0

I am currently working on an internal Phonegap app for Android. The app will point to html files stored on our companies public facing windows web server. This app will give workers access to files and information stored on our servers.

The data they will be accessing would not be considered super sensitive data, but it still needs to stay private.

In an effort to make the app as simple as possible, it would be nice if users were not forced to login. Would it be considered "secure enough" to publish the HTML files at an unguessable url? The url would be programmed into the app, and the app would only be install on phones we specify.

mikmik
  • 31
  • 4
  • 3
    This is a pretty vague question. What does "secure enough" mean? Perhaps this is a question for your company's security team. – Ted Hopp Jan 23 '12 at 22:21
  • Sorry for the vagueness. I meant "secure enough" for our situation, which means we are willing to take risks in exchange for simplicity, as long as we are not leaving an obvious open door. I am the security team, very small company. – mikmik Jan 25 '12 at 01:59

3 Answers3

2

Security through obscurity is rarely the answer. I'll answer No.

You should do something that authenticates the app before allowing access to the files. This doesnt mean the user has to log in, just that the app has access.

John Boker
  • 82,559
  • 17
  • 97
  • 130
  • Not the same exact question, but something similar http://stackoverflow.com/questions/5340252/how-can-i-design-a-secure-api-authentication-for-mobile-apps-to-access-a-service – John Boker Jan 23 '12 at 22:30
1

Anyone with a packet sniffer would be able to divine the urls in question if the app is used over a public Wi-Fi. If the word private is even being mentioned then I would say that security through obscurity isn't going to cut it. Could you cache the credentials so that users only need to enter them once (or once a month)?

cesarislaw
  • 1,589
  • 1
  • 11
  • 21
0

By secure enough, it sounds to me that you should be considering a hard to guess URL. This can be accomplished by using GUIDs in the URL to your resources. This is only as secure as the connection so if you are using HTTP, anyone in the middle can see the URL and then get to the resources. If that is an issue, you should consider using HTTPS.

Scott Smith
  • 1,823
  • 17
  • 15