3

I am looking for some inputs for an enterprise mobile application architecture. It is a for large organization with with hundreds of existing SOAP based web-services for consumption by web based application. We use service accounts for application to web-service authentication and authorization (Application-N with a specific username and password to communicate with web-service-N). These apps are hosted at Android market and iTunes (iPad and Android apps). We also have a need of SAML based SSO for these mobile apps (OAuth is not entertained at the moment).

I am proposing a web-based integration approach for consumption of these web-services from these apps along with a proxy server to intercept these requests from mobile apps. So, the flow would be:

  1. Mobile app communicates with proxy server using HTTP and JSON.All the SAML SSO workflow is handled by mobile app, service provider which is proxy server and identity provider server.
  2. Proxy server communicates with web-services using service account and marshalls and unmarshalls the requests and responses to JSON.

The advantage with this approach is:

  1. Cross platform mobile application development due web-based approach as pointed by: What work has been done on cross-platform mobile development?
  2. Easier SAML based security integration due to HTTP protocol as opposed to SOAP.

I also see the following issues with SOAP for this project:

  1. Some hack to use the SAML authentication within SOAP request?
  2. Since web-service authentication is done using service accounts, so you need to embed password for the web-service with mobile application's code, which I see it as security issues
  3. Marshalling and un-marshalling SOAP requests and response is expensive compared to JSON for mobile device.
  4. Since we need to embed the secret(password) in device to communicate with web-service, which is a security issue. http://www.performantdesign.com/2009/09/03/facebook-iphone-session-proxy-in-php-fbsession-getsessionproxy/ So this app-server acts as session proxy.

Is this makes sense? Any flaws with this approach?

Many thanks in advance

Community
  • 1
  • 1
anonmys
  • 419
  • 1
  • 8
  • 18

1 Answers1

1

In all reality the protocol that you choose isn't going to affect the number of vulnerabilities or design flaws a developer is going to implement. You can build a very secure API using any technolgoy.

The real strength of SOAP is that the WSDL file can be used to build automated security tests against the service. So when the developer makes a mistake, you can detect it. Before you release a new version of the API make sure test the code with something like WSFuzzer.

SOAP also has features such as encryption and authentication built into the protocol so you don't have to reinvent the wheal.

rook
  • 66,304
  • 38
  • 162
  • 239
  • You seems to be recommending SOAP based integrate directly with device? If so, how can I leverage the SAML based identity provider, which understand HTTP protocol and second is how about the cross platform mobile development (please look at the link above, which talks about web-based approach for mobile app development to make it cross platform). – anonmys Sep 10 '11 at 20:04
  • there is one more issue I see with SOAP based approach in this context is, since we use the service accounts to authenticate web-service consumer and that means we need to embed the password in the mobile application, which is a security issue. – anonmys Sep 10 '11 at 20:09
  • @anonmys you cannot rely upon a secret in the device, perhaps you are looking for "Security though obscurity" – rook Sep 10 '11 at 20:15
  • here is what I am talking about, I don't want to embed my secret into application. http://www.performantdesign.com/2009/09/03/facebook-iphone-session-proxy-in-php-fbsession-getsessionproxy/ So the approach I am thinking about it session proxy. – anonmys Sep 10 '11 at 22:39