-1

I'm building a Phonegap mobile application in which I want the users to be able to check into locations. I can get the users location and post it to my API and all of that's working. What I'm looking for is some way to prevent spoofing the call to the API.

My current thinking is that I could have a shared private key in the mobile app and on the server. I would then hash(?) the users location with that key client side, post that, and then use the same key server side to restore the data.

jdehlin
  • 8,485
  • 3
  • 18
  • 33
  • Once somebody finds the private key, the jig's up! – Pointy May 14 '13 at 22:40
  • That's my concern. I'm not convinced that the key would be secure client side. I'm hoping someone else has a smarter idea than my admittedly naive mechanism. – jdehlin May 14 '13 at 22:51
  • 1
    Also, similar question a out key storage on andriod: http://stackoverflow.com/questions/3339870/android-secure-storage – nathan-m May 14 '13 at 23:05

1 Answers1

1

It's very difficult to completely secure a piece of software that must run on the end users device if they have full access to the device.

Usually the primary concern for security is securing the end user from external threats.

Ensure that you are using SSL/HTTPS, this will slow down either type attacker. Also ensure your server wont respond on Plain http.

You can harden your HTTPS implementation by keeping a hash of the certificate and having a strategy for when it changes. eg. if someone is trying to MITM on their own network to view the protocol, or rather mundanely if your certificate was expiring and you renewed it.

With the channels of communication "secured", and no way to prevent an attacker full access to your source code and encryption keys; the only way left is obfustication.

Basically, set up one or two layers of protection (depending on how critial it is), and then build a detection mechanism in to the API endpoint to alert you to hacking attempts.

nathan-m
  • 8,887
  • 2
  • 16
  • 29