Securely storage - windows-phone-8

My app contain a security key which I need to send every time I call web service.
The code is not provided by the user, it's in the code and it won't be changed.
For now I store the key as a string in code.
I need to store it somewhere, the ideal solution would be .config file where I could store it in appSettings and I could also encode the file. I know that there is not such a file available in WP, but what is the WP alternative.
Do you know any way I can securely store the security key?
Thanks in advance.

Instead of securely storing the key with your xap, use your server to distribute key to the app.
When your app opens for the first time, get the key from server, encrypt it and store it in IsolatedStorageSettings. For subsequent app sessions, decrypt and use the same.
The current scenario is, all XAPs on store are encrypted and there is no way to get access to your dll without interop unlock. However, if you are not doing a Silverlight application and instead do a WinRT application, the APPX package is not encrypted and anyone can download it from the store.
If you are going with a Silverlight app, it is secure enough to put the key in IsolatedStorageSettings after encrypting. If it is a WinRT app, you can get the key from your server.

Related

Best Practice to Store API tokens

I am working with an API for automating tasks in a company I work for.
The software will run from a single server and there will only one instance of the sensitive data.
I have a tool that our team uses at the end of every day.
The token only needs to be requested once since it has a +-30 minute timeout.
Since I work with Salesforce API, the user has to enter his/her password either way since it relates the ticket to their account.
The API oAuth2 tokens and all of its sensitive components need to be secured.
I use PowerShell & a module called FileCryptograhy to produce an AES version of my config.json.
In my config file, I store all the component keys that need to be used to generate the token itself.
Steps
Base64 encode strings
Use FileCyptography module to encrypt the JSON file with a secret key into an AES file.
When API needs to produce a token, it works in reverse to get all the data.
Is this a valid way of securing sensitive API data, or is there a more efficient way?
P.S: I understand that nothing is very secure and can be reverse engineered, I just need something that will keep at least 90% of people away from this data.

JSON Web Tokens in Node Js Express application

So I have an API using Express in NodeJS and I want to secure it so only I or known clients can use it. I found about JSON Web Tokens but not sure how to keep the key secure if I'm making AJAX requests to the API from a web client using JQuery for example. People will be able to get the key and make request themselves right?
How do I prevent this? Or have I misunderstood the concept of JSON Web Tokens.
Other smaller question, I found the jsonwebtoken npm package which seems popular and you can sign a web token and verify one. How does the verification work? I know you pass a secret but the same secret is used for multiple signed keys right? I originaly thought I store the key in a database or something and verify if the provided key in the request is in my database but that does not seem to be the case as the you do not store the key.

Secure iOS to online database connection

I have an iPhone application that needs to collect data from an online MySQL database. I've written a PHP web service so I collect the data with JSON. The problem is that everyone can see the data if they go to the URL now. How do i secure the data transfer properly?
Thanks for your suggestions.
Typically, if you are showing data private to a particular user, then each user will generally have an account (user id and password). The app will pass the user's credentials to the server before the server will provide the user's data.
You can also do something similar using SSO integration, or OAuth (ala Facebook).
In some cases, your app may only pass the username/password on the initial call and receive a session ID, which the app passes on remaining calls. This allows the server to store session data.
Even if the data isn't private to a particular user, you can use accounts to restrict access and privileges for a publicly reachable web API.
In all of the above cases encryption such as SSL (HTTPS) must be used to protect the authentication mechanisms and data transfer.
I'm assuming your data is public for all users of your app, in other words, you don't want to implement a login mechanism for your users. If you just want to make sure you return the data only to users of your app and not to anyone who happens to enter the right URL in their browser, you will need to sign your requests, so that only requests from your app are accepted by your server.
I use a secret key that my app uses to create a hash/digest of the request which the server verifies (it knows the secret key as well). Also I make sure requests cannot be replayed if they are intercepted by adding a timestamp and a nonce. The timestamp is checked to be within 10 minutes of the server's timestamp (relaxed sync) and the nonce must be unique (server keeps the last 10 minutes of nonces). This way no-one can copy the same request, the server will just serve an error if they try.
This post explains how to sign your requests in a bit more detail:
http://www.naildrivin5.com/blog/2008/04/21/rest-security-signing-requests-with-secret-key-but-does-it-work.html

html5 localstorage accessiblity

In html5 if I create an new local storage key called mykey from a website www.a.com, will I be able to access mykey from another site, say www.b.com ?
Can any website access the key/value pairs created by other website? Please explain in detail. Even links will do fine.
I created two jsp files both of them using the same local storage and deployed them in jboss as different files. Now both the domains i.e localhost:8080/store1/local_storage.jsp and localhost:8080/store2/local_storage1.jsp are able to access the same key/value pair. How is that possible?
No.
Just like cookies are these objects only accessible from the domain that created them, for security reasons.
If you want to pass data from one domain to another I can recommend a form that posts to another site or put the data in a query string :)

Flash Security help needed

I am developing a player and i want to make it for only one domain usage for one download. If user needs again then again hew needs to download another version from my site. How can i make it. Please some one tell me
You have to create a key. a fancy hash of their domain name would do the trick, when a user downloads your app - they enter the domain name and receive a key. OR you can add it to your own databse and ensure your application checks the key everytime the player is run. That way you can see where the app is running from.
If they try to use the player on a domain that is not in your database, or the key does not work - the application can be killed.
So: domain name hash (maybe md5 twice), this is given to the user to add to a config OR you save it and the player talks to your server.