Reputation: 10818
I'm developing a client-server app; the client is an iPhone device that communicates with my C# server. The client and server use a textual protocol that I have designed to exchange messages over TCP sockets. Can someone please give me some guidelines on how to add basic security to this app? At the moment the only security element I have is client authentication with a login username and password. But, for example, anybody can see and read the messages sent between client and server without any problem...
Upvotes: 1
Views: 783
Reputation: 67019
In the mobile environment the user of the application has more control over the device than you do as a developer. There is no way to hide a secret password or key. You must account for a malicious client, so be careful about the functionality that you expose.
Sending the username and password in plain text is a violation of OWASP A9. You should consider using SSL/TLS or HTTPS.
Upvotes: 2
Reputation: 211
Have you looked at OpenSSL? SSL is a cryptographic protocol that provides secure communication. SSL will prevent others from listening in on the stream between your client and server.
One more thing you should do is validate all server input, to prevent executing malicious code on your server. For example, if you have a database where you store user input, you should take a look at SQL injection.
Upvotes: 1
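The two answers above both recommend wrapping the existing TCP protocol in SSL/TLS, and the second one adds input validation and SQL injection. The following is an added example that is not part of the question or either answer: a minimal C# server that keeps the asker's line-based textual protocol but terminates TLS with SslStream, bounds and checks the client's input before using it, and looks the user up with a parameterized query rather than string concatenation. Everything about the environment is assumed for illustration: the certificate file "server.pfx" and its password, port 5000, a "LOGIN <user> <password>" first line, a "users" table with username, salt and password_hash columns, and PBKDF2 as the stored-password scheme (none of these appear on the page).

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example, not code from the original question or answers.
// Assumed: certificate + private key in "server.pfx", a line-based protocol whose first
// line is "LOGIN <user> <password>", and a "users" table (username, salt, password_hash).
class SecureLineServer
{
    const string ConnectionString = "Server=.;Database=app;Integrated Security=true";

    static void Main()
    {
        var cert = new X509Certificate2("server.pfx", "pfx-password");
        var listener = new TcpListener(IPAddress.Any, 5000);
        listener.Start();
        while (true)
        {
            // One client at a time keeps the example short; a real server would thread this.
            using (TcpClient client = listener.AcceptTcpClient())
                HandleClient(client, cert);
        }
    }

    static void HandleClient(TcpClient client, X509Certificate2 cert)
    {
        // SslStream wraps the plain TCP stream: after AuthenticateAsServer every byte of
        // the existing textual protocol is encrypted, so a sniffer sees only ciphertext.
        using (var ssl = new SslStream(client.GetStream(), false))
        {
            try
            {
                ssl.AuthenticateAsServer(cert, false, SslProtocols.Tls12, false);
            }
            catch (AuthenticationException e)
            {
                Console.WriteLine("TLS handshake failed: " + e.Message);
                return;
            }

            var reader = new StreamReader(ssl, Encoding.UTF8);
            var writer = new StreamWriter(ssl, Encoding.UTF8) { AutoFlush = true };

            // Treat the client as hostile (it is the user's device, not yours): bound the
            // line length and check its shape before any of it reaches the database.
            string line = reader.ReadLine();
            if (line == null || line.Length > 256) { writer.WriteLine("ERR"); return; }
            string[] parts = line.Split(' ');
            if (parts.Length != 3 || parts[0] != "LOGIN") { writer.WriteLine("ERR"); return; }

            writer.WriteLine(CheckLogin(parts[1], parts[2]) ? "OK" : "FAIL");
        }
    }

    // Parameterized query: the username is bound as data, never pasted into the SQL text.
    // The injectable form would be  "... WHERE username = '" + user + "'"  where a
    // username of  x' OR '1'='1  rewrites the query and matches every row.
    static bool CheckLogin(string user, string password)
    {
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(
            "SELECT salt, password_hash FROM users WHERE username = @u", conn))
        {
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 64).Value = user;
            conn.Open();
            using (SqlDataReader row = cmd.ExecuteReader())
            {
                if (!row.Read()) return false;                 // unknown user
                var salt = (byte[])row["salt"];
                var stored = (byte[])row["password_hash"];
                // Assumed storage scheme: PBKDF2-HMAC-SHA1, 10000 iterations, 32-byte output.
                byte[] computed;
                using (var kdf = new Rfc2898DeriveBytes(password, salt, 10000))
                    computed = kdf.GetBytes(32);
                return FixedTimeEquals(computed, stored);
            }
        }
    }

    // Constant-time comparison so response timing does not leak how many bytes matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The protocol itself is unchanged; only the transport is wrapped, which is why this is a cheap retrofit. The iPhone client has to start TLS on its side as well (for a raw socket, by enabling SSL on the CFStream/NSStream it already uses) and must verify the server's certificate, otherwise an attacker on the network can still stand in the middle. A self-signed certificate is fine for testing as long as the client checks for that specific certificate rather than accepting any. Note the password check runs entirely on the server; as the first answer says, nothing stored in the app on the phone can be kept secret from its user.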