0

I have a mobile app (React native) that I am using with ParseReact with and have it so the user can immediately send data to parse inside the app. How can I lock this down so that parse.com will only take data from users with the APP installed?

Mitigations I have thought about:

Using ip address, geolocation, deviceUUID (per app) Possible encrypting traffic to parse to hide something secret?

I know 98% of users will likely be nice and not fake this but I'm worried about the hackers

SuperUberDuper
  • 9,242
  • 9
  • 39
  • 72

1 Answers1

1

The short answer is you can't. If you give public access to any of your classes, anyone can write to it and you will have no control on who is reading the data. You can make it difficult for someone to send write requests outside of your app by embedding a signature in your app and forcing all your public writes to go through cloud functions. You use the signature to sign every write request and send the signed token as a parameter to your cloud functions where it will be verified before you accept a request. But remember a cracker can easily find your signature in your app binary so this not bulletproof.

Mo Nazemi
  • 2,618
  • 2
  • 16
  • 23
  • Oh I see, why do people even bother with the jsSdk then? – SuperUberDuper Nov 29 '15 at 05:45
  • What is easy to hack ?? I simply said you cannot know if any request is coming from your app, even if you use authentication. This is a characteristic of a stateless REST system. As long as you provide the right credentials with your requests, you will be served by the server. – Mo Nazemi Nov 29 '15 at 12:35
  • @SuperUberDuper If you use a per-user or per-device key and https with TLS 1.2 and Perfect Forward Secrecy and pin the server certificate it will be extreamly hard for an attacker that does not have access to the device. If you use the same key in for all users/devices a skilled attacker can find the key and use it in for access. – zaph Nov 29 '15 at 17:08
  • @zaph trouble is that with a per-user key they need to have a login account and I have the situation that I must restrict usage by location (only certain countries allowed to participate). When the app is in use I also require the location to be in the same country. I could do logins but I would have to mail each user like a banks does to ensure the address. – SuperUberDuper Dec 05 '15 at 10:52
  • You will always have skilled attackers, drop the per-user authentication and you only allow another percentage of attackers. The level of security is proportional to the level of difficulty and hassle. Even Apple can not completely limit access per the user's country, they use the country of the credit card account. – zaph Dec 05 '15 at 14:09
  • Well per device key can be easily spoofed, more than user account I guess. I guess I could have both. I also plan to limit each user/device UUID to be able to modify account data during specific time intervals at 1 days notice, to get hackers more trouble. – SuperUberDuper Dec 09 '15 at 14:27