
Good evening,

I am creating an Android Application with a Django based server to interface this App with the central databases where information is stored.

I read this article, "CSRF in Mobile Applications", which mentions that apps are CSRF safe, so I don't need to guard my server against this kind of attack.

But what if I'm thinking of (in the future) expanding this project so the user can use both the Android app and a website to see and modify his information. What is the best strategy then?

Should I keep separate sessions in the browser, differentiating between website users and the Android app ones, and check for CSRF tokens only in the website ones? Or should I create a completely separate website from this server, and make only the website CSRF protected? Or even, should I keep the CSRF protection on and treat it in the Android app?

Thank you for the help,

--- Edit ---

@petkostas suggested that I use a REST architecture. I've been reading about REST and, as far as I understand it, there are no sessions kept in it.

So, if REST is your suggestion, how would I keep some of the data safe for only some of the users: change the architecture so I have sessions, or request the username and password from the user at every request (this seems like a bad alternative, because I would have to send sensitive information (the password) in every request)?

t.pimentel
    Your problem yields for an API service layer, go with a REST layer (tastypie, Django REST framework etc), it should cover most of your needs (user authentications, integrity and API exposing). – petkostas Aug 05 '14 at 07:12

3 Answers


I have a very similar use case: android app, ios app and web app (AngularJS).

Solved it with a REST API (using Django Rest Framework (DRF)) that uses two different authentication methods:

The settings are quite simple:

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.TokenAuthentication',
        'rest_framework.authentication.SessionAuthentication',
    ),
    # (...)
}

In your case, I would use DRF with TokenAuthentication, while knowing that you can add more auth methods when you need it.

David Arcos

From my experience with Django REST framework, you can add more than one authentication method. You can use token authentication in your app, and then use session authentication for your web application. You can read more at their site: http://www.django-rest-framework.org/api-guide/authentication

I'm sure any other rest framework has a similar implementation.

user1658078

Provide separate views for the application and the browser. Require that the application passes a special header that the browser does not normally send. Require that the browser passes the regular CSRF protection that Django comes with. This way you will make sure that a malicious website cannot force a browser to access one of your API endpoints and execute a CSRF. (Note that it's still possible to inject custom headers when issuing AJAX requests with JS so you might want to either detect those or choose a header like User-Agent.)

patrys