Recently I discovered how useful and easy parse.com is. It really speeds up the development and gives you an off-the-shelf database to store all the data coming from your web/mobile app.
But how secure is it? From what I understand, you have to embed your app private key in the code, thus granting access to the data.
But what if someone is able to recover the key from your app? I tried it myself. It took me 5 minutes to find the private key in a standard APK, and there is also the possibility of building a web app with the private key hard-coded in your JavaScript source, where pretty much anyone can see it.
The only way to secure the data I've found is ACLs (https://www.parse.com/docs/data), but this still means that anyone may be able to tamper with writable data.
Can anyone enlighten me, please?
Security researcher Ben Heald warns that the popular backend API framework Parse Platform has several inherent security weaknesses. Parse is a framework, similar to Firebase, that lets developers quickly create a backend API and integrate it with their iOS and Android applications.
The purpose of Parse was to demystify backend development. Open-sourced in early 2016, Parse Server is the open-source version of the Parse MBaaS platform originally developed by Parse Inc. It can be deployed on any infrastructure that can run Node.js.
In 2014, Parse was reported to power 500,000 mobile apps. On 28 January 2016, Facebook open sourced Parse Platform and announced that it will close its Parse Hosting Service, with services effectively shutting down on 28 January 2017.
What is Parse? Parse is an open-source SDK (Android, iOS, JavaScript and others) and back-end solution that lets developers build mobile apps with shared data quickly, without writing any back-end code or custom APIs. Parse is a Node.
When you log a user in via a User login method, Parse automatically creates a new unrestricted Session object in your Parse Server; the same happens for signups and Facebook/Twitter logins. When talking about data access on Parse, you can control your app's security at two different levels:
Now that you're familiar with the main Parse security concepts, here is some advice for making your app more secure. The Master Key is the Parse mechanism that bypasses all other security layers (ACLs and class-level permissions alike): holding an app's Master Key is like having root access on a server. It belongs only on the server and in Cloud Code, never in a client build.
As with any backend server, you have to guard against potentially malicious clients. Parse has several levels of security to help you with that.
The first step is ACLs, as you said. You can also change permissions in the Data Browser to prevent unauthorized clients from creating new classes or adding rows or columns to existing classes.
If that level of security doesn't satisfy you, you can proxy your data access through Cloud Functions. This is like creating a virtual application server to provide a layer of access control between your clients and your backend data store.
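As an added illustration (not part of the answer above, and not parse-server's own code), here is a small model of the two checks a Parse request passes before it touches a row: the class-level permission (CLP) that the Data Browser edits, then the per-object ACL. It uses the JSON shapes Parse stores for both; the users, roles, rows and CLP below are constructed test data, and parse-server's pointer permissions and protectedFields are left out.

```javascript
// Added example (not the answer's code, not parse-server's): a model of the two
// checks parse-server runs before touching a row, CLP first, then the object's
// ACL, using the JSON shapes Parse stores for each:
//   ACL : { "*": {read, write}, "<userObjectId>": {...}, "role:<Name>": {...} }
//   CLP : { "<op>": { "*": true, "<userObjectId>": true, "role:<Name>": true,
//                     "requiresAuthentication": true } }
// Everything under "constructed scenario" is made-up test data.

// Who the server thinks is calling. A client key leaked from an APK can only
// ever produce the first two fields; the master key must stay on the server.
function principal(userId, roles = [], masterKey = false) {
  return { userId, roles, masterKey };
}

// The aclGroup parse-server builds: "*" always, then the user id and roles.
function aclGroup(p) {
  const g = ['*'];
  if (p.userId) g.push(p.userId, ...p.roles.map((r) => 'role:' + r));
  return g;
}

// Class-level permission. No entry for an op means "everyone"; an empty object
// means "nobody except the master key".
function clpAllows(clp, p, op) {
  if (p.masterKey) return true;
  const perms = clp && clp[op];
  if (!perms) return true;
  if (aclGroup(p).some((k) => perms[k] === true)) return true;
  return perms.requiresAuthentication === true && Boolean(p.userId);
}

// Per-object ACL. A row saved without an ACL is readable and writable by
// everyone, which is what a client gets unless the app sets one.
function aclAllows(acl, p, op) {
  if (p.masterKey) return true;
  if (!acl) return true;
  return aclGroup(p).some((k) => Boolean(acl[k]) && acl[k][op] === true);
}

// Which ACL bit a REST operation needs; create/addField have no row yet.
const ACL_OP = { get: 'read', find: 'read', count: 'read', update: 'write', delete: 'write' };

function mayPerform(clp, acl, p, op) {
  if (!clpAllows(clp, p, op)) return false;
  if (!(op in ACL_OP)) return true;
  return aclAllows(acl, p, ACL_OP[op]);
}

// ---- constructed scenario ---------------------------------------------------
// Mallory signed up through the leaked client key; Alice owns the row; Bob is in
// the Admin role; "cloud" is Cloud Code presenting the master key.
const PRINCIPALS = {
  anonymous: principal(null),
  mallory: principal('u_mallory'),
  alice: principal('u_alice'),
  bob: principal('u_bob', ['Admin']),
  cloud: principal(null, [], true),
};

const ROWS = {
  noAcl: null,                                          // the default: anyone may tamper
  publicWrite: { '*': { read: true, write: true } },    // the same thing, explicit
  ownerWrite: { '*': { read: true }, u_alice: { read: true, write: true } },
  adminWrite: { '*': { read: true }, 'role:Admin': { read: true, write: true } },
};

// CLP as the Data Browser would set it: public read, create only when logged in,
// update/delete left to the row ACL, no new columns from clients.
const CLP = {
  get: { '*': true },
  find: { '*': true },
  create: { requiresAuthentication: true },
  addField: {},
};

// Names of the principals allowed to perform `op` on the named row.
function whoCan(op, rowName) {
  return Object.keys(PRINCIPALS).filter((n) => mayPerform(CLP, ROWS[rowName], PRINCIPALS[n], op));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of Object.keys(ROWS)) console.log(`update ${row}:`, whoCan('update', row).join(', '));
  console.log('create:', whoCan('create', 'noAcl').join(', '));
  console.log('addField:', whoCan('addField', 'noAcl').join(', '));
}
```

The point the question raises shows up in `whoCan('update', ...)`: a row saved without an ACL, or with public write, can be rewritten by anyone who signs up through the leaked client key (Mallory), while an owner-only or role-only ACL stops her; only the master key, which never leaves the server, bypasses both checks. The CLP is what stops her from creating rows anonymously or adding columns, which is the Data Browser setting the answer refers to.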
I've taken the following approach in the case where I just needed to expose a small view of the user data to a web app.
a. Create a secondary object which contains a subset of the secure objects fields.
b. Using ACLs, make the secure object only accessible from an appropriate login.
c. Make the secondary object public read
d. Write a trigger to keep the secondary object synchronised with updates to the primary.
I also use cloud functions most of the time but this technique is useful when you need some flexibility and may be simpler than cloud functions if the secondary object is a view over multiple secure objects.
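The four steps above, written out as an added example in Parse Server Cloud Code (this is not the answerer's code). The class names Profile and PublicProfile, the field names and the owner pointer are assumptions; the fakeParse() double at the bottom stands in for the SDK surface the trigger uses so the logic can be run here without a server, and is not the real SDK.

```javascript
// Added example, not the answerer's own code: the secure-object / public-view
// pattern as Parse Server Cloud Code (main.js). Class names, field names and the
// `owner` pointer are assumptions; fakeParse() is a constructed test double.

// Step a: the subset of the secure Profile that may be exposed. Anything not
// listed (email, phone, push token, ...) never reaches the public class.
const PUBLIC_FIELDS = ['displayName', 'avatarUrl', 'bio'];

function projectPublicView(attrs) {
  const view = {};
  for (const f of PUBLIC_FIELDS) if (attrs[f] !== undefined) view[f] = attrs[f];
  return view;
}

// Step b: pin the secure object to its owner in beforeSave, so a client holding
// only the app key cannot save a Profile with a looser ACL or a different owner.
function lockToOwner(profile, user, P) {
  if (!user) throw new Error('login required');
  profile.set('owner', user);
  const acl = new P.ACL();                 // no public read or write
  acl.setReadAccess(user, true);
  acl.setWriteAccess(user, true);
  profile.setACL(acl);
  return profile;
}

// Steps c and d: afterSave on Profile upserts the public view. Only Cloud Code
// ever writes PublicProfile, with the master key; clients get read-only access
// through the view's own ACL.
async function syncPublicProfile(request, P) {
  const profile = request.object;
  const ownerId = profile.get('owner').id;
  const query = new P.Query('PublicProfile');
  query.equalTo('ownerId', ownerId);
  let view = await query.first({ useMasterKey: true });
  if (!view) {
    view = new P.Object('PublicProfile');
    view.set('ownerId', ownerId);
    const acl = new P.ACL();
    acl.setPublicReadAccess(true);         // step c: anyone may read the view
    acl.setPublicWriteAccess(false);       // nobody but the master key writes it
    view.setACL(acl);
  }
  const pub = projectPublicView(profile.attributes);
  for (const f of PUBLIC_FIELDS) (f in pub) ? view.set(f, pub[f]) : view.unset(f);
  await view.save(null, { useMasterKey: true });
  return view;
}

// Registration as it appears in a deployed main.js; skipped when this file is
// run stand-alone (no Parse global).
if (typeof Parse !== 'undefined') {
  Parse.Cloud.beforeSave('Profile', (req) => lockToOwner(req.object, req.user, Parse));
  Parse.Cloud.afterSave('Profile', (req) => syncPublicProfile(req, Parse));
}

// Minimal in-memory stand-in for the SDK surface used above (test double, not
// the real SDK). ACL.toJSON mirrors the JSON Parse stores on the row.
function fakeParse() {
  const tables = {};
  const idOf = (u) => (typeof u === 'string' ? u : u.id);
  class ACL {
    constructor() { this.permissions = {}; }
    _set(who, op, allowed) {
      const k = idOf(who);
      if (allowed) { (this.permissions[k] = this.permissions[k] || {})[op] = true; return; }
      if (!this.permissions[k]) return;
      delete this.permissions[k][op];
      if (Object.keys(this.permissions[k]).length === 0) delete this.permissions[k];
    }
    setPublicReadAccess(v) { this._set('*', 'read', v); }
    setPublicWriteAccess(v) { this._set('*', 'write', v); }
    setReadAccess(u, v) { this._set(u, 'read', v); }
    setWriteAccess(u, v) { this._set(u, 'write', v); }
    toJSON() { return this.permissions; }
  }
  class Obj {
    constructor(className, attrs = {}) { this.className = className; this.id = null; this.attributes = { ...attrs }; }
    get(k) { return this.attributes[k]; }
    set(k, v) { this.attributes[k] = v; return this; }
    unset(k) { delete this.attributes[k]; return this; }
    setACL(acl) { this.attributes.ACL = acl; }
    getACL() { return this.attributes.ACL; }
    async save() {
      const t = (tables[this.className] = tables[this.className] || []);
      if (!this.id) { this.id = `${this.className}_${t.length}`; t.push(this); }
      return this;
    }
  }
  class Query {
    constructor(className) { this.className = className; this.where = {}; }
    equalTo(k, v) { this.where[k] = v; return this; }
    async first() {
      return (tables[this.className] || []).find((o) =>
        Object.entries(this.where).every(([k, v]) => o.get(k) === v));
    }
  }
  return { ACL, Object: Obj, Query, tables };
}
```

Deployed, only the two registrations run against the real `Parse` global. The beforeSave is what makes step b hold even when a client submits its own ACL, and because PublicProfile is written exclusively with the master key, the public-read ACL on the view is all a client ever gets. Fields are copied by a fixed allow-list rather than by excluding secrets, so a new sensitive column on Profile is not exposed by default.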