I am fetching Gmail inbox to the web application by using Gmail API. I am using RestAPI to connect with the web application. Everything is working and ready to go live. But the app is rejected by Google and asks for a Security assessment which has around $75K expenses.
As we are only reading messages through API and users are also already permitted to perform the same activity.
My question is, How to avoid Security assessment as we are using restricted and sensitive scope like GMAIL API & PubSub. But without these scopes, we can't fetch the messages.
How to avoid Security assessment? Is there any other way to achieve this requirement?
Looking forward to the community help. It's a major blocker for us to go live.
Thanks in advance.
If you need to use a sensitive or restricted scope, and you are not exempt from verification.
There is no work around to the security assessment.
info from docs.
sensitive-scopes
Apps that request sensitive scopes must verify that they follow Google’s API Services User Data Policy and will not have to undergo an independent, third-party security assessment. This sensitive scopes verification process typically takes 3-5 business days to complete.
Option: don't request a sensitive scope.
https://mail.google.com/ (includes any usage of IMAP, SMTP, and POP3 protocols)
https://www.googleapis.com/auth/gmail.readonly
https://www.googleapis.com/auth/gmail.metadata
https://www.googleapis.com/auth/gmail.modify
https://www.googleapis.com/auth/gmail.insert
https://www.googleapis.com/auth/gmail.compose
https://www.googleapis.com/auth/gmail.settings.basic
https://www.googleapis.com/auth/gmail.settings.sharing
restricted-scopes
Apps that request restricted scopes must also verify that they follow Google’s API Services User Data Policy, but they must also meet the Additional Requirements for Specific Scopes. One of these additional requirements is an independent, third-party security assessment. For this reason, this restricted scopes verification process can potentially take several weeks to complete.
Option: Dont request a restricted scope.
https://mail.google.com/ (includes any usage of IMAP, SMTP, and POP3 protocols)
https://www.googleapis.com/auth/gmail.readonly
https://www.googleapis.com/auth/gmail.metadata
https://www.googleapis.com/auth/gmail.modify
https://www.googleapis.com/auth/gmail.insert
https://www.googleapis.com/auth/gmail.compose
https://www.googleapis.com/auth/gmail.settings.basic
https://www.googleapis.com/auth/gmail.settings.sharing
Exceptions to verification requirements
Could your app be exempt from the verification requirements.
Related
I read the really interesting articles:
http://stytex.de/blog/2016/03/25/jhipster3-microservice-tutorial/
http://stytex.de/blog/2016/09/15/jhipster-3-dot-7-secure-service-communication/
My question is: how can I implement secure service-to-service communication in an application generated using JWT?
I suppose AuthorizedFeignClient annotation is only available for applications generated using OAuth2.
Thanks, Mic
It depends on how strict you see "service-to-service" communication.
Case 1: "authenticated" is enough or you want to forward the user's permissions (authorities, roles...) to the next service
Then you can use #AuthorizedUserFeignClient to enable token forwarding. Here the first microservice act as the user when making requests to the second microservice.
Case 2: request microservice should have different permissions than the user
In certain situations, you want to have different access control rules, when a request is done by a microservice, not user.
This problem is not trivial and one of the core use cases for the OAuth2 way of microservice security.
I am working on a micro-service architecture using Spring Boot. We have implemented OAuth2 in a Auth Server.
My question is - If two microservices want to communicate what should be the best way?
As of now, I have discovered below options:
If each microservice is verifying the token then we can pass the same token. But the problem is - in between same token can be expired.
If we use client_credentials grant then there we are having two issues: one is, we need to send the username in next microservice. Another one is, we need to request two times - first for getting the access token, next for actual call.
If we do the token verification in API gateway only (not in microservices) then from the API gateway we need to send the username in every microservices. And microservices implementation needs to be changed to accept that param/header.
Please suggest which option should I pick and if there is any better option please let me know.
Thanks in advance.
Not an expert either, but
If we do the token verification in API gateway only (not in microservices) then from the API gateway we need to send the username in every microservices. And microservices implementation needs to be changed to accept that param/header.
could be changed this way:
You make authentication/authorisation the problem of the gateway.
When gateway authorizes the client, it attaches JWT token to every microservice request its going to make on behalf of the client (instead of sending username). JWT will contain all information that microservices might need. If the microservice will need to call other microservice, it will need to pass that token further with the request.
So the idea is - for EVERY request that comes through the gateway, a NEW JWT is being attached to the request. Then you don't have expiry problem and tokens are easy to verify.
I am not an expert on OAuth, but I have done a fair bit of work with microservices. When working with microservices, it is often a good idea to separate your services in such a way that:
They each know as little as possible about the concepts/concerns that they delegate to other services
Their dependency graph is acyclic, whether the services are microservices or part of a well-designed monolith
Take an example of Accounts and Orders. You could have the Accounts service know about users, authentication and authorization, sessions, and contact information. If a user wants to view an order, the accounts service could take all requests, ensure that the user is authorized to do so and then request the order directly from the Orders Service.
The downsides to this approach are:
The Accounts Service must pass all orders data through to the user client, which may result in code duplication and complexity
Changes to the Orders Service API may require changes to the Accounts Service to pass through new data
Upsides are:
The Accounts Service can authenticate with the Orders Service directly using a service-level authentication mechanism like an api token
The Orders Service may live on a private network
Another approach might be to have a third service responsible for identity. The client would make requests directly to the Accounts Service and Orders Service, which would each then ask a third service, let's call it an Identity Service, if a session is valid. If not, it would forward the user to authenticate (sign on) with the Identity Service. Then on each request from the client to the Accounts Service or Orders service, these services would check with the identity service if the session is still valid.
