and the iPhone portion of the app, and we will publish it in the App Store soon, I want to know what security checks I need.
The basic flow of the program (without revealing too much about it) is as follows:
- Login (enter username and password in the app).
- The primary screen, where the data is fetched from the web service and presented.
- Posting the data back after the user has made some updates.
I am using POST to send data to Datasheet via HTTPS. I am sanitizing the inputs and checking the input length, but my knowledge of this kind of security is limited. Any other suggestions are appreciated!
EDIT: I should add that our service requires a separate subscription, and its iPhone component cannot be used on its own. Therefore, an average user will not have login credentials. Also, the app contains health care data, so I will not try to attack anyone from my login page.
Thanks,
Teja.
There are several things to check. You control both the client and the server side, so you have a variety of mitigations to take. It seems that you are taking the right perspective, but you need to focus on the risks and reduce them.
Examples:
- Authentication is done using a username and password. What could go wrong here? The main threats are interception of the credentials on the wire, or loss of the device (or of access to it). Either would expose the credentials to an attacker. If you use SSL to encrypt the wire traffic, sniffing over the network becomes difficult. But if you store the credentials on the device, SSL does not protect you. Would you consider OAuth (delegated authentication), or storing hashed versions of the credentials with some kind of expiry? The OAuth route would be recommended, as it prevents the user from entering and storing credentials in your application. Instead the device stores a "key" which is independent of their username and password. They can then log on to a web application and revoke the application's access. Storing hashed credentials with expiry is not as safe, but it can be easier to implement in the short run, because OAuth requires both server and client changes.
- Devices like the iPhone can provide a level of cryptography and protection from local attacks, but you should still consider encrypting the data stored by your application. You should also keep the amount of stored data to a minimum; this can be a challenge to implement, but you need to manage the trade-off with your users and management.
Reading material on this for Android or other mobile platforms may also be useful.
Security of ASP.NET Web Services
Microsoft has published some material (and related issues) on the web services aspect, which is possibly the area to focus on. You also need to consider a more comprehensive approach to security: since the application is like any other ASP.NET application, you should look at the normal ASP.NET security resources. You may also want to search Stack Overflow.
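The "device key" idea from the answer, written out as an added example (not code from the asker's app or from the answer): the phone exchanges the username and password once for a random token, keeps only that token (in the iOS Keychain), and the server stores just a hash of it with an expiry and a per-device record that the user can revoke from a web page after losing the phone. The token logic is independent of ASP.NET, so it is modelled here in plain Python; the in-memory user and token stores, the 30-day lifetime, and every function name are assumptions made for the illustration.

```python
"""
Server-side revocable device token as an alternative to keeping the user's
username and password on the phone. Added illustration, not the project's
code: the ASP.NET service is modelled as plain functions and the user and
token stores are in-memory dicts constructed for this example.
"""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 200_000
TOKEN_TTL_SECONDS = 30 * 24 * 3600  # assumption: 30-day device token lifetime

# Constructed user store: username -> (salt, PBKDF2 hash of the password)
USERS = {}
# Token store: sha256(token) -> record. Only the hash is kept server-side, so
# a leaked store does not yield usable tokens.
TOKENS = {}


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register_user(username, password):
    salt = os.urandom(16)
    USERS[username] = (salt, _hash_password(password, salt))


def verify_password(username, password):
    record = USERS.get(username)
    if record is None:
        # Do the same work for unknown users so timing does not reveal
        # which usernames exist.
        _hash_password(password, b"\0" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _hash_password(password, salt))


def _token_key(token):
    return hashlib.sha256(token.encode()).hexdigest()


def login(username, password, device_name, now=None):
    """Exchange credentials once for a random device token.

    The phone keeps only the token; it never needs to store the password.
    Returns None on bad credentials."""
    if not verify_password(username, password):
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    TOKENS[_token_key(token)] = {
        "user": username,
        "device": device_name,
        "expires": now + TOKEN_TTL_SECONDS,
        "revoked": False,
    }
    return token


def authenticate(token, now=None):
    """Validate a device token on each web-service call.

    Returns the username, or None if the token is unknown, expired or revoked."""
    now = time.time() if now is None else now
    record = TOKENS.get(_token_key(token))
    if record is None or record["revoked"] or now >= record["expires"]:
        return None
    return record["user"]


def revoke_device(username, device_name):
    """What the user does from the web application after losing the phone:
    kill that device's token without having to change the password.
    Returns the number of tokens revoked."""
    count = 0
    for record in TOKENS.values():
        if (record["user"] == username and record["device"] == device_name
                and not record["revoked"]):
            record["revoked"] = True
            count += 1
    return count


if __name__ == "__main__":
    register_user("teja", "correct horse battery staple")  # constructed sample
    tok = login("teja", "correct horse battery staple", "iphone")
    print("authenticated as", authenticate(tok))
    revoke_device("teja", "iphone")
    print("after revoke:", authenticate(tok))
```

Because the server only ever sees the password at login time and only stores a hash of the token, a compromised phone can be cut off with `revoke_device` while the user's password and other devices stay valid; the expiry bounds how long a stolen token remains useful even if the user never notices the loss.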