Solved

mobile app dot net secure communication

Posted on 2015-02-20
2
7 Views
Last Modified: 2016-06-23
We need someone to advice a secure way of communication between mobile app and a .net backend application. Mobile app will make http calls to the server and the connection between the app and the server cannot stay always open. So for every call we need to implement a security token at the end of the link.

What method/mechanism do we need to implement on the app and server ? What if the connection between the two is not secure, lets say calls are made in plan http !?
What security measures shall we implement on the server application to protect it from attacks or overloading ?
Is it better to host it on our own server or use azure, amazon, or some other provider ?

Thank you.
0
Comment
Question by:ASP-TIMS
2 Comments
 
LVL 20

Accepted Solution

by:
edster9999 earned 500 total points
ID: 40791150
Don't use HTTP.
The first step is to move to HTTPS.
In order to do that you need an SSL certificate.  It is possible to self sign a cert - but if this is a business application then go out and buy one from a good company.

This is installed on the webserver (or load balancer) that faces the public and secures all the traffic (and also shows the app that it is the right server as long as you make sure domain name / cert checking is turned on in the app code.

You are on the right path when you talk about security tokens.  This is step two.
Once you have got SSL running, you should still have some form of authentication (like username / passwords) and when the person has logged in, you can make sure it is still that person by having a token (or cookie).  I would keep it off the end of the URL and put it into the traffic by using cookies or by sending it as a field with the pages.  The reason I say this - SSL traffic should encrypt the URL and only expose the IP or URL name in plain text, but I have seen bad implementations where it does send out other info like the full URL (or where it gets logged into log files) and this would be very easy to sniff and then reinject to become logged on as that person.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

More often than not, we developers are confronted with a need: a need to make some kind of magic happen via code. Whether it is for a client, for the boss, or for our own personal projects, the need must be satisfied. Most of the time, the Framework…
International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

25 Experts available now in Live!

Get 1:1 Help Now