
I'm currently designing a mobile application, and I'm having some concerns about securing the backend which runs the services it needs to run.

My current planning is, using SSL and a basic workflow like this:

(workflow diagram image)

The generated token expires, because that assures that if someone physically accesses the phone/device, he can't be in control of the user account for too long, but, at the same time, I don't know what duration is appropriate for it, as I don't want to keep asking for credentials every day.

My questions are:

  1. Is this a good approach? Would you add something else to it?
  2. What's the ideal duration of tokens when working on mobile apps?
Mauri Lopez

1 Answer


First things first, you should encrypt the session key when you store it on the device. For example, use shared preferences with an encrypt option. Further info: Android SharedPreference security

Second, you may want to implement an "SSL pinning" mechanism, which means verifying SSL certificates on the client side. You must be sure whether the received certificate belongs to your backend or not. That way you can protect your backend URLs and parameters. Further info: https://www.infinum.co/the-capsized-eight/articles/securing-mobile-banking-on-android-with-ssl-certificate-pinning or http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/

Third, your design is good. But be sure that your session key generation mechanism is not vulnerable to "Session Prediction" attacks. https://www.owasp.org/index.php/Session_Prediction

Mehmet Ince
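The pinning check the answer describes, as an added example that is not part of the answer or of any library it links to. It uses only the Python standard library and pins the SHA-256 digest of the server's leaf certificate (the pin string format `sha256/<base64>` and the function names are this example's own choices). Pinning the leaf means the pin list must be updated whenever the backend certificate is rotated, so ship at least one backup pin; regular chain and hostname validation still runs before the pin is checked.

```python
import base64
import hashlib
import hmac
import socket
import ssl


def cert_pin(der_cert: bytes) -> str:
    """Pin string for a DER-encoded certificate: 'sha256/<base64 digest>'."""
    digest = hashlib.sha256(der_cert).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def pin_matches(der_cert: bytes, pins) -> bool:
    """True if the certificate's pin is in the allow-list.

    compare_digest avoids leaking which bytes matched through timing.
    """
    actual = cert_pin(der_cert)
    return any(hmac.compare_digest(actual, expected) for expected in pins)


def connect_pinned(host: str, port: int, pins, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and refuse it unless the leaf certificate is pinned.

    create_default_context() still performs normal CA-chain and hostname
    validation; the pin check is an extra condition on top of that.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if not pin_matches(der, pins):
        tls.close()
        raise ssl.SSLError("certificate pin mismatch for %s" % host)
    return tls


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for a DER certificate;
    # a real pin is computed from the backend's actual certificate.
    sample_der = b"constructed-placeholder-not-a-real-certificate"
    print(cert_pin(sample_der))
```

In a mobile client the same comparison is done inside the TLS library's trust-manager hook rather than with `socket`, but the logic is identical: hash the received certificate, compare against the embedded allow-list, and abort the connection on mismatch.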
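A server-side session store that addresses both the "Session Prediction" point in the answer and the expiry question from the post, as an added example that is not part of the page (the class and its lifetime constant are this example's own design). Tokens come from a cryptographically secure generator, so they cannot be predicted from earlier ones; only a hash of each token is stored, so a copied database does not hand out live sessions; and every lookup enforces the expiry, deleting stale entries.

```python
import hashlib
import secrets
import time

TOKEN_BYTES = 32                       # 256 bits of CSPRNG entropy per token
DEFAULT_LIFETIME_S = 30 * 24 * 3600    # constructed example value, tune per app


class SessionStore:
    """In-memory session store keyed by the SHA-256 of the token.

    The token itself is never stored. Lookups use the hash as a dict key, so
    no byte-by-byte comparison of the secret token takes place on the server.
    """

    def __init__(self, lifetime_s: int = DEFAULT_LIFETIME_S, now=time.time):
        self._sessions = {}      # token_hash -> (user_id, issued_at, expires_at)
        self._lifetime = lifetime_s
        self._now = now          # injectable clock, useful for tests

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a new unpredictable session token for user_id."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        issued = self._now()
        self._sessions[self._hash(token)] = (user_id, issued, issued + self._lifetime)
        return token

    def validate(self, token: str):
        """Return the user_id for a live token, or None if unknown or expired."""
        key = self._hash(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user_id, _issued, expires_at = entry
        if self._now() >= expires_at:
            del self._sessions[key]   # expired: drop it so it cannot be reused
            return None
        return user_id

    def revoke(self, token: str) -> None:
        """Explicit logout or remote wipe of a lost device's session."""
        self._sessions.pop(self._hash(token), None)


if __name__ == "__main__":
    store = SessionStore(lifetime_s=60)
    t = store.issue("alice")
    print("token length:", len(t), "valid for:", store.validate(t))
```

Because expiry is checked on the server, the lifetime can be shortened later without touching the app, and `revoke` lets a user invalidate a session from another device if the phone is lost, which reduces the pressure to pick a very short lifetime.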