I have an Https Web API hosted in Azure.
Now if I am making a call from a console application, will the POST/GET data be passed in encrypted form, or will I need to do anything in the console app?
The reason I am asking is that if I use Fiddler, I can see the data in clear text. Of course, "Decrypt HTTPS traffic" is checked.
Similarly, if the Web API is consumed from an Android mobile app, does the app need to do anything to ensure that the traffic cannot be sniffed?
I am new to HTTPS and security. Any help or pointer will be of immense help.
I'd recommend making your Web API only accessible by HTTPS. And then, make sure that your Android app uses HTTPS. Also, ensure that if your Android app is presented with an invalid certificate it will stop running and not send any data.
HTTPS should basically handle everything from a sniffing/MITM point of view. However, you must still have a secure authentication mechanism and such as well.
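What "stop running and not send any data" looks like in practice, for the console-app side of the question. This is an added example, not code from the original question or answer; it assumes .NET 5 or later, and the host name and the pinned certificate hash are placeholders to be replaced with your own API's values. The Fiddler case is handled directly: Fiddler's generated certificate passes the operating-system chain check on a machine where its root was installed, but it does not match the pinned hash, so the request is never sent.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added example: a console client that only talks HTTPS and pins the
// API's certificate. Host name and hash below are placeholders.
static class PinnedClient
{
    // SHA-256 over the DER bytes of the API's leaf certificate (hex, no spaces).
    // Obtain it once from the real server, out of band; this value is a placeholder.
    private const string PinnedSha256 =
        "0000000000000000000000000000000000000000000000000000000000000000";

    static bool ValidateServerCert(HttpRequestMessage request, X509Certificate2 cert,
                                   X509Chain chain, SslPolicyErrors errors)
    {
        // 1. Never accept a certificate the OS chain builder rejected
        //    (expired, wrong host name, untrusted issuer). This is the same
        //    check the Android app in the answer has to enforce.
        if (errors != SslPolicyErrors.None || cert == null)
            return false;

        // 2. Pin: a Fiddler-generated certificate chains to a root the user
        //    installed, so step 1 passes on that machine. Comparing the leaf
        //    hash to a known value rejects it anyway.
        byte[] actual;
        using (var sha = SHA256.Create())
            actual = sha.ComputeHash(cert.RawData);
        byte[] expected = Convert.FromHexString(PinnedSha256);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    public static async Task Main()
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = ValidateServerCert
        };
        using var client = new HttpClient(handler)
        {
            // https only; a plain http:// base address would skip TLS entirely.
            BaseAddress = new Uri("https://your-api.azurewebsites.net/") // placeholder host
        };

        try
        {
            var response = await client.GetAsync("api/values");
            Console.WriteLine($"{(int)response.StatusCode} {await response.Content.ReadAsStringAsync()}");
        }
        catch (HttpRequestException ex)
        {
            // A chain or pin failure surfaces here, before any request body was sent.
            Console.WriteLine($"TLS validation failed, nothing sent: {ex.Message}");
        }
    }
}
```

Pinning the whole certificate means the pin breaks at every renewal; pinning the hash of the public key (SPKI) instead survives renewals that keep the same key pair, at the cost of a little more code. Either way, ship a backup pin and a way to update the app before the certificate changes.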
I am developing a project in Angular 4.0 and using a C#.NET Web API as the back end.
The problem is, when I am running my application through the browser, I am able to see the web service calls (GET/POST) through "Postman Interceptor", which is not good for security. Is there any way to secure my Web API calls so that they will not be visible in Postman or Fiddler-like tools?
Is there any way to secure my webAPI call so that it will not be visible in [Postman or Fiddler]?
No. You're issuing requests from the browser. This means they will come from the visitor's pc, and everything that happens there can be intercepted by them.
You don't need obscurity, you need authentication.
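What "authentication, not obscurity" means on the server side, as an added example (ASP.NET Web API 2, not the poster's project). The Order type, IOrderRepository and the routes are hypothetical, constructor injection assumes a dependency resolver is configured, and attribute routing assumes config.MapHttpAttributeRoutes() was called. The weak controller is the kind of endpoint that is actually endangered by being visible in Postman; the hardened one is fully visible too, and it does not matter.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Web.Http;

// Hypothetical domain types for the example.
public class Order
{
    public int Id { get; set; }
    public string OwnerId { get; set; }
    public decimal Total { get; set; }
}

public interface IOrderRepository
{
    IEnumerable<Order> All();
}

// Weak: trusts a user id the browser sends. Anyone who sees this call in
// Postman or Fiddler can change ?userId= and read other users' orders.
[Authorize]
[RoutePrefix("api/orders-weak")]
public class WeakOrdersController : ApiController
{
    private readonly IOrderRepository _repo;
    public WeakOrdersController(IOrderRepository repo) { _repo = repo; }

    [HttpGet, Route("")]
    public IHttpActionResult Get(string userId)
    {
        return Ok(_repo.All().Where(o => o.OwnerId == userId));
    }
}

// Hardened: the user id comes from the authenticated principal that the
// bearer token or cookie established, never from the request parameters.
[Authorize]
[RoutePrefix("api/orders")]
public class OrdersController : ApiController
{
    private readonly IOrderRepository _repo;
    public OrdersController(IOrderRepository repo) { _repo = repo; }

    private string CurrentUserId()
    {
        var identity = User.Identity as ClaimsIdentity;
        return identity?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
    }

    [HttpGet, Route("")]
    public IHttpActionResult Get()
    {
        var userId = CurrentUserId();
        if (string.IsNullOrEmpty(userId))
            return Unauthorized();   // [Authorize] should prevent this; fail closed anyway

        return Ok(_repo.All().Where(o => o.OwnerId == userId));
    }

    [HttpGet, Route("{id:int}")]
    public IHttpActionResult GetOne(int id)
    {
        var userId = CurrentUserId();
        var order = _repo.All().FirstOrDefault(o => o.Id == id);
        // 404 rather than 403, so the existence of other users' orders is not revealed.
        if (order == null || order.OwnerId != userId)
            return NotFound();
        return Ok(order);
    }
}
```

The same rule applies to writes: an ownership check on every update and delete, keyed on the principal, is what stops a user who can replay requests from Postman from touching anything but their own data.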
Let's say I have an installed app, a console app for example, not a web app, that I want to interact with the QBO API - I want to perform calls to QBO from my console app (but not from a web application). So I must authenticate from the console app, make a call and output in the console.
All QBO SDKs seem to ask for a callback URL or a redirect URL, i.e. a page on my server, that will perform the required leg of the OAuth 2.0 authentication. As my installed app is not a web server, I don't have a place to host this logic. Yes, I can host a web server to handle this logic, but I don't want to do it; this is a waste of resources for my use case (why leave an auth server on standby?). I just want to authenticate with the QBO API without a web server. Is this possible? Have I messed up my understanding of the API or of OAuth? I am at a total loss. In none of the sample code can I find a suitable example, despite this being the use case that I have. (I am working with .NET / C#)
It appears that at the moment the QuickBooks Developer platform will not accommodate this (a non-web endpoint).
As per Intuit:
These URIs handle responses from the OAuth 2.0 server and are called after the user authorizes the connection. URIs in this list are the only ones to which the authorization response can be sent from the OAuth 2.0 server. You must define at least one URI specifically for your application's auth endpoint before you can use OAuth 2.0.
Additionally they add in a note:
Mobile- or desktop-based apps that implement OAuth 2.0 must provide a separate SaaS layer for the Redirect URI to handle responses from the OAuth 2.0 server.
I realize this is not what you had hoped for. Please understand, however, that the endpoint must be a URL so as to securely return the authentication token.
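The "separate SaaS layer" in Intuit's note is small: one endpoint that receives the authorization response, checks the state value, and exchanges the code for tokens so the client secret never leaves the server. The following is an added example of that layer (ASP.NET Web API 2), not Intuit's SDK code or the poster's. The client id and secret, the redirect and token endpoint URLs, the in-memory state and token stores, and the realmId parameter name are placeholders or assumptions; take the real endpoint addresses and parameter names from Intuit's documentation.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using System.Web.Http;

// Stand-in for your encrypted token store (hypothetical).
static class TokenStore
{
    private static readonly ConcurrentDictionary<string, string> Tokens =
        new ConcurrentDictionary<string, string>();
    public static void Save(string realmId, string tokenJson) { Tokens[realmId] = tokenJson; }
}

[RoutePrefix("oauth")]
public class QboCallbackController : ApiController
{
    private const string ClientId = "YOUR_CLIENT_ID";                                 // placeholder
    private const string ClientSecret = "YOUR_CLIENT_SECRET";                         // placeholder, server only
    private const string RedirectUri = "https://your-app.example.com/oauth/callback"; // placeholder
    private const string TokenEndpoint = "https://TOKEN-ENDPOINT-FROM-INTUIT-DOCS";   // placeholder

    private static readonly HttpClient Http = new HttpClient();
    // Unused state values with their expiry. In memory for illustration only;
    // a real deployment keeps them in a store shared by all instances.
    private static readonly Dictionary<string, DateTime> PendingStates =
        new Dictionary<string, DateTime>();

    // The console app calls this first and puts the returned state into the
    // authorization URL it opens in the user's browser.
    [HttpPost, Route("start")]
    public IHttpActionResult Start()
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        var state = Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        lock (PendingStates) PendingStates[state] = DateTime.UtcNow.AddMinutes(10);
        return Ok(new { state });
    }

    // The browser lands here after the user approves; the authorization server
    // appends code and state (and, for QBO, the company id) to the redirect URI.
    [HttpGet, Route("callback")]
    public async Task<IHttpActionResult> Callback(string code, string state, string realmId)
    {
        // Unknown, reused or stale state is rejected: this is the CSRF check of the flow.
        lock (PendingStates)
        {
            DateTime expires;
            if (!PendingStates.TryGetValue(state, out expires) || expires < DateTime.UtcNow)
                return BadRequest("unknown or expired state");
            PendingStates.Remove(state);
        }

        // Exchange the one-time code for tokens. The client secret is used only here,
        // which is why this step cannot live in the console app.
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            { "grant_type", "authorization_code" },
            { "code", code },
            { "redirect_uri", RedirectUri },
        });
        var request = new HttpRequestMessage(HttpMethod.Post, TokenEndpoint) { Content = form };
        request.Headers.Authorization = new AuthenticationHeaderValue("Basic",
            Convert.ToBase64String(Encoding.ASCII.GetBytes(ClientId + ":" + ClientSecret)));

        using (var response = await Http.SendAsync(request))
        {
            if (!response.IsSuccessStatusCode)
                return StatusCode(HttpStatusCode.BadGateway);
            var tokenJson = await response.Content.ReadAsStringAsync();
            // Persist access + refresh tokens against the company; the console app
            // later fetches them from this service over its own authenticated call.
            TokenStore.Save(realmId, tokenJson);
        }
        return Ok("Connected. You can close this window.");
    }
}
```

The console app never sees the client secret; it only needs to open the browser with a state it obtained from /oauth/start and, afterwards, ask this service for the stored tokens. That hand-off is where the service must authenticate the console app, otherwise anyone who knows a realmId can collect its tokens.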
I am working on combination of Web API application and desktop client program (WPF). I am using Microsoft.AspNet.WebApi.Client for a client-server HTTP communication and now I want to use authorization / authentication system of the server application to authorize user of the client program.
The point is, I want to use (= start with) the same HttpClient class. I would like to use the ASP.NET Identity library on the server side: call a controller with credentials in an HTTP header, receive an actual token from the server, keep it and then use it for authentication in other controllers where it is required.
I know the theory and some basic steps, but I have not found any useful and up-to-date resource with simple examples or a tutorial on how to do it well. Does anyone know a good resource to learn how to do that?
Thanks a lot.
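The client half of what the question describes, as an added example (not the poster's code). It assumes the server is the ASP.NET Web API 2 "Individual Accounts" template with ASP.NET Identity: an OWIN OAuth authorization server at /token that accepts the resource-owner password grant as a form body (not a header, which is the one difference from the question's wording) and returns JSON with an access_token field. It targets .NET 5 or later for System.Text.Json; on .NET Framework WPF you would parse the response with Newtonsoft.Json instead. Host name, user name and password are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;

// Added example: desktop-side session against a Web API 2 + Identity server.
public sealed class ApiSession : IDisposable
{
    private readonly HttpClient _client;

    public ApiSession(Uri baseAddress)
    {
        // Credentials and bearer tokens must only ever travel over TLS.
        if (baseAddress.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Base address must be https.", nameof(baseAddress));
        _client = new HttpClient { BaseAddress = baseAddress };
    }

    // Step 1: exchange credentials for a bearer token. The credentials are
    // sent once, as a form body, and are not retained by the client.
    public async Task LoginAsync(string userName, string password)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "password",
            ["username"] = userName,
            ["password"] = password,
        });
        using var response = await _client.PostAsync("token", form);
        if (!response.IsSuccessStatusCode)
            throw new InvalidOperationException($"Login failed: {(int)response.StatusCode}");

        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        var token = doc.RootElement.GetProperty("access_token").GetString();

        // Step 2: keep the token in memory only and attach it to every later call.
        _client.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", token);
    }

    // Step 3: call controllers marked [Authorize]. The server validates the token
    // on every request; a 401 means it expired or was revoked, so log in again.
    public async Task<string> GetAsync(string relativePath)
    {
        using var response = await _client.GetAsync(relativePath);
        if (response.StatusCode == HttpStatusCode.Unauthorized)
            throw new UnauthorizedAccessException("Token rejected; log in again.");
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }

    public void Dispose() => _client.Dispose();
}

static class Program
{
    static async Task Main()
    {
        using var session = new ApiSession(new Uri("https://your-api.azurewebsites.net/")); // placeholder
        await session.LoginAsync("alice@example.com", "correct horse battery staple");     // placeholders
        Console.WriteLine(await session.GetAsync("api/orders"));
    }
}
```

Do not write the token to disk or to settings; it is as good as the password for as long as it is valid. If the desktop app must survive restarts without asking for the password again, use the server's refresh-token support and protect the stored refresh token with the user's OS credential store (DPAPI on Windows).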
In a .NET web service hosted in IIS and used by a desktop application, while logging in to the app a person can track and see all the input calls to the service and the responses back into the app.
Then I analysed the issue, searched on Google and got solutions: make the web service URL HTTPS/SSL, and also encrypt and decrypt on both client and server side.
After that I checked with Fiddler; it is still tracking the web service calls and responses. They are even able to break and run the app using this.
I am tired of trying to protect the web service calls and unable to achieve what I need.
I also attached screenshot below for your reference.
Guys, please help me... is there any other way to protect the service calls from Fiddler?
I see no screenshot. But if I understood correctly, then you are saying that Fiddler can decrypt your traffic.
Well, that is because Fiddler imports fake certificates into the Windows certificate store and then proxies data through itself. That is why it can actually decrypt data. I don't really see the point in trying to protect web calls from Fiddler. But you can force a direct connection and try not to use proxies with your application. But then again... you won't be able to use any proxies.
My Google-foo is failing me here... most likely a terminology thing.
Basically, I'm making a desktop (and likely mobile) application that connects to a REST API that returns JSON. I've created a C# class library that handles the data querying in my local project; however, this would expose my API key if I were to publish it.
I would like to know what are the appropriate options for simply running a small service in Azure that takes a web request, queries the API and passes the JSON response back. Something lightweight, decently scalable.
Is this something a web role or worker role is good for? Is this something I really should learn Node.js for?
I asked a similar question a few years back: Keeping a secret key secret with Amazon Web Services
One reasonable solution is to build a simple service that returns the headers and url to use when communicating with the authenticated service. Your API key remains secret because it only lives in your service, but the clients can leverage the API key by getting the encrypted request from your service and then making the request for the actual work.
I haven't personally looked into the Azure API App Service, but a brief browse of the main website suggests that it, too, may be relevant to your interests. :)
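The service the question sketches, as an added example (ASP.NET Web API 2 hosted in an Azure Web App; not the poster's code): it accepts a request from the app, adds the API key on the server, forwards the call upstream and relays the JSON. The upstream base address, the key header name, the configuration key and the allowed paths are placeholders. The two parts a practitioner would insist on are the [Authorize] on the controller, so the proxy is not a free endpoint for anyone who finds it, and the allow-list, without which the service is an open proxy for the entire third-party API under your key.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;   // needs a reference to System.Configuration
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;
using System.Web.Http;

[Authorize]                      // callers must still authenticate to your service
[RoutePrefix("api/proxy")]
public class ProxyController : ApiController
{
    private static readonly HttpClient Upstream = new HttpClient
    {
        BaseAddress = new Uri("https://api.thirdparty.example/")   // placeholder
    };

    // Read once from server configuration (Web.config appSettings or the Azure
    // portal's application settings). The value never reaches the client.
    private static readonly string ApiKey = ConfigurationManager.AppSettings["ThirdPartyApiKey"];

    // Only these upstream operations may be reached through the proxy.
    private static readonly HashSet<string> AllowedPaths =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "v1/quotes", "v1/symbols" }; // placeholders

    [HttpGet, Route("{*path}")]
    public async Task<HttpResponseMessage> Get(string path)
    {
        if (string.IsNullOrEmpty(path) || !AllowedPaths.Contains(path))
            return Request.CreateResponse(HttpStatusCode.NotFound);

        // Forward the client's query string, but nothing else from its request:
        // no client headers, cookies or authorization reach the upstream service.
        var query = Request.RequestUri.Query;   // "?a=b" or empty
        var upstreamRequest = new HttpRequestMessage(HttpMethod.Get, path + query);
        upstreamRequest.Headers.Add("X-Api-Key", ApiKey);   // header name is upstream-specific

        using (var upstreamResponse = await Upstream.SendAsync(upstreamRequest))
        {
            var body = await upstreamResponse.Content.ReadAsStringAsync();

            // Relay status and JSON body only; upstream headers may carry quota or
            // account details that should not be visible to your users.
            var response = Request.CreateResponse(upstreamResponse.StatusCode);
            response.Content = new StringContent(body, Encoding.UTF8, "application/json");
            return response;
        }
    }
}
```

Because every app user now consumes the same key, add per-user rate limiting at this layer as well; otherwise one abusive client can exhaust the quota for everyone.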
Check out Azure Mobile Apps. Azure Mobile Apps is a "backend as a service" platform. With Mobile Apps you can easily store information in a SQL Database and expose custom API methods. It is a great place to start and has SDKs for connecting iOS, Android, Xamarin, and HTML apps.
As for security, the Mobile service has options to protect the data, from allowing anonymous access to requiring each user to authenticate.