
I am working on an Android app for IoT devices. The Android app takes the data from the IoT device and sends it to NodeJS, which stores it in MongoDB. I am using AES-256 encryption to send the encrypted data to the NodeJS server using a POST request. Now, the problem is that anyone can create this POST request and store some data in MongoDB. To protect against that we could use JWT, but the problem is that this app won't have any username and password facility. So I was thinking of sending some kind of token which will be validated on the server side, and once it is validated the server will store the data. But I cannot understand how to generate this token and protect it from a MITM attack.

I cannot use sessions, as that is against the philosophy of IoT. Any other idea would be great. Also, I was thinking of using EJBCA for implementing PKI, but I have little knowledge about that. A small light on that would be great too.

My setup is running on localhost.

Prashant Dey
  • You could use a client_credentials OAuth2 grant. First, the IoT device requests a token from an OAuth2 server using a client id and a client secret. Then, it POSTs against your NodeJS server. The NodeJS server has to validate the token (making a request against the OAuth2 server). – Héctor Nov 06 '17 at 17:11
  • The title is misleading; what you are asking is how to validate POST requests coming from your Android app. It sounds like you want to register the device with your server first. You could use FCM (Firebase Cloud Messaging) for that, or register by exchanging certs with the server. This way no one except your Android app can post data, and you can validate that by checking whether the device was registered before you insert the data. – Ivar Nov 06 '17 at 17:16
  • If I am not wrong, then client_id and secret are a kind of username and password which need to be registered. But this is what I don't want. Although we need some other mechanism to register the device, maybe its *MAC address* or something like that. But I am not sure. I am looking into OAuth2 @Héctor – Prashant Dey Nov 06 '17 at 17:20
  • By validation, I mean that it should know where the data is coming from, and if it is from the Android app then it will store the data. @AivarasPrudnikovas – Prashant Dey Nov 06 '17 at 17:23

0 Answers