2

I am surprised that, as I understand it, any app can potentially clone my Parse Client KEY and App ID and act exactly as if it were my app, enabling and authenticating users on my app, having access to the same database and the same Cloud Code. Is that so? Is there a way to avoid this?

EDIT: My question is not related to privacy or data owned by the user. I have read about the right way to use ACLs, class-level permissions, the master key and so on.
But the question is how to prevent another app that clones my KEY/ID from leaning on the data of my app and doing whatever my app can do, mixing its database with mine and also affecting the request counter.

GPack

1 Answer

0

All the Parse Application and client keys (except for the master key) are considered public information and NOT secrets. This is clearly mentioned in the Parse documentation. There is no way to hide them: they will be part of your app/website and can be easily retrieved by any user. This means any data in your classes with Public read access can be retrieved by anybody. Read the Parse documentation on how to secure your app against malicious users.

Mo Nazemi
  • My question is not related to privacy or data owned by the user. I have read about the right way to use ACLs, class-level permissions, the master key and so on. But the question is how to prevent another app that clones my KEY/ID from leaning on the data of my app and doing whatever my app can do. – GPack Nov 22 '15 at 10:39
  • Anybody can clone your app and access/change your public data unless you implement some form of access policy. This is true for all the apps out there. The server cannot determine if a request is coming from your app or a clone app unless you use authentication. – Mo Nazemi Nov 22 '15 at 11:50
  • Sorry, but I don't understand. What kind of authentication do you mean? Is there an app authentication? If you mean user authentication and data ownership, then the cloning app can do the same. – GPack Nov 22 '15 at 12:05
  • As I said, someone can clone your whole app. People have cloned many famous apps out there. You can bury a signature in your app to sign your API requests with it, but that can also be compromised by a good cracker. Unless your app becomes the next hot thing, what Parse offers is sufficient :) – Mo Nazemi Nov 22 '15 at 12:25
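
The request signing mentioned in the last comment, sketched as an added example (not code from this thread or from Parse; the key, path and function names are constructed). The server can verify an HMAC over each request, but any app that ships the same embedded key verifies identically, so the check catches tampering and stale requests, not which app sent them.

```javascript
const crypto = require("crypto");

// Constructed sample value. Anything shipped inside a client binary must be
// treated as recoverable by whoever holds that binary.
const EMBEDDED_KEY = "constructed-demo-key-not-a-real-secret";
const MAX_SKEW_MS = 5 * 60 * 1000; // assumed freshness window

// Canonical string covered by the signature (hypothetical layout).
function canonical(method, path, body, timestamp) {
  return [method.toUpperCase(), path, timestamp, body].join("\n");
}

// Client side: sign the request with the key embedded in the app.
function signRequest(key, method, path, body, timestamp) {
  return crypto.createHmac("sha256", key)
    .update(canonical(method, path, body, timestamp))
    .digest("hex");
}

// Server side: reject stale timestamps, recompute, compare in constant time.
function verifyRequest(key, req, now) {
  if (Math.abs(now - req.timestamp) > MAX_SKEW_MS) return false;
  const expected = Buffer.from(
    signRequest(key, req.method, req.path, req.body, req.timestamp), "hex");
  const given = Buffer.from(String(req.signature), "hex");
  return given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
}

function demo() {
  const now = 1448150400000; // constructed timestamp
  const path = "/example/score"; // hypothetical endpoint
  const body = JSON.stringify({ score: 10 });
  const make = (key, ts) => ({ method: "POST", path, body, timestamp: ts,
    signature: signRequest(key, "POST", path, body, ts) });
  const genuine = make(EMBEDDED_KEY, now);
  return {
    genuine: verifyRequest(EMBEDDED_KEY, genuine, now),
    // A different app holding the same key is indistinguishable.
    clone: verifyRequest(EMBEDDED_KEY, make(EMBEDDED_KEY, now), now),
    wrongKey: verifyRequest(EMBEDDED_KEY, make("some-other-key", now), now),
    tampered: verifyRequest(EMBEDDED_KEY,
      { ...genuine, body: JSON.stringify({ score: 9999 }) }, now),
    stale: verifyRequest(EMBEDDED_KEY, make(EMBEDDED_KEY, now - 600000), now),
  };
}
```

What a request may read or write still has to be decided server-side per authenticated user (ACLs, class-level permissions), as the answer says.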