An Android/Iphone app will be accessing application data from the server.
[Django-Python]
How can I secure the communication with the mobile app ?
Expectation : Secure enough for sensitive information like passwords, there shall be no direct way of decryption except brute-forcing.
My requirements :
- Authentication [Only the app is authorized]
- Integrity [Messages should not be modified in between]
- Privacy [Communication should not be readable if sniffed]
My effort:
- SSL authenticates only the Server, not the client.
- I can-not use a symmetric encryption [Provides only Privacy]
- Digital signature is not possible [Lacks Privacy]
- PGP full-fills all 3 requirements.
Problem :
- PGP requires to store keys on client app.
- There seems to be no assuring way of securing keys on client app.
- If the key is out, then PGP or Symmetric encryption are equally vulnerable.
- Reverse-Engineering PGP keys or symmetic keys is equally hard.
- In that case PGP is a non-sense burden on the mobile processor.
- OAuth is again useless, since it also have a client key.
So, how can/should I move forward on this ?
How does the industry deals with this ?
Should I implement casual approach :
- Use simple SSL and cross my fingers ?, since authentication is not possible if the keys are stolen? (Only server authentication is possible with this)
Update:
Conclusion was to use AES, since if I can keep the key secure then I am as good as SSL.
Plus I can keep changing the key over-time for better security.
Contribute if you think there is a better way, do read the entire post before posting.
You’re working on bad information. SSL can absolutely authenticate the client, it’s just not something that is done for the bulk of SSL as the protocol is (or, atleast was) typically used to protect e-commerce sites where authentication of the server was important but doing so with the client was not important and/or not feasible. What you want to do is employ mutually-authenticated SSL, so that your server will only accept incoming connections from your app and your app will only communicate with your server.
Here’s the high-level approach. Create a self-signed server SSL certificate and deploy on your web server. If you’re using Android, you can use the keytool included with the Android SDK for this purpose; if you’re using another app platform like iOS, similar tools exist for them as well. Then create a self-signed client and deploy that within your application in a custom keystore included in your application as a resource (keytool will generate this as well). Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. Configure the client to use that client-side certificate to identify itself and only accept the one server-side certificate you installed on your server for that part of it.
If someone/something other than your app attempts to connect to your server, the SSL connection will not be created, as the server will reject incoming SSL connections that do not present the client certificate that you have included in your app.
A step-by-step for this is a much longer answer than is warranted here. I would suggest doing this in stages as there are resources on the web about how to deal with self-signed SSL certificate in both Android and iOS, both server and client side. There is also a complete walk-through in my book, Application Security for the Android Platform, published by O’Reilly.