Solved

mobile app dot net secure communication

Posted on 2015-02-20
2
17 Views
Last Modified: 2016-06-23
We need someone to advice a secure way of communication between mobile app and a .net backend application. Mobile app will make http calls to the server and the connection between the app and the server cannot stay always open. So for every call we need to implement a security token at the end of the link.

What method/mechanism do we need to implement on the app and server ? What if the connection between the two is not secure, lets say calls are made in plan http !?
What security measures shall we implement on the server application to protect it from attacks or overloading ?
Is it better to host it on our own server or use azure, amazon, or some other provider ?

Thank you.
0
Comment
Question by:ASP-TIMS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 20

Accepted Solution

by:
edster9999 earned 500 total points
ID: 40791150
Don't use HTTP.
The first step is to move to HTTPS.
In order to do that you need an SSL certificate.  It is possible to self sign a cert - but if this is a business application then go out and buy one from a good company.

This is installed on the webserver (or load balancer) that faces the public and secures all the traffic (and also shows the app that it is the right server as long as you make sure domain name / cert checking is turned on in the app code.

You are on the right path when you talk about security tokens.  This is step two.
Once you have got SSL running, you should still have some form of authentication (like username / passwords) and when the person has logged in, you can make sure it is still that person by having a token (or cookie).  I would keep it off the end of the URL and put it into the traffic by using cookies or by sending it as a field with the pages.  The reason I say this - SSL traffic should encrypt the URL and only expose the IP or URL name in plain text, but I have seen bad implementations where it does send out other info like the full URL (or where it gets logged into log files) and this would be very easy to sniff and then reinject to become logged on as that person.
0

Featured Post

Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wouldn’t it be nice if you could test whether an element is contained in an array by using a Contains method just like the one available on List objects? Wouldn’t it be good if you could write code like this? (CODE) In .NET 3.5, this is possible…
International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question