Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

mobile app dot net secure communication

Posted on 2015-02-20
2
Medium Priority
?
47 Views
Last Modified: 2016-06-23
We need someone to advice a secure way of communication between mobile app and a .net backend application. Mobile app will make http calls to the server and the connection between the app and the server cannot stay always open. So for every call we need to implement a security token at the end of the link.

What method/mechanism do we need to implement on the app and server ? What if the connection between the two is not secure, lets say calls are made in plan http !?
What security measures shall we implement on the server application to protect it from attacks or overloading ?
Is it better to host it on our own server or use azure, amazon, or some other provider ?

Thank you.
0
Comment
Question by:ASP-TIMS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 20

Accepted Solution

by:
edster9999 earned 2000 total points
ID: 40791150
Don't use HTTP.
The first step is to move to HTTPS.
In order to do that you need an SSL certificate.  It is possible to self sign a cert - but if this is a business application then go out and buy one from a good company.

This is installed on the webserver (or load balancer) that faces the public and secures all the traffic (and also shows the app that it is the right server as long as you make sure domain name / cert checking is turned on in the app code.

You are on the right path when you talk about security tokens.  This is step two.
Once you have got SSL running, you should still have some form of authentication (like username / passwords) and when the person has logged in, you can make sure it is still that person by having a token (or cookie).  I would keep it off the end of the URL and put it into the traffic by using cookies or by sending it as a field with the pages.  The reason I say this - SSL traffic should encrypt the URL and only expose the IP or URL name in plain text, but I have seen bad implementations where it does send out other info like the full URL (or where it gets logged into log files) and this would be very easy to sniff and then reinject to become logged on as that person.
0

Featured Post

Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
Real-time is more about the business, not the technology. In day-to-day life, to make real-time decisions like buying or investing, business needs the latest information(e.g. Gold Rate/Stock Rate). Unlike traditional days, you need not wait for a fe…
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question