So I'm working on a personal project to write an app that syncs with a free web service. They have a free api to let third parties connect and both retrieve information, as well as control the accounts themselves.
This is all fine and good but in order to do so, all apps need to be registered on their site for a developer key. This is a static key that allows my app to connect and perform actions.
But that is the rub; I would like to make this an open source app but that would reveal my developer key to anyone who downloads and looks at the code.
Is there a way to hide this key; to keep the source open but not make the key public?
One possible solution would be to write a web service / API of your own. In there you store your API key to the other third-party service. Then, in your open-source app you would make a call to YOUR service which in turn uses the stored (and never revealed) API key to communicate to the third-party.
This will keep your key private and as you are making external calls from your app anyway this should not matter. It also has the added advantage that you control whole ecosystem rather than people making direct call to the third-party.
The down-side? Well, it won't be fully open-source but it is probably as close as you will be able to get while keeping some of it private.
Related
I want to create a game within the Unity game engine in C# with .NET where I can securely connect out to a private server, and read and write data from/to the server. I understand how to do this in a non-secure way, where I would setup a private SQL database with a webpage interface between the two.
My problem comes here, I know if I want the web interface to be public, I need credentials to connect to the server, such as an Auth key, or username and password. However, in order to use those, then the auth-key would need to ship with the game as a file, or would need to be written directly into the codebase. I know that users can decompile games, and access these files and get the credentials if I include them, which means that option is off the table as far as I am aware.
It is my understanding that even with this layer between the database and the client, someone could still find the url for the interface between them, and then send custom function calls to this url as I will be doing in the game program. Wouldn't this lead to the same conclusion as having the database be open?
If anyone has answers to this, or resources where I can learn about this process, please let me know! I have never done server-side programming before and have also never thought about security before in my life.
You're correct in that you should not embed authentication keys into your apps. Where you're falling down is in exposing your database to the world. Don't do this. Instead, hide it behind a web server that serves only json data files. This way you can take advantage of the web server's authentication and session protocols.
Since you're already working with C#, I would suggest looking into ASP.NET Core MVC and specifically about WebAPI. But I would probably recommend node.js for lightweight microservices.
I would like to add a password protected page to my WPF modernUI application and could use some help with it.
First of all I don't really have a clue how to handle this stuff correctly in my case.
My application is used on several machines. The protected page should be some kind of admin-page to edit a database that is used by the app.
My idea is, that there is only one Admin-account. But this account can be used from any machine. The admin should be able to change his password. So there must be some kind of encrypted password file on the server which can be accessed from any machine. I don't want to store the password within the application, as this would mean that the admin has to change his password on every machine.
So my question is: What is the best/safest solution for my idea? I'm just looking for hints as I don't have a clue what to search for.
The best Practise nowadays for distributed client applications who share a Database is indeed not to have direct access to the Database.
What you need is a WebService. A web service can be anything. It just has to be hosted somewhere. It can be an ASP.NET application, a WCF Service, or even something not .NET related like a PHP or Java application.
The communication between your application and your WebService depends on what you decide to use. Today a lot of people are using so called REST APIs which use either XML or JSON as data transfer format and use the HTTP protocol.
Its not hard to implement such an API since there are ton of Libs and Solutions out there.
You could use RestSharp for the communication at your client side. Which is straight forward and simple. You could also consume a WCF Service. Which is hosted in IIS somewhere.
However your Problem is nothing special and there are several solutions available. The decision is on your side since it depends on a lot of things such budget, available infrastructe etc.
Your question is quite broad but as far as WPF is concerned you could implement custom authentication and authorization in your application by creating classes that derive from the IIdentity and IPrincipal interfaces and overriding the application thread’s default identity. Please refer to the following blog post for more information an an example.
Custom authorization in WPF: https://blog.magnusmontin.net/2013/03/24/custom-authorization-in-wpf/
The actual credentials should be stored on some remote server that may be accessed through a web service, WCF service or some other kind of API. The details of how to actually get the credentails would be implemented in the AuthenticationService class in the sample code from the above link.
I am building a plugin for multiple .NET based solutions. The application it self will connect to a database that holds user data and user group data, as well as some configuration files that users create for them selves. The configurations may also be shared between users (the owner can share his configurations with another user), and administrators will be able to edit all permissions on all files(my guess is via some web interface).
The applications that will have access to the functionality of this plugin are using the .NET platform but after that the projects diverge. One is using old win forms, the other WPF for desktop and another is web based using a JavaScript library. All the aforementioned applications are just interfaces for a shared lib that contains actual business logic.
My plugin will be implemented within the shared business logic library. The app will support both username and password authentication as well as windows authentication(if win auth fails the all will ask for username and password to try to access data that way).
My options regarding membership and authentication/authorization are plentiful and I'm not sure of my choice. I can use the Membership library or the new Identity library. I am also sure there are 3rd party libs that are quite good at this stuff but I have yet to hear of them.
is there a preferred lib to use or is the choice trivial and i should just start from somewhere?
This is a great place to start: http://brockallen.com/category/membershipreboot/
This question already has an answer here:
How to make GET web service more secure
(1 answer)
Closed 9 years ago.
I'm thinking about this witch, how to can write a web service with more secure.
for example my web url is http://test.com/getdata.php
how to secure this for just access with only my application in mobile app like android or ios or any think.
web service can be REStful or SOAP or any think, what is the best way for this to secure web service to just my app use that.
in android application can be very easy to decompile and get web service address for yse i want to prevent this attack...
how to implement a secure way for this purpose!
Securing a webservice to only be used by a particular application is hard, and if you have a persistent attacker then it is probably impossible as they can run your application in some emulator, or on a device where they can scan memory and get information.
So, what is the value that you are protecting? The value that you are trying to protect will decide how much effort to put in.
But, you could have an RSA public key put on each version of your application, and some marker has to be encrypted so only the server can decrypt it, and that will help ensure only your application can call the webservice, but, even if the key is hardcoded inside your application someone can find it if they try hard enough.
Another approach would be to use a zero-knowledge proof to verify the application is who it claims to be, so you would need to have information that is hardcoded into the program that it can look up and answer questions. This should work, but I haven't gone with this approach yet, but may be more secure than just using encryption.
But, the simplest approach is to have users have a login/password, and if someone has valid credentials they can use your webservice, even if they do it from their own javascript page, and if someone is doing something wrong mark their credentials as banned.
If you want to prevent decompilation then you may want to look at this explanation as to why that approach is unreliable: https://stackoverflow.com/a/3122640/67566, which is why I think trying to protect the webservice is the best approach.
If done properly, a zero-knowledge proof should rely on something that depends on how it was compiled, so if someone reverse-engineers the application and recompiles they should get something different enough to fail the authentication.
I've got a website which contains the profile of users. I am now working on a mobile app and I would like to access the profile details from via the app. My idea is to simply create a webservice which returns the relevant fields (some of which might be password protected). How can I ensure that the web service is being request only by my application and not by anything else (desktop, other app etc..)? Initial idea was to have a secret key embedded in the program which is used to encrypt the data sent over to the web service, but I'm not sure how difficult it would be for someone to find that key since it's on the client side app.
Any suggestions on what the best approach would be for this type of situation? (I assume the technique would be the same regardless of phone model)
Thanks
Microsoft now considers ASMX web services to be "legacy technology". All new development should be done using WCF.
WCF has many more abilities in terms of security than ASMX does.