Question

I am trying to encrypt communication between a database on my server and a mobile application made in DevExtreme, which uses JavaScript. Their support team gives an example that involves using base64_encode. Is this a safe method? Here is an example for DevExtreme: Example of Authentication Request

I am having trouble understanding how secure this would be. According to my understanding, the mobile app would encrypt the data (so the app has the key/decryption method for the encryption. Wouldn't someone be able to find this key if they have access to the source code of the app?). This encrypted data is then sent over to the server and is decrypted. A message is sent to notify whether authentication failed or not.

On top of this, using an SSL connection would create a private connection between the app client and the server.

Sorry, I asked a lot of questions up there! Let me summarize:

  1. Is using base64_encode in devextreme safe? I have done some research and seen a lot of articles that say it is easy to crack.

  2. Since the password and username would have to be encrypted/decrypted on the application side as well as the server side, wouldn't this cause issues if the app user was able to gain access to the source code?

  3. Is sending the header/string/JSON file over an SSL connection enough? Would I need to use encryption if I were to use SSL?

  4. What is a guideline to follow, if any, in order to build a secure mobile app? Something similar to This guide, but for mobile apps.

Thanks in advance.


Solution

  1. base64 is not encryption. It's encoding (see e.g. difference between encoding and encryption). Decoding encoded data is trivial. As such, it isn't safe to use alone in cases which demand encryption, such as exchanging private data. base64 is pretty easy to recognize by sight, so if someone gets their hands on your HTTP packet, they just got your password.

  2. If you use encryption with an algorithm that isn't broken, and the attacker doesn't know your private key, you're good. In that case, knowledge of which algorithm you used doesn't help the attacker much. See e.g. encryption for more details.

  3. Using SSL should be enough. See e.g. how secure is SSL. No need to encrypt the same thing twice.

  4. DevExtreme is an HTML5/JS framework, so you should look for materials on securing such things as AJAX, etc. It also depends on what you use server-side. I guess it all boils down to securing vulnerable data transmission and your server-side app, whatever you use there. Can't help you much with this one.

One more thing: as I wrote in pt. 4, DevExtreme is an HTML/JS framework. As soon as anyone downloads your app, they already have the code, as DevExtreme apps aren't compiled as such; they're just web apps, so the only thing your users don't have access to is your server-side code.

OTHER TIPS

This approach is secure because the necessary credentials to access the web service are passed with each HTTP web request. It's essential that HTTPS is used so that the credentials are encrypted over the wire. The web service must check the passed credentials for each request before it sends a response. The sample encodes the username and password to base64 to make sure all characters, including special ones found in randomly generated passwords, are valid in headers (HTTP protocol).

Licensed under: CC-BY-SA with attribution