
Best practice for communication between app and server when using PhoneGap/Cordova

I'm working on a PhoneGap project using Ionic. It's basically a chat app, so I need the user to be able to register, log in and send messages using a backend API on my server. Naturally this needs to be secure, so I'm wondering what the best way to securely communicate with an API endpoint is when using AngularJS and PhoneGap.

Ideally, it should not require a server cert, as currently I don't have the funds to purchase one. In previous projects, I used a method where each account was assigned an ID, and a hash consisting of a secret + their ID, which had to be included with each request to ensure that the user couldn't forge requests from another ID, however I don't know how secure this method is.

Any tips, suggestions or reading material would be really appreciated. I understand this question sounds subjective, so if possible please answer based on facts, security disclosures and any documentation on methods.

I know the solution to all your needs and it is called Firebase.

How your requirements will be met by Firebase:

  1. You are using Ionic to build your hybrid app (you are cool!) and that means AngularJS. Firebase has the perfect library called AngularFire, that uses AngularJS to interact with the Firebase servers.

  2. You are building a chat app, awesome! Firebase has real time syncing between your app and database. That is a lot of work saved for you by Firebase (Claps). You need to register users, Firebase has super easy user register management (both OAuth and manual registration).

  3. Security! It is super important and Firebase has you covered even here. Implementing user level security is super simple using some simple JSON format security rules. I will quote this from the site: "The safety and security of your data is our top priority. Firebase requires 2048-bit SSL encryption for all data transfer and allows you to restrict reading and writing via granular access controls and custom authentication. All data is replicated and backed up to multiple secure locations."

  4. It is free (up to some level. Do some research about it, I am not sure).

  5. Your basic id + hash security measure is not bad, but at the same time not perfect or dependable. Firebase has you covered here through simple login and read/write rules as well as some closed-source security.
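The ID + hash scheme from the question, set beside a per-request HMAC, as an added example that is not code from the question, the answer or Firebase. All names and values are constructed, and it assumes the per-user key reaches the app at login over a protected channel.

```javascript
const crypto = require('crypto');

const SERVER_SECRET = 'constructed-server-secret'; // assumption: one server-side secret
const MAX_SKEW_MS = 5 * 60 * 1000;                 // assumption: 5-minute freshness window

// Scheme from the question: one fixed value per account, hash(secret + id).
function staticToken(userId) {
  return crypto.createHash('sha256').update(SERVER_SECRET + userId).digest('hex');
}
function verifyStatic(userId, token) {
  return token === staticToken(userId);
}

// Hardened variant: per-user key, MAC computed over the request itself plus a timestamp.
function userKey(userId) {
  return crypto.createHmac('sha256', SERVER_SECRET).update('user-key:' + userId).digest();
}
function canonical(req) {
  // A JSON array keeps the field boundaries unambiguous.
  return JSON.stringify([req.userId, req.method, req.path, req.body, req.ts]);
}
function signRequest(key, req) {
  return crypto.createHmac('sha256', key).update(canonical(req)).digest('hex');
}
function verifyRequest(req, sig, now) {
  if (typeof sig !== 'string' || Math.abs(now - req.ts) > MAX_SKEW_MS) return false;
  const expected = Buffer.from(signRequest(userKey(req.userId), req), 'hex');
  const given = Buffer.from(sig, 'hex');
  // Constant-time comparison; the length check guards timingSafeEqual.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Constructed request used to compare what each check accepts.
function demo() {
  const now = 1700000000000;
  const sent = { userId: '42', method: 'POST', path: '/messages',
                 body: '{"to":"7","text":"hi"}', ts: now };
  const sig = signRequest(userKey('42'), sent);
  const altered = { ...sent, body: '{"to":"7","text":"changed"}' };
  return {
    staticValidForAnyRequest: verifyStatic('42', staticToken('42')), // never sees the body
    signedOriginal: verifyRequest(sent, sig, now),
    signedAltered: verifyRequest(altered, sig, now),
    signedStale: verifyRequest(sent, sig, now + MAX_SKEW_MS + 1),
  };
}
console.log(demo());
```

A signed request replayed unchanged inside the freshness window is still accepted unless the server also remembers recently seen signatures or nonces. Neither scheme hides message content, which is what transport encryption provides.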
