
Is Worklight giving secure mechanism for handling request and response Parameters?


I am using IBM Worklight Studio 6.1.0.02-20160314-1430.

It's a hybrid application.

Request and response data between the app and adapter calls is clearly visible when I inspect (Network --> query) in the application. It's also possible to edit request or response parameters by intercepting the Worklight app with a third-party tool like Charles. I implemented SSL pinning in the application, but somehow SSL pinning is also breakable, as a lot of tools are already available online. Is Worklight giving any encrypt/decrypt mechanism for the request and response parameters that are communicated between the adapter and the app?

Currently I tried adding custom encryption on the app side and custom decryption on the adapter side for request parameters. This is a very tedious process, as my app has hundreds of procedures. Please let me know of any centralized security I can implement so that requests and responses are not visible anywhere between the app and the Worklight server, even if someone inspects them.


Solution

  • When you redirect your traffic through a proxy such as Charles, it is expected to see communication in plain text. In this scenario you configure the setup by accepting certificates issued by Charles and modify your application to direct communication via Charles. You will not see your data in plain text if you try to sniff ongoing SSL traffic.

    That said, the certificate pinning feature is available out of the box from MFP 7.1 onwards. Certificate pinning is done before making any calls to the server, and as such all your communication can be secured. You already seem to have adopted the other approach of encrypting parameters at the client and decrypting later at the server. In case you have many adapter invocations, you can have a single method that produces encrypted content, and all your adapter invoke parameters can be passed through this.