I'm working on an Ionic 3 application which requires me to send encrypted data over the internet to an AWS Lambda function. I have an API created for this Lambda function and I'm able to send a POST request to the Lambda function using Ionic's HTTP plugin. But we can easily track the POST requests sent from the current configuration of my application in the network logs.
So how can I send my data from the app to the AWS Lambda function in a secure way?
I read about SSL pinning in the HTTP plugin, but is this the only way to approach the issue?
The problem with encrypting in the app is that it's not that hard to reverse engineer it to see how it is done.
It's a little harder to crack if you get a key from the server at login (or daily) and use this for encrypting.
https://ionicframework.com/docs/native/aes256/
I am pretty sure you can find other pre-made modules. Otherwise make your own. Hackers hate custom design.
And by the way, use HTTPS communication to be sure it's actually you the app is talking to.
I currently have a website hosted on Pages, a Cloudflare service that is used to host frontend websites. This service does not allow me to execute code in the backend.
I am currently trying to implement a contact form and need to receive the messages on my personal email when someone fills out the form and submits it. To do this, I have created a lambda function on AWS and exposed it through an HTTPS URL.
The JavaScript on my frontend sends an HTTPS post request to the lambda function with the message, and this lambda function publishes the message to a SNS topic where my email is subscribed.
In the lambda function, I have set CORS to only accept HTTPS requests from my domain name. However, an attacker could potentially fake the headers of the HTTPS request, obtain the lambda URL from the source code of my website, and start calling the lambda function.
What can I do to secure the lambda function and ensure that it only accepts HTTPS requests made by the frontend of my website?
Thanks!
I have been considering moving my frontend to a serverless service like AWS Amplify, but I am not sure how to secure the calls to my lambdas since the JavaScript on my website in the user's browser is making the calls.
You can't.
HTTP is a stateless protocol. Similarly, you can't do this for any other web service (Lambda or not).
JavaScript applications run in the client's browser, so any user can inspect your application, search for any hard-coded keys, and use those to craft an API request using curl, or an HTTP library in any programming language. Clients are insecure by design.
If you want to protect your Lambda Function against unauthorized API calls, you'll need to Authenticate and Authorize your Users (here's a primer). This means you'll need to implement User Create/Login/Logout, issue cookies, and authenticate & authorize each request.
In Lambda specifically, this can be done with AWS Cognito, Auth0, or others combined with API Gateway, using a Lambda Authorizer - or implemented directly in your function.
Identity & Access Management is an entire sub-discipline in web application development, so there's a lot to learn here. I'd suggest starting with any popular library in the language of your choice, and learning from there.
Actually, Cloudflare Pages does let you execute server-side code, using Pages functions. You could use a function for taking in the form data, for example, and MailChannels integration for sending. There is also a Discord Server where you can learn how to do many things with Cloudflare Pages, both frontend and backend.
I have, as the title says, a JS/Python/PostgreSQL app that I would like to deploy using AWS. I feel as though I could figure out deployment of the 3 pieces as separate, discrete entities, but what I haven't been able to figure out/understand is how the 3 pieces will communicate once they are live.
The site will be a lightly trafficked one where only I can add resources to the db. Additionally, what AWS services would you recommend for hosting each part?
Thanks kindly. And please let me know if I can provide any more helpful info.
One service that you can look at would be AWS Lightsail, which can spin up your application and connect to your database and is designed for hosting such applications.
Another way would be to have your Python app send requests to an AWS Lambda using API Gateway, and the Lambda executes your SQL command and returns the data. These are 2 ways; one more service you can explore is AWS Amplify, which can do the same as well.
I've been searching for 2 days and I'm still not sure what I'm supposed to do.
What I currently have is an authentication flow which uses php to search a database to validate the correct userID and password from an user.
However I want to alter this authentication to use "Amazon Cognito User Pools", even though there is a PHP SDK this specific feature (still in beta) doesn't seem to exist for it yet. The examples and sdks that this can currently handle are Mobile (iOS, Android) and Web (JavaScript).
So I have to authenticate as if I was doing a web app (with JavaScript).
