Ionic + oAuth. Secure enough?


#1

Currently i’m looking at making my next project with Ionic. Basically its a simple app with mostly data retrieval from an API (probably Azure or PHP REST) but i want to add a user-component to add/update information and make the app itself also available on the web. Now i know that all of the code of ionic will then be available in the sourcecode of my webpage so i need to make sure the users cannot simply bend my app to change or remove database entries.

Possible modules to use are https://github.com/TerryMooreII/angular-azure-mobile-service and https://github.com/rheckart/angularjs-service-azuremobileservices

One of the solutions i’ve read about on the web is by using oAuth to register and login my users. By using that token i know who’s who and thus who can make what database-calls. Another would be to use PHP to sign my users in and provide a custom login or use NodeJS as a backend.
But since i’m using Angular for my client-side rendering, i need to make sure this is a safe way of doing things. Now i’m not really experienced with oAuth or NodeJS so there will be lots of trial and error on that part but if it can easily be modified to break my app or my database.

So in short: will using oAuth provide my app with enough protection to implement a user service and enable me to also run this as a website? Or do i need to rely on modifications (for either Mobile or the web-version) to increase protection and prevent abuse?

Its not that i’m making an app that needs to be bulletproof. I’m not dealing with payments and not dealing with other sensitive data but i don’t want my app to break by some scriptkiddy all because i wasn’t aware of the possible security breach.


#2

The main problem I have with Oauth(2) and JS app is that your client secret key is visible and accessible, so it’s not safe.
Maybe there is a way to save the client secret key inside the mobile with Cordova in an unreachable storage, but I don’t know how to do it.


#3

But do you need that client-key all the time? And wouldn’t a simple API call get rid of that need? Say i combine it with my API or reroute every request via a page that combines the request with my secret key (but keep it serverside), wouldn’t that solve my problem? I need to call my API anyways. Still, if you protect API well enough to not simply execute your requests but also check if the user itself is legit, wouldn’t that be enough?

One of the reasons i wanted to use Azure is that it handles my oAuth signing as you only need the application key and url to authenticate the users. It doesn’t need the client key (although i’m not sure if this app key is the same as your client key) as far as i can see. See the documentation of the two angular plugins i posted

You’ve hit the mark by the way with what i was thinking to be the key security risk


#4

How is your login working in the App?
On first request give the user a key or token that is unique and only works when userid + token +key are in the same request.
If you want your web version to be protected I would say: detect if the app is logged in from an app or the browser and in case of web store the userdata in a session and in the database and validate on each request.


#5

Hmm interesting, but then i cannot use the provided modules and need to make a custom solution. And i was trying to avoid that.


#6

oAuth is good enough for an app that doesn’t have critical data or have to meet any type of compliance (OSHA, PCI, etc). If it is critical or there is compliance I wouldn’t recommend a hybrid app at all. I’ve worked on projects where the requirements had us implementing straight C/++ via the Android NDK to meet compliance (which involved requesting and consuming Kerberos tokens with LDAP, encrypted sockets, and running off an SD card). That is probably overkill for your needs. But still, the point I am getting at is that there is little to any dev being done to provide javascript interfaces for native components that offer real security (tho Crosswalk’s SIMD looks really promising…NEON from ChromeView? yes please…) The amount of work to achieve something similar in a hybrid…well honestly I couldn’t tell you if that is an achievable goal. The scope is just overwhelming. Hybrid apps can also be decompiled to an extent where some javascript can be exposed (even with packaging, obfuscation, minimization, etc…).

To sum up, I would argue that there really shouldn’t be a high expectation of security from a hybrid app - just about as much as you would viewing a web site from an older browser in a public library (FYI the ciphers available on Android 4.2.x > are crippled but are fine in ChromeView in 4.2.x and above…in other words any encryption done in a WebView is using a broken cipher by default, you have to tell it explicitly and still, no promises cos the adversary probably has a freezer). Cold boot attacks aside I could go on and on giving you other examples but I hope you get what I am driving at. These concerns apply to native apps as much as hybrid, hybrid is just a much easier target.

But really, I don’t want to paint a bad picture here. I love hybrid app development and oAuth is great. All the big boys rely on it (Fb, Twitter, Google, etc). If you want something that “works” out of the box and are comfortable with PHP I would recommend Drupal with the modules Services and oAuth. I’ve used Drupal as a backend for a few projects in the past and it performed flawlessly (and I know Drupal is a dirty word to some but they have one of the best security squads in the FOSS space IMHO). I’m currently working on my first Ionic app with a Drupal backend using oAuth and a REST interface via Services and it’s working great.


#7

The main reason for not going native is because i don’t have the proper knowledge to do so. I’m fairly good with HTML/CSS/JS and since a few months also in AngularJS. But i only used it for projects that didn’t require authentication or where somebody else provided the signing in via cordova plugins.

Another big reason is that its a fairly simple app that shouldn’t be much time to make. It will probably take me a week or so to design, setup, style, code and test. So apart from the authentication it should be pretty easy.

I haven’t used Drupal in a while but i’ll take a look. However i found that using Azure with their Mobile Services provides a similar approach and perhaps the authentication is similar as you can also add oAuth providers (which i will do). So using either Drupal or Azure seems about the same which makes me wonder if this solution (with Azure) will be safe enough for using in both hybrid apps as normal website.


#8

I created a easy to usse lib for Headless Drupal API => ng-drupal-7-services. Maybe it is helpful for your next project. :slight_smile:


#9

Hi @catatonicrelaps,
could you share some of you oauth depending angular code? Would be interesting to see how you did it. :slight_smile: