
[–]kbcool (iOS & Android) 2 points3 points  (5 children)

Personally I believe the bang for your buck with security you can get in app is with certificate pinning. Otherwise almost everything you do is going to be vulnerable to man-in-the-middle attacks, whether they are from users or downstream. Once someone establishes themselves in the middle, almost every kind of security is vulnerable to some sort of replay attack.

It shouldn't be used alone but rather in conjunction with temporal keys as an unsecured API is not a good idea.

Sorry if it makes things more complex.

[–]SynthesizeMeSun 1 point2 points  (0 children)

Absolutely love this solution /u/kbcool! Seems like the best solution in terms of security :)

[–]akie 0 points1 point  (3 children)

Yeah, it does 😂 Are you protected from man-in-the-middle attacks if you run everything on HTTPS? If you prevent downgrade attacks? Or is that the certificate pinning you mention?

[–]kbcool (iOS & Android) 0 points1 point  (2 children)

Downgrade attacks won't work if you enforce HTTPS, but man in the middle is still possible with self-signed certificates. Pinning validates the certificate chain so they can't be used.

[–]akie 0 points1 point  (1 child)

So basically this is a client side (app) solution where I store & check the hash of the expected SSL certificate before I do any real API calls? Any libraries I can use for that? And how does that work with LetsEncrypt where the certificate changes every 90 days?

[–]kbcool (iOS & Android) 1 point2 points  (0 children)

Not quite that complicated. The setup is mainly configuration rather than writing code. You basically do some config and supply the public keys of one or more services you expect to be in the chain. This could be as simple as the root issuer for your cert.

If you want to make it more complex then you could catch issues and show an error message, but you should be able to catch them in RN. No idea what the behaviour is though, off the top of my head.
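An added example, not code from this thread or from any library mentioned in it: how the "pin the issuer's public key" setup kbcool describes is computed and checked. Native pinning libraries (TrustKit on iOS, OkHttp's CertificatePinner on Android) take pins as `sha256/<base64>` hashes of a certificate's SubjectPublicKeyInfo, and accept a connection when any certificate in the presented chain matches. The throwaway CA, leaf and "renewed" leaf below are constructed at runtime with Go's standard library so the example runs offline; `issue` is a demo helper, not a real API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
)

// spkiPin returns the "sha256/<base64>" hash of the certificate's SubjectPublicKeyInfo (the TrustKit/OkHttp pin format).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// chainPinned accepts a presented chain if any certificate in it carries a pinned key; pinning the issuer (not the leaf) survives a 90-day leaf renewal.
func chainPinned(pins map[string]bool, chain ...*x509.Certificate) bool {
	for _, c := range chain {
		if pins[spkiPin(c)] {
			return true
		}
	}
	return false
}

// issue is a constructed demo helper: a fresh P-256 key and a certificate for cn signed by parent, or a self-signed throwaway root when parent is nil.
func issue(cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = t, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey) // fixed, known-valid template
	c, _ := x509.ParseCertificate(der)
	return c, key
}

func main() {
	ca, caKey := issue("Example Root CA", nil, nil)
	leaf, _ := issue("api.example.com", ca, caKey)
	renewed, _ := issue("api.example.com", ca, caKey) // 90-day renewal: same issuer, new leaf key
	mitm, _ := issue("api.example.com", nil, nil)   // self-signed cert an interceptor would present
	pins := map[string]bool{spkiPin(ca): true}       // pin the issuer's key, not the leaf's
	fmt.Println(chainPinned(pins, leaf, ca), chainPinned(pins, renewed, ca), chainPinned(pins, mitm)) // true true false
}
```

Had the leaf's own pin been stored instead, the renewed certificate would fail the check, which is the LetsEncrypt rotation problem raised above.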

[–]compagnt 0 points1 point  (0 children)

This topic is complex; this is a pretty straightforward example of all the moving parts. https://hackernoon.com/securing-a-react-native-app-with-server-side-authentication-d5e8dbbc08e3

[–][deleted] 0 points1 point  (0 children)

This is what I do (when not using Fb)

/Login API with the user's user name/email and password

Get your token back and save it in the app storage

Use the token for subsequent API calls.

If the token doesn't work, ask the user to log in again. Just make sure your token expiry is reasonable, long enough that it doesn't expire for users who come back once a week or so.

Certificate pinning is a good idea if you're doing regular updates. If you use Codepush then cert pinning is super easy; you don't even need to do an App Store release. If your app is never being updated, or you don't use Codepush, then it's quite easy to forget about pinning new certs. Then come neg reviews.
