Solved

mobile app dot net secure communication

Posted on 2015-02-20
Last Modified: 2016-06-23
We need someone to advise a secure way of communication between a mobile app and a .NET backend application. The mobile app will make HTTP calls to the server, and the connection between the app and the server cannot stay always open. So for every call we need to implement a security token at the end of the link.

What method/mechanism do we need to implement on the app and server? What if the connection between the two is not secure, let's say calls are made in plain HTTP?
What security measures shall we implement on the server application to protect it from attacks or overloading?
Is it better to host it on our own server or use Azure, Amazon, or some other provider?

Thank you.
Question by: ASP-TIMS
Accepted Solution

by: edster9999 earned 500 total points
ID: 40791150
Don't use HTTP.
The first step is to move to HTTPS.
In order to do that you need an SSL certificate. It is possible to self-sign a cert, but if this is a business application then go out and buy one from a good company.

This is installed on the webserver (or load balancer) that faces the public and secures all the traffic (and also shows the app that it is the right server, as long as you make sure domain name / cert checking is turned on in the app code).

You are on the right path when you talk about security tokens. This is step two.
Once you have got SSL running, you should still have some form of authentication (like username / passwords), and when the person has logged in, you can make sure it is still that person by having a token (or cookie). I would keep it off the end of the URL and put it into the traffic by using cookies or by sending it as a field with the pages. The reason I say this: SSL traffic should encrypt the URL and only expose the IP or URL name in plain text, but I have seen bad implementations where it does send out other info like the full URL (or where it gets logged into log files), and this would be very easy to sniff and then reinject to become logged on as that person.
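An added example, not part of the original answer or any project's code: a server-side sketch in C# of the token step described above, issuing a signed, expiring token after login and validating it on each HTTPS request. The class name `SessionTokens`, the token format, the use of an `Authorization: Bearer` request header (instead of a cookie or form field), and a .NET version that provides `CryptographicOperations.FixedTimeEquals` are all assumptions of this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper: names and token format are assumptions, not from the original post.
public sealed class SessionTokens
{
    private readonly byte[] _key;   // server-side secret, never shipped inside the mobile app
    public SessionTokens(byte[] key) { _key = key; }

    // Token format (assumed for this example): userId.expiryUnixSeconds.base64(HMAC-SHA256)
    public string Issue(string userId, DateTimeOffset now, TimeSpan lifetime)
    {
        if (userId.Contains(".")) throw new ArgumentException("userId must not contain '.'");
        string payload = userId + "." + now.Add(lifetime).ToUnixTimeSeconds();
        return payload + "." + Convert.ToBase64String(Sign(payload));
    }

    // Returns the user id if the token is authentic and unexpired, otherwise null.
    public string Validate(string token, DateTimeOffset now)
    {
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 3) return null;
        byte[] presented;
        try { presented = Convert.FromBase64String(parts[2]); }
        catch (FormatException) { return null; }
        byte[] expected = Sign(parts[0] + "." + parts[1]);
        // Constant-time comparison so response timing does not leak signature bytes.
        if (!CryptographicOperations.FixedTimeEquals(expected, presented)) return null;
        if (!long.TryParse(parts[1], out long expiry)) return null;
        return now.ToUnixTimeSeconds() < expiry ? parts[0] : null;
    }

    // Reads the token from an "Authorization: Bearer <token>" header value,
    // so it never appears in the URL or in URL-based access logs.
    public static string FromAuthorizationHeader(string headerValue)
    {
        const string prefix = "Bearer ";
        return headerValue != null && headerValue.StartsWith(prefix, StringComparison.Ordinal)
            ? headerValue.Substring(prefix.Length).Trim() : null;
    }

    private byte[] Sign(string payload)
    {
        using (var hmac = new HMACSHA256(_key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }
}
```

The expiry bounds how long a captured token can be replayed; the token is only confidential in transit when every request goes over HTTPS with certificate checking enabled in the app.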