Trigger.io Security Especially for REST API
I have had a thought running through my mind for the past few days.
We are using Trigger.io as the platform for our mobile application, and using JavaScript as our scripting language with a REST API.
Since we are using JavaScript, the code and account credentials (API key, secret key, etc.) can be seen if you decompile the app and view its source code.
I am wondering if Trigger.io can answer, clarify, and give concrete examples of how to make our application secure against malicious attacks (replay attacks, side-jacking, etc.) and against the account being abused.
Thanks!
Key security is a big concern for any app that runs on a user's device.
Pulling keys out of a Trigger.io app may be marginally easier than pulling keys out of a compiled native app, because JavaScript is less obfuscated than compiled code. If you'd prefer to have the keys in compiled code, you might consider a native plugin that releases the keys to JS - http://docs.trigger.io/en/v1.4/modules/native/.
However, I wouldn't recommend that, because it's still possible to pull secret keys out of compiled code - obfuscating keys in a binary is insufficient to frustrate a determined hacker.
The way around this problem that I know of is to not include secret keys in the app itself, and to have the user go through an interactive authentication step. Once that's happened and you know who you're talking to, your server can release the necessary keys to the app.
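The flow described in the answer above, as an added example that is not part of the original post or Trigger.io's own code: a Node.js server sketch in which nothing secret ships in the app, the user logs in interactively, and the server then releases a per-user, time-limited key. The function names, the user store and the token layout are assumptions made for illustration.

```javascript
// Added example, server side (Node.js). All names here are hypothetical.
const nodeCrypto = require('crypto');

// These secrets exist only on the server; nothing here is bundled into the app.
const TOKEN_SIGNING_KEY = nodeCrypto.randomBytes(32);
const KEY_DERIVATION_KEY = nodeCrypto.randomBytes(32);
const SESSION_TTL_MS = 15 * 60 * 1000;

// Constructed sample user store: salted scrypt hash, never the plain password.
const sampleSalt = nodeCrypto.randomBytes(16);
const USERS = new Map([
  ['alice', { salt: sampleSalt, hash: nodeCrypto.scryptSync('correct horse', sampleSalt, 32) }],
]);

function sign(payload) {
  return nodeCrypto.createHmac('sha256', TOKEN_SIGNING_KEY).update(payload).digest('base64url');
}

// Step 1: interactive authentication. Returns a short-lived session token, or null.
function login(username, password, now = Date.now()) {
  const user = USERS.get(username);
  if (!user) return null;
  const candidate = nodeCrypto.scryptSync(password, user.salt, 32);
  if (!nodeCrypto.timingSafeEqual(candidate, user.hash)) return null;
  const payload = `${username}.${now + SESSION_TTL_MS}`;
  return `${payload}.${sign(payload)}`;
}

// Step 2: the server releases a key only to a caller holding a valid, unexpired token.
function releaseApiKey(token, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [username, expiry, mac] = parts;
  const expected = Buffer.from(sign(`${username}.${expiry}`));
  const given = Buffer.from(mac);
  // Compare MACs in constant time; check length first because timingSafeEqual throws on mismatch.
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) return null;
  if (Number(expiry) <= now) return null;
  // The released key is scoped to this user and session, so a key pulled off one
  // device expires with the session and can be tied back to one account.
  return nodeCrypto.createHmac('sha256', KEY_DERIVATION_KEY)
    .update(`apikey:${username}:${expiry}`).digest('hex');
}
```

The app keeps the released key in memory for the session; because it is derived per user and per expiry, the server can recompute it to verify later requests without storing it.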
api security rest authentication trigger.io