Hacker News new | ask | show | jobs
by fberger 5202 days ago
Last time I looked at parse I think it used basic http auth over https to authenticate clients.

Having seen how easy it is to look at the plain traffic a mobile app sends with http://mitmproxy.org/ I would have concerns to use this.

Or is there some per user authentication?
2 comments
objclxt 5202 days ago
I use Parse on a couple of projects, I also work (separately, I hasten to add!) on apps for carriers with significant security issues.

I would say that you shouldn't really worry about 'sniffing' traffic, because whatever countermeasures you take chances are if someone cares enough they'll work around it.

Parse has an access-control model for objects: objects can have read/write permissions for users, groups, or everyone. For example, you might have an object in Parse representing a comment, which the owner could edit and everyone else read.

Obviously the Parse API itself is rather public, and it wouldn't take a huge amount of skill to extract your client keys from an Android / iOS app: but as long as you've designed your ACL (access control list) correctly, it won't matter as your user will have to be logged in and authenticated to access sensitive objects.

link
stephth 5202 days ago
it wouldn't take a huge amount of skill to extract your client keys from an Android / iOS app: but as long as you've designed your ACL (access control list) correctly, it won't matter as your user will have to be logged in and authenticated to access sensitive objects.

But it's possible to edit the ACL from a client. Isn't that a potential weakness?

https://www.parse.com/docs/ios_guide#users-acls

link
lacker 5202 days ago
Editing the ACL is subject to the same access restrictions, similar to how Unix ACLs work. So, for most cases this is sufficient. If you have more complex security needs, we're glad to discuss how individual apps can be secured. Drop us a line at feedback at parse.com.
link
stephth 5202 days ago
Thanks. And I will likely do that. Before I do and if I could borrow some more of your time: would using Parse qualify an app as containing encryption, in regards to the AppStore submission/guidelines?

See this question: http://stackoverflow.com/questions/2135081/does-my-applicati...

link
lacker 5202 days ago
Parse does use https:// connections for all data, so you should take whatever action you would normally take for an application that communicates over https. That is the only form of client-side encryption used.
link
lacker 5202 days ago
There is per-user authentication. The PFUser class (in iOS, Android is ParseUser) handles this sort of authentication automatically for you, and there are also hooks to do it with a bit more effort through the REST API.

https://parse.com/docs/ios/api/Classes/PFUser.html

If you have more specific questions about how to use this for an app, feel free to drop us a line at feedback at parse.com.

link