security of cross domain

  • 1
  • Question
  • Updated 4 years ago
hello, i use to communicate with my server; how do i secure that so only my application can speak to the server?

thanks

Yohann Kpfr

  • 4 Posts
  • 0 Reply Likes

Posted 4 years ago

  • 1

JesseMonroy650 (Volunteer), Champion

  • 3325 Posts
  • 122 Reply Likes
@Yohann
Since this is your first post, please answer the following questions:
- is this your first hybrid app?
- are you using Desktop App?
- are you using CLI, Build, or SDK? Please do not assume the answer, please read the link.

Thanks
Jesse

Yohann Kpfr

  • 4 Posts
  • 0 Reply Likes
hi,

yes, it's my first hybrid app
i use Build ^^

i use
header("Access-Control-Allow-Origin: *");
to communicate with my server
it's ok, but i want only my app to be able to communicate with the server; for the moment all websites can communicate.
how can i declare only my app?
thanks

JesseMonroy650 (Volunteer), Champion

  • 3325 Posts
  • 122 Reply Likes
@Yohann,
Phonegap is not a web browser. It does NOT use CORS.
Are you using Desktop App?
Communicating with the server is available once you turn on the 'whitelist' filter.

Jesse

Yohann Kpfr

  • 4 Posts
  • 0 Reply Likes
I don't understand, what is Desktop App?
My whitelist is good, but in my server i have
header("Access-Control-Allow-Origin: *"); so all websites can communicate ^^

what is the solution, so that only my app can communicate with my server?
a phonegap app doesn't have a url to replace the * with

JesseMonroy650 (Volunteer), Champion

  • 3325 Posts
  • 122 Reply Likes
@Yohann,
if you do not understand Desktop App, then it does not matter.
Does this page look familiar? http://phonegap.com/getstarted/
If no, do not worry. If yes, please let me know.

You do not need header("Access-Control-Allow-Origin: *"); to talk to phonegap. This is only for Web browser (firefox, chrome, opera, msie, etc).

When using Phonegap Build, use these docs http://docs.build.phonegap.com/en_US/#googtrans(en). Do not use others, except those with plugins.

For accessing servers, use whitelist plugin. Documentation here: https://github.com/apache/cordova-plugin-whitelist.

Since you are new, read this FAQ also:
Top Mistakes by Developers new to Cordova/Phonegap

Any Questions?
Jesse
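To make Jesse's point concrete, here is an added example (not code from the thread, nor from PhoneGap or the whitelist plugin) modelling what a server-side CORS decision does and does not do. The function names, the allowlisted origin and the sample data are assumptions made for this illustration.

```python
# Added example (not from the thread): what a server-side CORS check actually
# controls, to show why "Access-Control-Allow-Origin: *" is not an access control.
# Function names, the allowlist and the sample body are constructed for this demo.

ALLOWED_ORIGINS = {"https://app.example.com"}  # constructed allowlist


def cors_headers(request_headers, allowed_origins=ALLOWED_ORIGINS):
    """Return the CORS response headers for a request.

    Only a browser enforces these headers: it stops the page's JavaScript
    from reading the response when the origin is not allowed. A native or
    hybrid app, curl, or any other client ignores them entirely.
    """
    origin = request_headers.get("Origin")
    if origin is None:
        # Clients that are not browser pages need not send Origin at all.
        return {}
    if origin in allowed_origins:
        # Echo the specific origin rather than "*", and add Vary so shared
        # caches do not serve one origin's answer to another.
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def browser_can_read_response(page_origin, response_headers):
    """Model the browser-side decision: may script on page_origin read it?"""
    acao = response_headers.get("Access-Control-Allow-Origin")
    return acao == "*" or acao == page_origin


def handle_request(request_headers):
    """Server handler: the body is served regardless of the Origin header.

    Returns (status, headers, body). The resource itself still goes to every
    client; CORS only decides what a browser lets page script see.
    """
    body = {"rooms": ["A1", "B2"]}  # constructed public data
    return 200, cors_headers(request_headers), body
```

Note in `handle_request` that the response body is identical whether or not the origin is allowed; the header only changes what a browser page is permitted to read, which is why a PhoneGap webview or any non-browser client is unaffected by it.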

Petra V., Champion

  • 7794 Posts
  • 1391 Reply Likes
I believe you haven't made clear enough what it is that you want (or Jesse hasn't yet understood what you meant).

You said you want to "restrict access to your web service to your app, only".
Is it correct that you don't care:
- on which device the app is installed (so, a device recognition is not a solution)
- which person is using the app or the device (so, a personal login process is not the solution)
- when and where the app is used or the request is made.

All you want to be able to is:
- when receiving a request, make sure that it was made from your client-side application, not from another app on the same device or some other client on the web.

Right?

-----------------------------

In that case, this is not feasible. Your application's code is client-side and open to anyone. Whatever criteria you would code additionally in the client (like a generated application key) can be found and copied to another newly created app and then used to access your web service.

You can, however, make life a bit harder for those who try, at least for Android.
https://developer.android.com/google/...
http://security.stackexchange.com/que...
https://github.com/mobilino/Phonegap-...

If you want to know everything about securing web services, then these might be something for you:
http://www.amazon.com/Web-Services-Se...
http://www.springer.com/us/book/97835...

Yohann Kpfr

  • 4 Posts
  • 0 Reply Likes
Sorry for my English, i try to be understandable

so, if i understood correctly, i don't need to use header("Access-Control-Allow-Origin: *");
I need only to configure my whitelist in config.xml and my app can access my server
isn't it dangerous that another application can generate a registration on my website, for example?
but i can use a token, for example? but i don't find the documentation to use a token ;/

thank you for helping me

it's not easy to understand when all documentation is in English and i'm French :p

Petra V., Champion

  • 7794 Posts
  • 1391 Reply Likes
it's not easy to understand when all documentation is in English and i'm French
If you wanted to become a hybrid app developer, why did you choose to be French, then? ;-p

isn't it dangerous that another application can generate a registration on my website, for example?
That depends on what is happening with that kind of communication.

Let's see: you are making an ajax request from a client to a web service publicly available on an open client (which means: anyone who wants to see, analyze and copy the client code, can do so).

Now, if you want to prevent people from GETting data from the web service by means of a browser or other app, then you have made a thinking mistake. After all, you are serving data that are supposed to be available in the client, so the user may see them. It should not be a problem that these data are requested from some other client, because they are meant to be publicly available, anyway.

If you want to prevent people from POSTing data to the web service, then you should not restrict things to the app only, but also restrict multiple such POSTs from any client, including the app. For instance, if you don't want to have 100 room reservations posted within 1 minute. This would be an entirely different issue/project.

So, the solution depends on what you really want to prevent from happening, what kind of data are involved, whether it's simply GET or POST and what you are willing to check on the server.

but i can use a token, for example?

Think!
If that token is generated on the client, the code to do so is freely available and anyone can mimic that.
If the token is generated on the server, then the server should know somehow that the request to generate it comes from the app... and you would still have the same problem, only one step earlier.
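Petra's advice is to limit what any client may POST rather than try to recognise the app. As an added example (not from the thread), here is a server-side sliding-window limit on POSTs per client, run over a constructed request log. The class and function names, the limits, and the log lines are all assumptions made for this illustration.

```python
# Added example (not from the thread): a server-side sliding-window limit on
# POST requests per client, the kind of check Petra describes for "100 room
# reservations within 1 minute". Names, limits and the request log are constructed.
from collections import defaultdict, deque


class PostRateLimiter:
    """Allow at most `limit` POSTs per `window_seconds` for each client key.

    The key is whatever the server can observe for itself (here, source IP).
    It applies equally to the real app and to any copy of it, which is the
    point: the server never trusts the client to identify itself.
    """

    def __init__(self, limit=3, window_seconds=60):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)  # key -> timestamps of allowed POSTs

    def allow(self, key, now):
        q = self._hits[key]
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def process_log(lines, limiter=None):
    """Run 'ts method path client' lines through the limiter; return decisions.

    GETs serve data that is public anyway (Petra's point), so only POSTs are
    limited here. Each decision is (timestamp, client, "ok" or "429").
    """
    limiter = limiter or PostRateLimiter()
    decisions = []
    for line in lines:
        ts, method, path, client = line.split()
        ts = float(ts)
        if method != "POST":
            decisions.append((ts, client, "ok"))
            continue
        decisions.append((ts, client, "ok" if limiter.allow(client, ts) else "429"))
    return decisions


# Constructed request log: one client bursts reservations, another stays modest.
SAMPLE_LOG = [
    "0   POST /reservation 203.0.113.5",
    "5   POST /reservation 203.0.113.5",
    "10  POST /reservation 203.0.113.5",
    "12  POST /reservation 203.0.113.5",   # 4th within 60s -> rejected
    "15  GET  /rooms       203.0.113.5",
    "20  POST /reservation 198.51.100.9",
    "61  POST /reservation 203.0.113.5",   # hit at t=0 expired -> allowed
]

if __name__ == "__main__":
    for ts, client, verdict in process_log(SAMPLE_LOG):
        print(f"{ts:>5} {client:<14} {verdict}")
```

The limiter keys on something the server observes rather than on anything the client claims about itself, which is the only kind of check that survives the client code being copied; the window and limit values would be tuned to the real service.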