[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

mobile app dot net secure communication

Posted on 2015-02-20
2
Medium Priority
?
56 Views
Last Modified: 2016-06-23
We need someone to advice a secure way of communication between mobile app and a .net backend application. Mobile app will make http calls to the server and the connection between the app and the server cannot stay always open. So for every call we need to implement a security token at the end of the link.

What method/mechanism do we need to implement on the app and server ? What if the connection between the two is not secure, lets say calls are made in plan http !?
What security measures shall we implement on the server application to protect it from attacks or overloading ?
Is it better to host it on our own server or use azure, amazon, or some other provider ?

Thank you.
0
Comment
Question by:ASP-TIMS
1 Comment
 
LVL 20

Accepted Solution

by:
edster9999 earned 2000 total points
ID: 40791150
Don't use HTTP.
The first step is to move to HTTPS.
In order to do that you need an SSL certificate.  It is possible to self sign a cert - but if this is a business application then go out and buy one from a good company.

This is installed on the webserver (or load balancer) that faces the public and secures all the traffic (and also shows the app that it is the right server as long as you make sure domain name / cert checking is turned on in the app code.

You are on the right path when you talk about security tokens.  This is step two.
Once you have got SSL running, you should still have some form of authentication (like username / passwords) and when the person has logged in, you can make sure it is still that person by having a token (or cookie).  I would keep it off the end of the URL and put it into the traffic by using cookies or by sending it as a field with the pages.  The reason I say this - SSL traffic should encrypt the URL and only expose the IP or URL name in plain text, but I have seen bad implementations where it does send out other info like the full URL (or where it gets logged into log files) and this would be very easy to sniff and then reinject to become logged on as that person.
0

Featured Post

Configuration Guide and Best Practices

Read the guide to learn how to orchestrate Data ONTAP, create application-consistent backups and enable fast recovery from NetApp storage snapshots. Version 9.5 also contains performance and scalability enhancements to meet the needs of the largest enterprise environments.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Today I had a very interesting conundrum that had to get solved quickly. Needless to say, it wasn't resolved quickly because when we needed it we were very rushed, but as soon as the conference call was over and I took a step back I saw the correct …
It was really hard time for me to get the understanding of Delegates in C#. I went through many websites and articles but I found them very clumsy. After going through those sites, I noted down the points in a easy way so here I am sharing that unde…
this video summaries big data hadoop online training demo (http://onlineitguru.com/big-data-hadoop-online-training-placement.html) , and covers basics in big data hadoop .
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …
Suggested Courses
Course of the Month18 days, 1 hour left to enroll

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question