 

parse.com security


Recently I discovered how useful and easy parse.com is. It really speeds up the development and gives you an off-the-shelf database to store all the data coming from your web/mobile app.

But how secure is it? From what I understand, you have to embed your app private key in the code, thus granting access to the data.

But what if someone is able to recover the key from your app? I tried it myself. It took me 5 minutes to find the private key from a standard APK, and there is also the possibility to build a web app with the private key hard-coded in your JavaScript source where pretty much anyone can see it.

The only way to secure the data that I've found is ACLs (https://www.parse.com/docs/data), but this still means that anyone may be able to tamper with writable data.

Can anyone enlighten me, please?

429 likes
softice86 asked Nov 10 '12 11:11



2 Answers

As with any backend server, you have to guard against potentially malicious clients. Parse has several levels of security to help you with that.

The first step is ACLs, as you said. You can also change permissions in the Data Browser to disable unauthorized clients from making new classes or adding rows or columns to existing classes.

If that level of security doesn't satisfy you, you can proxy your data access through Cloud Functions. This is like creating a virtual application server to provide a layer of access control between your clients and your backend data store.

52 likes
bklimt answered Nov 05 '22 23:11
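To make the ACL step concrete, here is an added example (not code from the answer above and not Parse's own SDK): a small evaluator for the ACL JSON format that Parse stores on each object, run against a few constructed rows to show what a client holding only the extracted app keys can read or write. The principals, object ids and roles are made up for the example; the ACL shape (`"*"`, a user `objectId`, `"role:<Name>"`) is the documented one.

```javascript
// Added example: evaluator for Parse-style ACL JSON. Not Parse's code.
// An ACL maps a principal to permissions:
//   "*"            -> everyone, including unauthenticated clients
//   "<objectId>"   -> one specific user
//   "role:<Name>"  -> members of a Parse Role
// All objects, ids and roles below are constructed for this example.

/** True if an ACL entry grants `action` ("read" or "write"). */
function entryGrants(entry, action) {
  return Boolean(entry && entry[action] === true);
}

/**
 * Decide whether `request` ({ userId: string|null, roles: string[] }) may
 * perform `action` on an object carrying `acl`.
 * An object with no ACL at all is public read/write, which is the default
 * and exactly the exposure the question worries about.
 */
function aclAllows(acl, request, action) {
  if (action !== 'read' && action !== 'write') throw new Error('bad action');
  if (acl == null) return true;                          // no ACL: fully public
  if (entryGrants(acl['*'], action)) return true;        // public grant
  if (request.userId && entryGrants(acl[request.userId], action)) return true;
  for (const role of request.roles || []) {
    if (entryGrants(acl['role:' + role], action)) return true;
  }
  return false;
}

// Constructed rows, shaped like what a client could fetch from a class.
const objects = [
  { objectId: 'p1', title: 'public post',
    ACL: { '*': { read: true }, uAlice: { read: true, write: true } } },
  { objectId: 'p2', title: 'private note',
    ACL: { uAlice: { read: true, write: true } } },
  { objectId: 'p3', title: 'moderator-editable',
    ACL: { '*': { read: true }, 'role:Moderator': { read: true, write: true } } },
  { objectId: 'p4', title: 'legacy row saved without an ACL' },
];

/** For one request, list the object ids it could read and those it could write. */
function whatCanThisClientDo(request) {
  const ids = action =>
    objects.filter(o => aclAllows(o.ACL, request, action)).map(o => o.objectId);
  return { readable: ids('read'), writable: ids('write') };
}

// The question's scenario: an anonymous client that only has the app keys.
// Expected: readable p1,p3,p4 and writable p4 (the row that was saved without an ACL).
const anonymous = whatCanThisClientDo({ userId: null, roles: [] });
const alice = whatCanThisClientDo({ userId: 'uAlice', roles: [] });
const moderator = whatCanThisClientDo({ userId: 'uMod', roles: ['Moderator'] });
```

The useful check to run against your own schema is the `p4` case: any class where rows are saved without an ACL, or where the default ACL is not set, stays fully writable by whoever extracts the client key, no matter how careful the other rows are.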


I've taken the following approach in the case where I just needed to expose a small view of the user data to a web app.

a. Create a secondary object which contains a subset of the secure objects fields.

b. Using ACLs, make the secure object only accessible from an appropriate login.

c. Make the secondary object public read

d. Write a trigger to keep the secondary object synchronised with updates to the primary.

I also use cloud functions most of the time but this technique is useful when you need some flexibility and may be simpler than cloud functions if the secondary object is a view over multiple secure objects.

24 likes
Rocket Garden answered Nov 05 '22 22:11
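The secondary-object pattern from this answer, as an added example that is not the answer author's code and does not use Parse's API: the projection, the two ACLs and the sync step are plain functions so they run without a server, with in-memory maps standing in for the secure class and its public view. In real Cloud Code the `syncPublicProfile` step is what an afterSave trigger on the secure class would call. Field names, user ids and the sample records are constructed.

```javascript
// Added example: "secondary object" pattern modelled without a Parse server.
// Assumed (constructed) schema: a secure Profile row holds displayName,
// avatarUrl, email and phone; only the first two may appear in the public view.

const PUBLIC_FIELDS = ['displayName', 'avatarUrl'];

/** ACL for the secure object: only its owner can read or write it. */
function ownerOnlyAcl(ownerId) {
  return { [ownerId]: { read: true, write: true } };
}

/** ACL for the public view: anyone can read, no client principal can write. */
function publicReadOnlyAcl() {
  return { '*': { read: true } };
}

/**
 * Project a secure row onto its public subset. This is an allow-list, not a
 * deny-list, so a sensitive column added to the secure class later is not
 * copied into the public view by default.
 */
function projectPublic(secure) {
  const view = { owner: secure.objectId, ACL: publicReadOnlyAcl() };
  for (const f of PUBLIC_FIELDS) if (f in secure) view[f] = secure[f];
  return view;
}

/** Upsert the public view for `secure` (what an afterSave trigger would do). */
function syncPublicProfile(publicStore, secure) {
  publicStore.set(secure.objectId, projectPublic(secure));
  return publicStore.get(secure.objectId);
}

/** Save a secure row with an owner-only ACL, then refresh its public view. */
function saveSecure(secureStore, publicStore, secure) {
  const row = { ...secure, ACL: ownerOnlyAcl(secure.objectId) };
  secureStore.set(row.objectId, row);
  syncPublicProfile(publicStore, row);
  return row;
}

/** Audit helper: list any field in the public view outside the allow-list. */
function leakedFields(publicStore) {
  const allowed = new Set([...PUBLIC_FIELDS, 'owner', 'ACL']);
  const leaks = [];
  for (const view of publicStore.values())
    for (const k of Object.keys(view)) if (!allowed.has(k)) leaks.push(k);
  return leaks;
}

/** Constructed walk-through: two users, then an update to one of them. */
function demo() {
  const secureStore = new Map();
  const publicStore = new Map();
  saveSecure(secureStore, publicStore, {
    objectId: 'uAlice', displayName: 'Alice',
    avatarUrl: 'https://example.invalid/a.png',
    email: 'alice@example.invalid', phone: '555-0100',
  });
  saveSecure(secureStore, publicStore, {
    objectId: 'uBob', displayName: 'Bob', email: 'bob@example.invalid',
  });
  // Alice renames herself: the view follows, the email and phone never leave.
  saveSecure(secureStore, publicStore, {
    ...secureStore.get('uAlice'), displayName: 'Alice B.',
  });
  return { secureStore, publicStore };
}
```

Two points worth keeping when moving this into a trigger: keep the allow-list in one place so the view and the audit check cannot drift apart, and run something like `leakedFields` over the public class periodically, since a field added by hand in the Data Browser bypasses the trigger entirely.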