Coronium Core security question

Hello

As I understand it, you can use the core.data.* methods from the client without any authorization token.

I assume the Coronium server has this API open by default, so if some bad guy gets my server address (from decompiled sources or using a traffic sniffer) he can run any operation: for example, delete all users/data.

So from a security perspective, could it be possible to restrict client operations:

  1. An unauthorized client can perform only register and login operations

  2. New users have access to save/read/delete data only within the scope of that user

Any thoughts on how to achieve this with Coronium?

Hi,

There are a couple things going on that protect your users, and calls in general.

#1. You want to be using a secured certificate, it’s free and fairly simple to set up, this will handle the traffic sniffing.

#2. Each server instance has a unique server key. This server key and your data are sent over the wire as a specialized encrypted request similar to how Amazon Web Services does it (using a method I will not reveal). Even if by chance someone did sniff your query (again see #1), by the time it was determined, that same request would be invalid if someone tried to reissue it.

#3. You can only delete a user with the user's unique identifier. Which means a user would need to “login” first before that can even be obtained. This requires the user's password, which is also encrypted in the database. Not even you as the developer can determine a user's password. So in essence only the user has permissions to edit and delete their own information.

#4. Use the email confirmation feature to handle valid registrations.

Generally, unless you're handling some type of payment data (which you should leave to a third party) the effort it would take to mess with your users is not going to be worth it. Also, there is no way to access the user API without the Corona client.

In the event that someone was able to compromise your setup (very unlikely) then you can regenerate the server key as a last fail-safe.

Though nothing is 100% secure in today's world, hackers tend to go for targets that will reward them financially. Leave that to a third party.

If you have any other questions, feel free to ask.

-dev

Hi,

Basically, both of your questions are already handled by the user module.

-dev

Thanks for the quick response!

I understood that deleting a user via the user API requires the unique ID. But I'm confused by the example of core.data usage:

https://develephant.github.io/coronium-core-docs/client/modules/data/#delete
core.data.delete({source="users", id="id1234"}, apiListener)

Seems like this request can be executed without login, and you can retrieve the IDs of other users via:

local params = { source = "users", page = 1, perPage = 10 }
core.data.getPage(params, apiListener)

I can't test it right now, but from the documentation it looks like I can manipulate users using core.data on the client?

Hi,

The users module uses MySQL, whereas the core.data module is Mongo. There is no access to the users through any of the database methods.

If you wanted to build your own user system, you would want to do that with a custom server-side api. The core.users module should be able to handle most needs though.

I did do another security audit and patched up a few things in the 2.3.1 upgrade/release. At this time there is no way to manipulate any user-based data except through the users module.

-dev

Hello,

I did tests myself and realized that the users module and the users table in the example have different users.

I'm interested in whether it is possible to build login via Facebook: I imagine I need to get the userId and accessToken and post them to a custom API. But on the server side I need to create my own table (i.e. myCustomUsers), and then I will see no statistics on webmin/#/users.

So finally I deleted my user from Coronium using the simulator, server address, key and scope:

local params = { db = "coronium", tbl = "cc_users", where = "1=1" }
core.mysql.delete(params, apiListener)

Can I somehow protect my users from deletion?

Hi,

That’s no longer possible with the new update: https://forums.coronalabs.com/topic/71527-coronium-core-version-231/

Additionally, it’s your responsibility to keep your server key safe.

-dev

Hi,

Also, when creating a user, you can add extra metadata which might be helpful when using Facebook Login.

https://develephant.github.io/coronium-core-docs/client/modules/users/creating/#basic-w-extra

-dev

Hi,

Unless you plan on starting with a fresh install of 2.3.1, you’ll need to follow these instructions to update your 2.3.0 install:

https://develephant.github.io/coronium-core-docs/server/updates/#230-to-231

Hope this helps.

-dev

Thanks, downloading it now

Hey, probably you want to protect ‘sys’ and ‘mysql’ databases too?

Also, I vote for a “whitelist” feature: specify a whitelist of databases that can be available from the client. It will help to keep data safe.

Sorry for a lot of messages, but you failed my security check again.
local params = { db = "mysql", tbl = "db", where = "1=1; USE coronium; delete from cc_users;" }
core.mysql.select(params, apiListener2)
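The request above gets through because the client chooses the database, table and raw where clause. As an added illustration (not Coronium's own code, and not the fix the maintainer shipped), here is the kind of server-side guard the whitelist request in this thread is asking for: it allowlists databases and tables, accepts only plain identifiers, and accepts a where clause only if it is a list of simple column = literal comparisons. The ALLOWED table and the check_request function are hypothetical names.

```lua
-- Added example, not part of Coronium Core. Guard a client mysql request
-- before it reaches the database. Field names (db, tbl, where) match what
-- the client posts in this thread; ALLOWED is a hypothetical allowlist.

-- database -> set of tables the client may touch. System databases
-- (mysql, sys, information_schema) and the coronium database holding
-- cc_users are simply absent, so they are rejected.
local ALLOWED = {
  appdata = { scores = true, profiles = true },
}

-- Plain identifiers only: blocks values such as "db; USE coronium".
local function is_identifier(s)
  return type(s) == "string" and s:match("^[%a_][%w_]*$") ~= nil
end

-- Accept only "col = 'text'" or "col = number" pieces joined by AND.
-- A bare "1=1" is rejected on purpose: the column must be a real name,
-- so a client cannot issue an unconditional delete.
local function safe_where(where)
  if type(where) ~= "string" or where == "" then return false end
  if where:find("[\r\n]") then return false end
  local normalized = where:gsub("%s+[Aa][Nn][Dd]%s+", "\n")
  for piece in (normalized .. "\n"):gmatch("(.-)\n") do
    local ok = piece:match("^%s*[%a_][%w_]*%s*=%s*%-?%d+%.?%d*%s*$")
            or piece:match("^%s*[%a_][%w_]*%s*=%s*'[^'\\;]*'%s*$")
    if not ok then return false end
  end
  return true
end

-- Returns true, or false plus a reason the request must not be executed.
local function check_request(req)
  if not is_identifier(req.db) or not ALLOWED[req.db] then
    return false, "database not allowed: " .. tostring(req.db)
  end
  if not is_identifier(req.tbl) or not ALLOWED[req.db][req.tbl] then
    return false, "table not allowed: " .. tostring(req.tbl)
  end
  if not safe_where(req.where) then
    return false, "where clause rejected"
  end
  return true
end

-- The request posted in this thread: rejected at the database check.
print(check_request({ db = "mysql", tbl = "db",
  where = "1=1; USE coronium; delete from cc_users;" }))
-- A request scoped to the caller's own rows: passes.
print(check_request({ db = "appdata", tbl = "scores",
  where = "owner = 'u42' AND score = 10" }))
```

Such a guard complements, rather than replaces, giving client requests their own MySQL account with only the privileges they need.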

Hi,

Thanks for the additional tests. I will look into a whitelist option and shore up the additional databases.

As it stands, without your source files, someone would have to go through quite a lot of trouble just to remove your users.

-dev

Hi,

This update should suppress client-side injections: https://develephant.github.io/coronium-core-docs/server/updates/#230-to-232

All system databases are now blacklisted. I will be reworking the database permissions in the near future as well.

-dev

Thanks

I would like to have a separate db user for client requests, so I can be sure that the client can't drop tables or do other harmful things.

That is my plan, but I probably won’t get to it until next week.

-dev
