by objclxt 5202 days ago
I use Parse on a couple of projects, I also work (separately, I hasten to add!) on apps for carriers with significant security issues.

I would say that you shouldn't really worry about 'sniffing' traffic, because whatever countermeasures you take, chances are that if someone cares enough they'll work around them.

Parse has an access-control model for objects: objects can have read/write permissions for users, groups, or everyone. For example, you might have an object in Parse representing a comment, which the owner could edit and everyone else read.

Obviously the Parse API itself is rather public, and it wouldn't take a huge amount of skill to extract your client keys from an Android / iOS app: but as long as you've designed your ACL (access control list) correctly, it won't matter as your user will have to be logged in and authenticated to access sensitive objects.

it wouldn't take a huge amount of skill to extract your client keys from an Android / iOS app: but as long as you've designed your ACL (access control list) correctly, it won't matter as your user will have to be logged in and authenticated to access sensitive objects.

But it's possible to edit the ACL from a client. Isn't that a potential weakness?

https://www.parse.com/docs/ios_guide#users-acls

Editing the ACL is subject to the same access restrictions, similar to how Unix ACLs work. So, for most cases this is sufficient. If you have more complex security needs, we're glad to discuss how individual apps can be secured. Drop us a line at feedback at parse.com.
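
As an added illustration of the model described in this thread (not code from the thread or from Parse's SDK), the snippet below models Parse's per-object ACL JSON, where keys are "*", a user objectId, or "role:<name>", and checks a request against it. It shows why an extracted client key alone (no logged-in user) gets only what "*" grants, why editing the ACL is just another write subject to the same check, and the caveat that an object saved with no ACL at all is public; the object, user ids and role name are constructed for the example.

```javascript
// Constructed sample object in Parse's ACL format (not real Parse data).
const comment = {
  objectId: "c1",
  text: "hello",
  ACL: {
    "*": { read: true },                    // anyone may read, even an anonymous client
    "u_owner": { read: true, write: true }, // only the owner may edit
    "role:Moderators": { write: true },     // members of this role may also edit
  },
};

// A requester carries the logged-in user's objectId (null when the caller has
// only the app's client key, i.e. keys pulled out of the shipped binary) and
// the names of any roles that user belongs to.
function isAllowed(acl, op, requester) {
  // Caveat: as in Parse, an object with no ACL is readable and writable by
  // everyone. Forgetting to set one is the mistake that makes a leaked client
  // key matter.
  if (!acl) return true;
  const keys = ["*"];
  if (requester.userId) keys.push(requester.userId);
  for (const role of requester.roles || []) keys.push("role:" + role);
  return keys.some((k) => acl[k] && acl[k][op] === true);
}

function readObject(obj, requester) {
  return isAllowed(obj.ACL, "read", requester) ? obj : null;
}

// Every update, including one that replaces the ACL field itself, passes the
// same write check, so a client cannot loosen an ACL it may not write.
function applyUpdate(obj, update, requester) {
  if (!isAllowed(obj.ACL, "write", requester)) {
    return { ok: false, error: "forbidden" };
  }
  return { ok: true, object: { ...obj, ...update } };
}
```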

Thanks. And I will likely do that. Before I do and if I could borrow some more of your time: would using Parse qualify an app as containing encryption, in regards to the AppStore submission/guidelines?

See this question: http://stackoverflow.com/questions/2135081/does-my-applicati...

Parse does use https:// connections for all data, so you should take whatever action you would normally take for an application that communicates over https. That is the only form of client-side encryption used.