How to allow only the apps we create to access our online content?

Hi,

I would like to have an app that accesses the content on my server. My concern is that someone can build an app and access the content on my server too.

How can we make sure that only the app we created can access the content on our server? What comes to my mind is to use HTTPS, but then I may have to hardcode a username and password in the app itself, and that means someone can hack it to get these credentials.

Can we do app authentication? Things like the server checking if the request is coming from the app that was built using the certificate we used to sign the app.

Could you please share your experience or a hint, or point me to a link on how to do this? I have tried to search the forum too, but no luck so far.

Thank you.

So Lin

Corona team,

Any suggestions on this? The forum seems quiet these days; are you guys so busy with the release of the new iPhone and iOS?

So Lin

There are a lot of different forum threads talking about security and the tools Corona provides to developers so that we can secure our apps. Don’t forget that Corona engineers do provide a lot of info on these kinds of server topics, but since they don’t actually support our server installations, they can’t be expected to always provide situational troubleshooting.

Hi Alex,

Thank you for sharing the link to other forum posts. If I used OpenSSL to encrypt data that needs to be passed back and forth between the app and the server, is it safe, or how secure is it, to store (hardcode) the encryption key on the device?

So Lin

I’m nothing close to an expert on cybersecurity so I can’t give you an answer there. I’d suggest doing more research to find out the solution that best suits your needs. Remember that the only person liable here is you; make sure to evaluate any option that is suggested so that you are comfortable with it.

Hi Alex,

You’re right that I have to decide it on my own, but I’m trying to get suggestions, ideas, and best practices, if any, from the forum, and so far I still can’t find a reliable/best practice. Moreover, it has come to my surprise that Corona staff haven’t shared any suggestions on this, and I’m wondering if Corona can provide a solution to the problem I describe in my first post.

Well, I have tried OpenSSL with the code below

```lua
local openssl = require("plugin.openssl")
local cipher = openssl.get_cipher("aes-256-cbc")

-- Plaintext and key are both string literals compiled into the app
local v_cryptText = "myEncryptedtext"
local v_cryptKey = "mySuperkey"

local encryptedData = cipher:encrypt(v_cryptText, v_cryptKey)
print(encryptedData)
```

and run `$ strings resource.car`

```
plugin.openssl
get_cipher
aes-256-cbc
myEncryptedtext
mySuperkey
encrypt
print
```

The key is there. So storing the encryption key on the device is not secure, though we can make it harder to find (but I’m not quite sure what techniques can be used).

Alright, I’ll research more on this, and I’m also thinking about using SSL to create a secure connection between the app and the server (content provider) and then implementing some logic inside the app to communicate with the server; if the app is talking the same language, then the server can push the content to the app (or the server allows the app to pull the content). In this case the villain has to figure out the logic.

So Lin
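
An added example, not code from the thread or from Corona: because anything compiled into the app can be read back out, as the `strings` output above shows, a common alternative keeps the signing key on the server and gives the app only a short-lived signed token after the user logs in. This is server-side Python; the function names, token layout and lifetime are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Signing key generated and kept on the server; it is never compiled into the app.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 900  # token lifetime in seconds (assumed value)


def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, now=None, key=SERVER_KEY):
    """Issue a token once the server has verified the user's own login."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user_id, "exp": int(now) + TOKEN_TTL}).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)


def verify_token(token, now=None, key=SERVER_KEY):
    """Return the user id for an authentic, unexpired token, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = b64d(payload_b64), b64d(tag_b64)
    except ValueError:  # wrong shape or invalid base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)  # parsed only after the tag has been checked
    return claims["sub"] if claims["exp"] > now else None


if __name__ == "__main__":
    token = issue_token("user-42")  # constructed sample user id
    print(verify_token(token))
    # A token signed with a key recovered from an app binary fails verification.
    print(verify_token(issue_token("user-42", key=b"mySuperkey")))
```

The token identifies a logged-in user or session rather than the app binary, so access is tied to credentials the server can revoke instead of a secret shipped to every device.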
