SCENARIO
Hello!!
While searching, googling and reading on Stack Overflow about rules (Backendless and code server), I stumbled on one forum where the admin of an app ran into big trouble…
It seems the “hacker”, or whatever you call it, made a DDoS attack (where the hacker continuously adds random users to his data) even though he had great security and followed the step-by-step security guide from the blog…
QUESTION:
How can we prevent that scenario in Backendless, especially in an Android app where the app can be decompiled to reveal the API key & app key…?
Hi @John_Aerial_Azcune!
A few things to mention:
You should not store your keys as plain text. There are obfuscation tools that can obfuscate Strings and resources. You can also encrypt the keys.
Review the app code. Don’t allow the user to abuse the system through your application. For example: if there is a button that creates a record in the database, limit how many times it can be used, so the hacker couldn’t create millions of records.
I would also recommend reading more about Data Security in the official documentation:
Best Regards,
Maksym
Hi Maksym,
I have been thinking about your answer and I have been investigating a couple of days now how to protect our keys.
It seems that obfuscating and encrypting keys are just a temporary solution and act as a delay: not presenting a potential hacker with a plate of keys, but giving him a menu first.
Let’s say obfuscating is mainly using base64 and trying to invent your own method for how your string will look after adding random numbers, using XOR, etc. But this is still a masquerade and not security.
Encrypting keys is possible; with the Android KeyStore you can store keys that can be used to encrypt and/or decrypt data with Cipher.
For example, an encrypted Backendless API key will look like 3IR8ZtPkA== in the app;
to read this, a Public Key (example: with algorithm rsaEncryption) has to be used, which is stored in the Android Keystore.
So the Public Key to decrypt it back to something readable is available in the app itself,
which has to be done before connecting to Backendless, or else Backendless will not be able to “read” it.
This makes this option masquerade version 2, which I believe is not really what you want, right?
Do you have an idea or suggestion how we can really make this hacker proof?
Because all the thinking and testing still did not bring me anywhere closer to the solution I am looking for.
Best regards,
Robin
Hello @Robin_van_Kuijk, @John_Aerial_Azcune
We will be happy to assist you. I need to ask you a few more questions so I can understand the problem better.
What kind of problem are you talking about, what exactly are you afraid of?
Describe a scenario that, in your opinion, can lead to undesirable consequences through malicious actions using Backendless.
Please give me a link to the Stack Overflow problem with the DDoS attack where Backendless is mentioned.
Hi Vladimir,
I could not find the Stack Overflow post either, but I did my own investigation.
John means that somebody could push random data to keep changing his username as fast as he can, like a DDoS attack.
I would prevent abnormal abuse by setting a limit on the API calls somebody can make,
so you will catch this random data pusher when it reaches 1000 API calls, and disable the account temporarily.
Reset the API counter of each user with a timer or something.
Or maybe assigning a temporary user role to allow changing the username once might also help.
The thing that I am afraid of is how can I protect Backendless initApp( applicationID, apiKey ) info.
With a simple tool for reverse engineering Android apk files (apktool) you can easily retrieve this information.
As Maksym mentioned:
You should not store your keys as plain text. There are obfuscation tools that can obfuscate Strings and resources. You can also encrypt the keys.
Is it harmful to Backendless when hackers get your applicationId and apiKey?
I don’t know the answer to that question, but if you have to protect this information,
I believe I would obfuscate and encrypt it to keep it safe and secure.
But unfortunately, this will only delay a hacker from retrieving the Backendless initApp( applicationID, apiKey ) information, because it depends on how dedicated they are in reverse engineering.
I hope you can answer the question that I cannot and inform me (us) about the dangers of exploiting applicationId and apiKey information.
Best regards,
Robin