John Doe

Reputation: 1025

Parse.com REST API authentication

Parse.com's REST API docs (https://www.parse.com/docs/rest) say: Authentication is done via HTTP headers. The X-Parse-Application-Id header identifies which application you are accessing, and the X-Parse-REST-API-Key header authenticates the endpoint. In the examples with curl that follow, the headers are stored in shell variables APPLICATION_ID and REST_API_KEY, so to follow along in the terminal, export these variables.

I am building a Sencha Touch app as a native app on iOS and Android using PhoneGap, and I was wondering whether it is secure to expose these keys to the client while making the REST calls?

Also, can someone explain to me how security works in this scenario? Help is much appreciated! Thanks!

Upvotes: 0

Views: 584

Answers (1)

Robert Rowntree

Reputation: 6289

Without PhoneGap, in a ProGuard post-processed Android APK, the string values of the 2 headers you mention are exposed client-side. Not a big issue. TLS covers the HTTP header values during the network leg and, far more important for app security, you have full ACL at the DB row level (Parse/Mongo) contingent on permissions of 'current user()'. So with no access to logon, some outsider doesn't have any more than an obfuscated string value to an app-level access token.

One odd thing is that with Parse the lease time on the client-side token value for the API key is permanent rather than, say, a month.

Parse REST security is robust and well executed.

Can't speak to what the PG framework offers in the obfuscate/minify/uglify area, but you should check that.

Upvotes: 0
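
The answer's point about row-level ACLs, as an added example that is not from the answer or from Parse: a simplified model of Parse-style per-object ACL evaluation that lists which rows are reachable by someone holding only the Application ID and REST API key. The object ids, user ids and the treatment of a missing ACL as open to everyone are assumptions of this model.

```javascript
// Simplified model of Parse-style object ACL checks (illustrative, not Parse's code).
// ACL JSON shape: keys are a user objectId, "*" (public) or "role:<name>";
// values are { read: true } and/or { write: true }.
const PUBLIC = "*";

// requester: { userId: string|null, roles: string[] }
// userId is null when a request carries only the app-level keys, no session.
function isAllowed(acl, requester, op) {
  // Assumption of this model: a row with no ACL is open to everyone.
  if (acl == null) return true;
  const principals = [PUBLIC];
  if (requester.userId) {
    principals.push(requester.userId);
    for (const r of requester.roles || []) principals.push("role:" + r);
  }
  return principals.some((p) => acl[p] !== undefined && acl[p][op] === true);
}

// Someone who extracted the two header values from the app, with no login.
const KEYS_ONLY = { userId: null, roles: [] };

// Return the rows (and operations) reachable with the embedded keys alone.
function auditExposure(objects) {
  return objects
    .map((o) => ({
      objectId: o.objectId,
      read: isAllowed(o.ACL, KEYS_ONLY, "read"),
      write: isAllowed(o.ACL, KEYS_ONLY, "write"),
    }))
    .filter((f) => f.read || f.write);
}

// Constructed sample rows (hypothetical ids).
const SAMPLE = [
  { objectId: "note1", ACL: { u_alice: { read: true, write: true } } },
  { objectId: "post1", ACL: { "*": { read: true }, u_alice: { write: true } } },
  { objectId: "cfg1", ACL: { "role:Admins": { read: true, write: true } } },
  { objectId: "tmp1" }, // no ACL set: the case to look for in an audit
];

const alice = { userId: "u_alice", roles: [] };
console.log(auditExposure(SAMPLE)); // rows exposed to a keys-only caller
console.log(isAllowed(SAMPLE[0].ACL, alice, "write")); // owner access
```

Rows reported by `auditExposure` are the ones whose protection does not depend on a logged-in user, so they are the ones to review before shipping keys inside the app.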
