Securing communication [Authenticity, Privacy & Integrity] with mobile app?

Front-end · Unresolved · 3 · 2039
迷失自我 2021-01-30 14:08

An Android/Iphone app will be accessing application data from the server. [Django-Python]

How can I secure the communication with the mobile app ?

Expec

3 replies
  •  夕颜 (original poster)
    2021-01-30 14:10

    SSL does have two-way authentication, as already mentioned by the other commenters. But I do not think you should even try to authenticate the client, aka the app. You only authenticate the user (the resource owner in OAuth terms), not the agent or client.

    It is a fact that mobile apps cannot hold any secrets. So never put certificates/passwords on the device. A typical bad example would be to save the username and password in some system keystore, such as the iOS keychain. If the app user does not set a password on the phone, the entire keystore is saved in plain text and anyone can dump all the information. Embedding a certificate in the app is almost equally bad, as unlike a server, a mobile phone is not locked in a computer room. People do lose them.

    On that basis, you need a token-based solution, so that the app does not need to hold secrets. You pass on the secrets (user login credentials) and clear them out of memory immediately. You only need to hold the token, which will be short-lived (expires in 30 mins, etc.).

    OAuth 2.0 Implicit flow is designed to solve this problem. However, it's far from perfect, and there are some fundamental issues with the OAuth 2.0 spec. Especially, implementing this flow requires the app to use UIWebView (embedded browser), which itself can be insecure and a bad user experience. So this pretty much eliminates all redirection-based flows. The only well-known app that uses the OAuth 2 redirection flow is Facebook, and it's done badly.

    OAuth 2.0 Resource Owner flow is one option. With this flow, your entire system's security level can be as high as a B2C solution -- a browser-based online banking solution, as an example. This means anyone with the username and password will be able to access the resources on the server -- the same level of security as a browser-based solution.

    However, you still need to be careful. As mentioned before, the OAuth 2 spec has some fundamental issues -- in this case, you cannot follow its spec to implement the token refresh logic -- that typically involves using a never-expiring refresh token -- as can be seen in Google's OAuth 2 implementation. That token then becomes a secret itself -- which defeats the purpose of using OAuth.

    One workaround is to auto-renew the token based on last activity.

    Anyway, mobile app security is not a new topic at all, but sadly we still do not have any standard tools/mechanisms to solve those unique challenges.

    That's why banks pay millions to do their mobile banking solutions and yet they still fail (http://hothardware.com/News/Mobile-Banking-Apps-for-iOS-Vulnerable-to-Man-in-the-Middle-Attacks/) ;-)
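
The token scheme the answer describes (credentials exchanged once for a short-lived token, no long-lived refresh token on the device, renewal driven by activity), as an added example that is not part of the original post or the answerer's code. It is a stand-alone Python sketch of the server side that a Django view could call; the `SERVER_KEY`, the in-memory `USERS` store, the user "alice" with her password, and the function names `login`, `verify` and `renew_if_active` are all constructed for the example. Tokens are HMAC-signed JSON claims rather than a particular library's format.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption: a per-deployment signing key that lives only on the server
# (in Django it could be derived from SECRET_KEY). Generated here so the
# example runs stand-alone; the device never sees it.
SERVER_KEY = secrets.token_bytes(32)

TOKEN_TTL = 30 * 60     # tokens expire after 30 minutes, as the answer suggests
RENEW_WINDOW = 5 * 60   # swap in a fresh token when an active user has < 5 min left


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user store: username -> (salt, password hash).
_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, _hash_password("correct horse battery", _SALT))}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())


def _make_token(username: str, now: float) -> str:
    claims = {"sub": username, "iat": int(now), "exp": int(now) + TOKEN_TTL,
              "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return f"{body}.{_sign(body)}"


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Exchange user credentials for a short-lived token, or None on failure.

    The credentials are checked once and not retained anywhere; the app
    keeps only the returned token for its subsequent requests.
    """
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None:
        _hash_password(password, b"\x00" * 16)  # keep timing similar for unknown users
        return None
    salt, expected = record
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return None
    return _make_token(username, now)


def verify(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the token's claims if the signature is valid and it is unexpired."""
    now = time.time() if now is None else now
    body, sep, sig = token.partition(".")
    if not sep or not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        return None
    try:
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or now >= claims.get("exp", 0):
        return None
    return claims


def renew_if_active(token: str, now: Optional[float] = None) -> Optional[str]:
    """Sliding expiry: a valid token presented by an active user is replaced.

    This stands in for the never-expiring refresh token the answer warns
    against: an idle session simply lapses after TOKEN_TTL and the user
    logs in again with their credentials.
    """
    now = time.time() if now is None else now
    claims = verify(token, now)
    if claims is None:
        return None
    if claims["exp"] - now > RENEW_WINDOW:
        return token  # plenty of time left; keep the current token
    return _make_token(claims["sub"], now)
```

A request handler would call `verify` on the bearer token of each request and, when `renew_if_active` returns a different token, hand it back in the response so the app can replace the one it holds. Because the only thing on the device is a token that dies within `TOKEN_TTL` of the last activity, losing the phone exposes a short window rather than a permanent secret.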
