I am a Developer Advocate for Security in Mobile Apps and APIs at approov.io.
Another passion is the Elixir programming language that was designed to be concurrent, distributed and fault tolerant.
Location
Scotland
Education
Self-taught Developer
Work
Developer Advocate for Mobile and API Security at approov.io
My congratulations for this very well accomplished and detailed article.
In your docs:
A final note: It is recommended to setup HTTPS and SSL in your server, to avoid man-in-the-middle attacks, but Parse works fine as well with non-HTTPS connections.
If I am allowed, and in the context of Mobile Apps, I would like to call attention to this note.
Implementing HTTPS does not completely avoid a MitM attack, it just makes it hard to accomplish, because users can be tricked into installing an attacker-supplied SSL certificate or a mobile app that contains malicious code in the form of an instrumentation framework, like Frida or Xposed. Attackers normally do this with captive portals for free Wi-Fi in public spaces, through social engineering or by publishing malicious apps in the app store.
So I would recommend the use of certificate pinning to protect against MitM attacks, which raises the bar to perform a MitM attack.
I say it raises the bar, because an attacker can use the already mentioned instrumentation frameworks to hook at run-time into the mobile app and bypass the certificate pinning protection.
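To make the pinning recommendation above concrete, here is an added example (not code from the article, the Parse SDK, or the commenter) showing what a certificate pin actually is and how the check is performed: the app hashes the DER-encoded SubjectPublicKeyInfo (SPKI) of the server's leaf certificate and accepts the connection only if the base64 SHA-256 value is in a pin set compiled into the app. This is the same pin format used by OkHttp's CertificatePinner and Android's network security configuration. Because no real certificate is embedded here, the block also contains a constructed `build_fake_cert` helper that produces a certificate-shaped DER structure with dummy fields around a sample SPKI; the DER helpers, `SAMPLE_SPKI` and all field contents are assumptions made for the example.

```python
import base64
import hashlib

# --- Minimal DER helpers (constructed for this example, not a full ASN.1 library) ---

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with definite-length encoding (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read_tlv(buf: bytes, pos: int):
    """Decode the TLV starting at buf[pos]; return (tag, content, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


# --- The pinning logic itself ---

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert, _ = der_read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tag, tbs, _ = der_read_tlv(cert, 0)
    assert tag == 0x30, "TBSCertificate must be a SEQUENCE"
    pos = 0
    tag, _, nxt = der_read_tlv(tbs, pos)
    if tag == 0xA0:            # explicit [0] version is optional (absent in v1 certs)
        pos = nxt
    for _ in range(5):         # skip serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read_tlv(tbs, pos)
    start = pos
    tag, _, end = der_read_tlv(tbs, pos)
    assert tag == 0x30, "SubjectPublicKeyInfo must be a SEQUENCE"
    return tbs[start:end]      # keep the outer SEQUENCE header: pins hash the whole SPKI


def pin_of_spki(spki_der: bytes) -> str:
    """base64(SHA-256(DER SPKI)): the value you put in the app's pin set."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def spki_pin(cert_der: bytes) -> str:
    """Pin of the certificate's public key, as a client would compute it at handshake time."""
    return pin_of_spki(extract_spki(cert_der))


def verify_pinned(cert_der: bytes, pins: set) -> bool:
    """Fail closed: the leaf certificate is accepted only if its SPKI pin is in the set.
    Note that this check runs inside the app, so a runtime hook (Frida, Xposed) that
    patches this function is exactly the bypass described in the comment above."""
    return spki_pin(cert_der) in pins


# --- Constructed test data: certificate-shaped DER with dummy fields ---

def build_fake_cert(spki_der: bytes, with_version: bool = True) -> bytes:
    """Assumption: a stand-in for a server certificate with real structure, dummy contents."""
    fields = []
    if with_version:
        fields.append(der_tlv(0xA0, der_tlv(0x02, b"\x02")))   # [0] EXPLICIT version v3
    fields.append(der_tlv(0x02, b"\x01"))                      # serialNumber
    fields.append(der_tlv(0x30, b""))                          # signature AlgorithmIdentifier
    fields.append(der_tlv(0x30, b""))                          # issuer Name
    fields.append(der_tlv(0x30, b""))                          # validity
    fields.append(der_tlv(0x30, b""))                          # subject Name
    fields.append(spki_der)                                    # subjectPublicKeyInfo
    tbs = der_tlv(0x30, b"".join(fields))
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))


# Constructed SPKI: AlgorithmIdentifier (ecPublicKey OID) + BIT STRING with sample key bytes
SAMPLE_SPKI = der_tlv(0x30,
                      der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                      + der_tlv(0x03, b"\x00\x04" + bytes(range(64))))

if __name__ == "__main__":
    server_cert = build_fake_cert(SAMPLE_SPKI)
    app_pins = {pin_of_spki(SAMPLE_SPKI)}          # baked into the app at build time
    print("pin:", spki_pin(server_cert))
    print("accepted:", verify_pinned(server_cert, app_pins))
    rogue = build_fake_cert(der_tlv(0x30, der_tlv(0x03, b"\x00" + bytes(32))))
    print("rogue accepted:", verify_pinned(rogue, app_pins))   # False: key not pinned
```

In practice you would compute the pin with OpenSSL from the real leaf or intermediate certificate and ship at least one backup pin for key rotation; the point of the block is that the check is independent of the system trust store, so a CA certificate a user was tricked into installing does not help an attacker, while a hook inside the app process still does.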
Thank you for the note Paulo! This is great advice, but from the latest updates I see it looks like this feature is not implemented in the Parse SDK, so I'm afraid that this is not possible for now:
github.com/parse-community/Parse-S...
github.com/parse-community/Parse-S...
From a security point of view certificate pinning should be treated as a first class citizen in any mobile app or SDK for a mobile app.
I hope that the weekly data breaches that occur all over the world and the GDPR fines in Europe will help to change this mindset across our industry.