I'm starting a new project in the coming weeks but I have some questions related to the "design" of the app.
The app will be a server + database that talks to an Android app that also has its own database (for offline use).
The connection will be used to exchange strings that are encrypted with a custom "protocol" (game network protocol encapsulated in TLS). This means that the app would have two layers of security:
My questions are the following:
(I read there were some issues with the format of the certs that was different in Java and Node.js. It was related to OpenSSL and the EVP_BytesToKey function)
--> Encrypt with Node.js Crypto module and decrypt with Java (in Android app)
--> http://olabini.com/blog/tag/evp_bytestokey/
(I don't want the decryption source-code to be visible for users to dissect the custom protocol and start developing hacks.)
(I heard some people talking about Nginx proxies, but since I'm not serving webpages does it still make sense ? Wouldn't it overload the server ?)
Thank you a lot in advance!
(In)security through obscurity does not solve the real security problems you face. What you are describing is not how games protect themselves from attack. SSL/TLS does protect against MITM attacks, however your attacker isn't just a MITM, he is a user of your software. If the app can make the SSL/TLS connection, then the attacker can also make this connection, and you should assume that the attacker will always have full access to the API you provide.
Cryptography cannot solve CWE-602: Client-Side Enforcement of Server-Side Security. A database merge between the client's offline database and the server is trusting the client's data, and therefore a violation of CWE-602. In this attack the attacker doesn't need access to the API, he could just modify the SQLite database locally.
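The CWE-602 point from the answer above, as an added example that is not part of the question or the answer: a Node.js-style sync handler that treats the client's offline database as untrusted input, accepting only fields the client is allowed to own and recomputing server-owned values from events the server can check. The player ids, the `LEVEL_REWARD` table and the field names are constructed assumptions, not anything from the original post.

```javascript
// Added example: server-side merge of a client's offline record that does not
// trust the client's copy of server-owned data (CWE-602). All sample values below
// are constructed for illustration.

// Fields the client is allowed to propose. Everything else (coins, progress) is
// server-owned and is never copied from the client's SQLite database.
const CLIENT_WRITABLE = new Set(['displayName']);
const MAX_NAME_LEN = 16;
// Hypothetical reward table: what each completed level is worth, decided server-side.
const LEVEL_REWARD = { 1: 10, 2: 10, 3: 25 };

// Merge one client sync request into server state. Returns the new record and the
// list of client-supplied fields/events that were rejected, for logging/alerting.
function applyClientSync(state, playerId, clientRecord, events) {
  const current = state[playerId];
  if (!current) return { ok: false, reason: 'unknown player' };
  const next = { ...current };
  const rejected = [];

  // 1. Accept only whitelisted fields, and validate each one before storing it.
  for (const [field, value] of Object.entries(clientRecord)) {
    if (!CLIENT_WRITABLE.has(field)) { rejected.push(field); continue; }
    if (typeof value !== 'string' || value.length === 0 || value.length > MAX_NAME_LEN) {
      rejected.push(field);
      continue;
    }
    next[field] = value;
  }

  // 2. Re-derive server-owned values from events instead of trusting client totals.
  //    A level pays out once; a replayed or duplicated event earns nothing extra.
  for (const ev of events) {
    if (ev.type === 'level_complete' && LEVEL_REWARD[ev.level] !== undefined) {
      if (!next.completedLevels.includes(ev.level)) {
        next.completedLevels = [...next.completedLevels, ev.level];
        next.coins += LEVEL_REWARD[ev.level];
      }
    } else {
      rejected.push(`event:${ev.type}`); // unknown or forbidden event type
    }
  }

  state[playerId] = next;
  return { ok: true, record: next, rejected };
}

// Constructed sample: the client claims 999999 coins and a bogus grant event.
const serverState = { player42: { displayName: 'old', coins: 100, completedLevels: [1, 2] } };
console.log(JSON.stringify(applyClientSync(serverState, 'player42',
  { displayName: 'neo', coins: 999999 },
  [{ type: 'level_complete', level: 3 }, { type: 'grant_coins', amount: 5 }])));
```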