Advantages to this approach are:
The Accounts and Orders Services do not need to know about usernames and passwords
Each service simply provides the data it is responsible for directly to the client
Downsides are:
This architecture is a bit more difficult to set up
A third approach is to implement either of these approaches into a single service. In the case of accounts and orders, I might make an argument that they are very closely related and that splitting them out into separate services may not improve your architecture.
As I said, I am certainly not an expert in OAuth, but I have worked a fair bit with services and microservices.
I'm going to develop a Banking application that will send and receive information to mobile devices of bank account holder. I want to use REST api of Spring framework for this purpose. Is there any bank that uses RESTful api for applications?
Does RESTful api provide enough security for this purpose?
Or should I stick to use SOAP web service?
I know, this question is asked several times. But I want to concentrate on feasibility of REST api for Banking domain.
Most banks still use SOAP for integration, but you could find examples of companies like Visa or Paypal which expose their api in a RESTful way.
There is a key difference between using SOAP with WS-Security and a REST api with SSL, thats WS-Security which offers end-to-end security (offers confidentiality and integrity protection from the source of the message to the receiver).
What we are dealing here is security at two different levels: HTTPS applies at the transport layer (which you could apply to REST or SOAP service) and WS-Security applies at the application layer.
But now you could deal with REST using OAuth2, check on how Paypal uses it here.
Another question related: Secure Web Services: REST over HTTPS vs SOAP + WS-Security. Which is better?
Yes, it is as secure (or insecure) as any other method including SOAP. You still have to follow all best practices while writing your application (using https everywhere, encrypting sensitive data, making sure you don't write sensitive data to logs in plain text, and so on). It is best to discuss with the Security team for your bank/company, they'll usually have a set of requirements that you need to follow to secure your application.
From security perspective REST over HTTPS is good enough unless you need end-to-end security or you have compliance limitations.
If your banking mobile application will communicate through any intermediates (this could be NFC, Bluetooth Low Energy enabled POS e.g.) then I would recommend considering end-to-end security depending on risks and sensitivity of the information you are planning to send. Unfortunately there is no end-to-end security mechanism I can recommend for banking app except WS-Security. I had a look at many solutions like JSON Web Encryption (JWE), Javascript Object Signing and Encryption (JOSE), OAuth 1.0 Signature and others. I've found no solution which provides end-to-end security with respect to Integrity, Confidentiality, Authenticity for RESTful web-services out-of-the-box. The reason is that RESTful web-services are assumed to work always over HTTP and thus they will be protected with HTTPS. So if you need end-to-end security it's a good point to think about SOAP and WS-Security.
Another reason to think on WS-Security could be compliance regulations like PCI DSS. Then you can reduce compliance scope with end-to-end encryption of cardholder data. Good example is what Netflix guys did https://youtu.be/sYFDnGjNVrk. So investigate your compliance regulation if you have such before making a decision.
More of a question of understanding rather than looking for a technical solution. I'm on a team working to build an iOS application that needs database support. We're using Swift for the application code. A Django REST API wraps a MySQL database on the backend. The two are communicating over HTTP using Swift's NSURLSession class.
We will be passing password information over one of the http requests, and so we want to up the requests to HTTPS. On the API side we can force traffic through SSL middleware using django-ssilfy.
My concern is that including this library does nothing on the client-side. As far as I know we will only need to change the url to include 'https://' rather than 'http://'. It seems that the data passed will only be secure once it reaches the API, rather than over the entire connection.
Is there anything we must do to secure the data being passed over the NSURLSession on Wi-Fi and mobile networks? Or is simply pointing the session at an API view that is throttled through a SSL port enough to ensure the request is secure?
Please let me know if I am way off track or if there is any steps other than django-ssilfy that I should take in order to make all http communication secure!
Go SO!
This question is more about whether or not SSL is secure, and less about if any of the tools that are being used make it less secure.
Luckily the Information Security Stack Exchange has your answer with an in-depth explanation as to how TLS does help secure your application.
When it comes to securing your Django site though, django-sslify is a good start, but it's not the magic cure to security issues. If you can, it's recommended to not serve insecure responses, which works well for API hosts (api.github.com is one example), but not if your API is hosted on the same domain as your front-end application. There are other Django apps available that are recommended, such as djang-secure (parts of which were integrated into Django 1.8).
You should also follow the Django security recommendations, and revisit them with new major releases. There are other resources you can look at, like "Is Django's built-in security enough" and many other questions on the Information Security Stack Exchange.
We're building a set of external web services to be consumed client-side (using jquery/AJAX) by visitors to our site. The web services need to be publicly available but we'd like to limit access to site visitors.
Importantly, the site in question sits behind a CDN and we cache page content for 24 hours; AJAX requests would preferably be cached as well but I'm conscious doing so will limit our authentication options. Our visitors access the site and services anonymously.
What are some standard "patterns" for authenticating client requests? I'm not dealing with confidential data per-se but do want to deter other users/sites from hijacking these services for liability (think data distribution) and performance reasons.
I'm thinking of a shared secret that's refreshed daily and used site-wide by all clients; any web service request would include the secret. Pretty basic but are there other, better ways for the service to detect the caller's origin in a manner that can't be spoofed?
If the threat to your web service is related to someone automating the client calls, you can implement rate limiting on server side. As you rightly mentioned, client can be required to provide key for each request. Alternatively, if only mortals are going to interact with web service, you can also implement Human Interaction Proof like Captcha etc. One thing to make sure is that "key" which will be used by client needs to given in controlled manner. I once came across a system which basically gave away unlimited keys - this means that automation control will be ineffective as an attacker can request as many keys and make unlimited calls. If you are limiting using IP address, make sure that you throttle requests on network part of ip address (A.B.C.X) as host part (X) can change (when users are behind proxies) If your clients are anonymous, the best/closest "identifier" is indeed address.