I'm starting a new project in the coming weeks but I have some questions related to the "design" of the app.
The app will be a server + database that talks to an Android app that also has its own database (for offline use).
The connection will be used to exchange strings that are encrypted with a custom "protocol" (game network protocol encapsulated in TLS). This means that the app would have two layers of security:
- TLS -> against MitM attacks
- Custom protocol -> against "in-game hacks", like game packet tampering
My questions are the following:
- Is it possible to use TLS between node.js and Android? Are there any good links on that subject?
(I read there were some issues with the format of the certs that was different in Java and node.js. It was related to OpenSSL and the EVP_BytesToKey function)
--> Encrypt with Node.js Crypto module and decrypt with Java (in the Android app)
--> http://olabini.com/blog/tag/evp_bytestokey/
- Is there a way of obfuscating the source code of the Android app so that the custom "protocol" can be decrypted client-side safely? Or should all the magic take place server-side?
(I don't want the decryption source code to be visible for users to dissect the custom protocol and start developing hacks.)
- Any tips or links on increasing the security of my node.js server in general?
(I heard some people talking about Nginx proxies, but since I'm not serving webpages does it still make sense? Wouldn't it overload the server?)
Thank you a lot in advance!