Reputation: 1581
RabbitMQ security in mobile app
I am using Rabbit MQ broker in one of mobile apps that we are developing, I am bit puzzled about security aspects. we are using cloud hosted rabbitmq and hosting platform has given us user name and password (which have been changed since) and we are using SSLconnection so not so much worried about MIM or eavesdropping.
my concern is anybody who knows host and port can make connection to rabbitmq, since we have mobile app we are storing rabbitmq user name and password on device (although encrypted) so I guess that anybody who gets physical access to device and somehow decrypts username password can login to rabbitmq, and once you are logged in you can pretty much do anything on rabbitmq like deleting queues etc.. How are MQ like Rabbitmq used in mobile environment. Is there a better / more secure way of using rabbitmq.
Upvotes: 2
Views: 3361
Answers (1)
Reputation: 72868
In my experience, it is best to not have your mobile app connect to rabbitmq directly. Use a web server in between the app and RabbitMQ. Have your mobile app connect to your web server via HTTP based API calls. The web server will connect to RabbitMQ, and you won't have to worry about the mobile app having the connection information in it.
There are several advantages of this, on top of the security problem:
- better management of RabbitMQ connections
- easier to scale number of mobile users
- ability to add more logic and processing to the back-end, as needed, without changing the mobile app
creating a connection to RabbitMQ is an expensive operation. It requires a TCP/IP connection. once that connection is open it stays open until you close it. if you open a connection from your mobile app and leave it open, you are reducing the number of available connections to RabbitMQ. if you open and close the connection quickly, you are inducing a lot of extra cost in creating and closing the connections constantly.
with a web server in the middle, you can open a single connection and have it manage multiple mobile devices. the web server will handle the http requests and use the one connection to rabbitmq to push messages to it.
since an HTTP web request is a short-lived connection, you'll be able to handle more users in a short period of time, than you would with direct rabbitmq connections.
this ultimately leads to better scalability as you can add another web server to handle thousands more mobile app instances, while only adding 1 new RabbitMQ connection.
this also lets you add middle-tier logic inside of the web server. you can add additional layers of processing as needed, without changing the mobile app. change the web server code and redeploy as needed.
if you must do this without a server in the middle, you likely won't be able to get around the security issue that you're having. the mobile device will contain the necessary information to make the connection.
Upvotes: 6
Related Questions
- RabbitMQ Over SSL
- Using and securing rabbitmq mqtt websocket and use it in browser
- RabbitMQ Management Over HTTPS and Nginx
- RabbitMQ + C# + SSL
- How to configure RabbitMQ client to use SSL?
- Best practices for securing MQTT access from mobile applications?
- How to use SSL with AppDynamics RabbitMQ Monitoring Plugin
- How to secure messaging system like RabbitMQ/MQTT for use in a mobile application?
- rabbitmq-management plugin HTTP API - Security concerns
- RabbitMQ - security/authentication