
TLS - Node.js server to Android app

I'm starting a new project in the coming weeks but I have some questions related to the "design" of the app.

The app will be a server + database that talks to an Android app that also has its own database (for offline use).

The connection will be used to exchange strings that are encrypted with a custom "protocol" (game network protocol encapsulated in TLS). This means that the app would have two layers of security:

  1. TLS -> against MitM attacks
  2. Custom protocol -> against "in-game hacks", like game packet tampering

My questions are the following:

  • Is it possible to use TLS between node.js and Android? Are there any good links on that subject?

(I read there were some issues with the format of the certs that was different in java and node.js. It was related to OpenSSL and the EVP_BytesToKey function)

--> Encrypt with Node.js Crypto module and decrypt with Java (in Android app)

--> http://olabini.com/blog/tag/evp_bytestokey/

  • Is there a way of obfuscating the source code of the Android app so that the custom "protocol" can be decrypted client-side safely? Or should all the magic take place server side?

(I don't want the decryption source-code to be visible for users to dissect the custom protocol and start developing hacks.)

  • Any tips or links on increasing the security of my node.js server in general?

(I heard some people talking about Nginx proxies, but since I'm not serving webpages does it still make sense? Wouldn't it overload the server?)

Thank you a lot in advance!

Security through obscurity does not solve the real security problems you face. What you are describing is not how games protect themselves from attack. SSL/TLS does prevent MITM attacks, however your attacker isn't just a MITM, he is a user of your software. If the app can make the SSL/TLS connection, then the attacker can also make this connection, and you should assume that the attacker will always have full access to the API you provide.

Cryptography cannot solve CWE-602: Client-Side Enforcement of Server-Side Security. A database merge between the client's offline database and the server is trusting the client's data, and therefore a violation of CWE-602. In this attack the attacker doesn't need access to the API, he could just modify the sqlite database locally.
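An added example, not code from the answer or from the project described: the CWE-602 merge the answer warns about, written as a Node.js server-side function in two shapes. The vulnerable one copies the client's uploaded snapshot into the server record; the hardened one accepts only the actions the client took offline and replays them against the server's own copy, enforcing every rule on the server. The game rules (gold, a two-item catalogue, buy/sell) and the sample tampered traffic are assumptions for illustration.

```javascript
'use strict';

// Server-authoritative price list. The Android app may cache a copy, but
// only this one is trusted. (Values are made up for the example.)
const CATALOGUE = Object.freeze({ sword: 50, potion: 10 });

// Fresh server-side record for one player (what the server DB would hold).
function newPlayer() {
  return { gold: 100, inventory: {}, lastSeq: 0 };
}

// --- Vulnerable shape (CWE-602): the client uploads its whole offline
// SQLite state and the server overwrites its record with it. TLS protects
// these bytes in transit, but the player who edited the local database is
// the sender, so TLS changes nothing here.
function mergeTrustingClient(serverState, clientSnapshot) {
  return {
    ...serverState,
    gold: clientSnapshot.gold,
    inventory: { ...clientSnapshot.inventory },
  };
}

// --- Hardened shape: the client uploads the actions it took offline and the
// server replays them against its own copy, checking each rule itself.
// Returns { ok: true } or { ok: false, reason }, and only mutates `state`
// after every check for that action has passed.
function applyAction(state, action) {
  if (!Number.isInteger(action.seq) || action.seq !== state.lastSeq + 1) {
    return { ok: false, reason: 'bad sequence number' };
  }
  const price = CATALOGUE[action.item];
  if (price === undefined) return { ok: false, reason: 'unknown item' };
  if (!Number.isInteger(action.qty) || action.qty <= 0) {
    return { ok: false, reason: 'bad quantity' };
  }
  const owned = state.inventory[action.item] || 0;
  switch (action.type) {
    case 'buy':
      if (state.gold < price * action.qty) {
        return { ok: false, reason: 'insufficient gold' };
      }
      state.gold -= price * action.qty;
      state.inventory[action.item] = owned + action.qty;
      break;
    case 'sell':
      if (owned < action.qty) return { ok: false, reason: 'not owned' };
      state.gold += price * action.qty;
      state.inventory[action.item] = owned - action.qty;
      break;
    default:
      return { ok: false, reason: 'unknown action' };
  }
  state.lastSeq = action.seq;
  return { ok: true };
}

// The resulting state is computed on the server, never copied from the client.
function mergeReplayingActions(serverState, actions) {
  const state = {
    gold: serverState.gold,
    inventory: { ...serverState.inventory },
    lastSeq: serverState.lastSeq,
  };
  const rejected = [];
  for (const action of actions) {
    const result = applyAction(state, action);
    if (!result.ok) {
      // Later actions were computed by the client on top of this one, so
      // stop here rather than guess; the client re-syncs from server state.
      rejected.push({ seq: action.seq, reason: result.reason });
      break;
    }
  }
  return { state, rejected };
}

// Constructed sample: the same tampered client, sent both ways.
const TAMPERED_SNAPSHOT = { gold: 999999, inventory: { sword: 50 } };
const TAMPERED_ACTIONS = [
  { seq: 1, type: 'buy', item: 'potion', qty: 2 }, // legitimate: 100 -> 80 gold
  { seq: 2, type: 'buy', item: 'sword', qty: 5 },  // costs 250, player has 80
];

console.log(JSON.stringify(mergeTrustingClient(newPlayer(), TAMPERED_SNAPSHOT)));
console.log(JSON.stringify(mergeReplayingActions(newPlayer(), TAMPERED_ACTIONS)));
```

The per-action sequence number is there so a client cannot replay or reorder its own history; what it does not do is prove the action happened, which is why every rule (price, balance, ownership) is re-evaluated from server state rather than read from the upload.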