To do so I thought I had to replace the authentication PHP file, where it checks the database, to use this JavaScript authentication instead.
As far as I know, PHP files don't just execute JavaScript in the middle of a script, but instead render it into the resulting HTML webpage, which the client browser then executes. This would weaken the security and is also not what I want.
So my second idea was to make the PHP call a RESTful request to the same server but a different file. Then that file would be a JavaScript function which authenticates, does everything required and returns the result; then the PHP file would have the result and I can continue with the normal flow.
Now this seems very strange and kind of wrong, because for my server to use JavaScript files that consume RESTful requests it seems I need to install and run Node.js as well.
Is this really the correct approach?
Actually you can implement your own wrapper for this, because that kind of thing is based on GET or POST requests on the server side. If you have some library that can make POST and GET requests in PHP, for example with curl, you can have a look at their authentication flow and implement your own. Flow link below.
Authentication Flow
So I've got a web API for my (JavaScript) web app. The app is wrapped in Cordova and distributed on iOS and Android.
I would prefer to keep the data access limited (keep third parties from using my API). But how would I do this? I do not require (nor want) the user to create an account so the app itself must somehow verify that its the app sending the request, and not someone else.
But how?
I would prefer to keep the data access limited (keep third parties from using my API). But how would I do this?
...
the app itself must somehow verify that its the app sending the request, and not someone else.
...
But how?
What you're asking for is not possible. It's also the wrong problem to solve.
Further reading: Client Authenticity is not the Server's Problem
You can't be 100% sure, but you can make the reverse engineers work for it.
Use TLS so they can't easily watch your protocol with a sniffer.
Don't just use a single API key; make the key a function of a variety of values spread through the app along with actual user data.
Consider using the TLS key sent by the server as part of the API key function so everything mysteriously breaks if they MITM the TLS.
Use meaningless field names in the API.
Push out updates frequently that change the API system.
I've worked a bit with the Twitter web API; I know it works with OAuth, and I've consumed the API using a Python library. I've also tried a bit of the Instagram API using a small JavaScript library.
I know those perform web REST requests in the background, authenticating first and then querying requests as I code.
However, what if I want to perform the requests using jQuery $.ajax from a web application?
I've read some docs and sites and it seems it's possible. Like only AJAXing to the API routes, starting with the authentication route.
But, how does this process work? I mean, I query by AJAX to the auth route and then how do I keep track of that authentication. How to keep that communication? Will the redirect URL play its role then?
Reading this site for Instagram API I start getting a clue about it, but got the doubts mentioned above.
I want to perform all AJAX requests in the JavaScript server background (I'm using Node.js), assuming I will provide my app's OAuth in the $.ajax. Is that OK, or can I actually code it on the client side keeping my OAuth tokens safe?
And, if it's a concern of this same question, when it comes to bytes (pictures, sound, etc.), how do I catch the response from the API?
Okay, if I understand what you are trying to do, it is to make an Ajax call from a web page to the Twitter API and post/retrieve tweets and other info from Twitter.
Since the release of API v1.1, Twitter has deprecated the v1.0 API, and one of the major changes in 1.1 was Authentication Required on all Endpoints.
And to do this from JavaScript and jQuery is quite possible (albeit very cumbersome and difficult, and it requires the use of many 3rd-party JS libraries to HMAC-hash your data and keys and calculate content lengths on the client side before making your request). The Twitter API does not support CORS but does support JSONP for these kinds of Ajax requests. But this is not recommended, since doing this on the client side will require you to have your Twitter App Access Keys (private keys) embedded in your script files, which is basically a big NO-NO. And hence a server-side solution to generate your OAuth tokens is recommended. But once you have achieved that, it may be easier to get the token in your script and make Ajax calls using that from the browser. But I haven't gone that far in my research.
Also, this is based off of my research in Mid 2013 when my Twitter Ajax widgets stopped working because of this change and I gave up trying to fix it using that route after I realized it would compromise my security keys. Things may have changed since then.
If you are still interested to find a solution, this walkthrough would be a good place to start learning about Twitter's oAuth and how the Access Tokens are generated: https://dev.twitter.com/docs/auth/oauth