+ 7

How to encrypt my API response? End to End encryption between Android/IOS and PHP?

I am creating this API that will respond to a request with a JSON file... But I'm afraid that a hacker with a tool like Wireshark can sniff my network and see the plain text JSON data, that is supposed to be private cause it contains personal information... So how do i encrypt that JSON data so that a sniffer will find encrypted text instead of plain text when relying a call from an android/IOS? Is there something i can do or does the HTTPS service encrypt it with the SSL certificate? I tried Googling this, i got nothing... 😭

3rd Nov 2018, 8:14 AM
David Ajaba
David Ajaba - avatar
12 Answers
+ 5
When I learned SSL I installed Nginx, put a website on it, added a cert the "normal" way...a tutorial. * Tutorials abound for getting this far, including a dozen or more places to get free SSL for life (I had a purchased cert, I've also used Comodo's free certs). *** THEN!... *** I hit this site repeatedly--reading reports + site help + Google for bad ratings--until I was a couple points shy of the highest rating possible (A++ with sprinkles or something): * https://www.ssllabs.com/ssltest/ Sites like this are nice for passing tests, but the point really is...use it to learn SSL (really, getting to A+ without copy-pasting means you're starting to get it), because there's a lot of legwork you have to have done already just to keep a discussion about this reasonably short. Or...pay someone to do this for you, because it really is a bit of work and (xp from pentesting here) it's easy to miss things.
4th Nov 2018, 3:06 AM
Kirk Schafer
Kirk Schafer - avatar
+ 5
Using Authentication header in http requests with its value as base64 encoded text of hmac of request details might help, Authentication : base64encode( hmac("sha256", "secret", "your request details here") ) Here's a good read on this, https://blog.restcase.com/restful-api-authentication-basics/
4th Nov 2018, 11:04 AM
Morpheus
Morpheus - avatar
+ 3
But isn't there a way, or a tutorial i can look at to learn this? Cause I'm being paid to do this...
4th Nov 2018, 9:18 AM
David Ajaba
David Ajaba - avatar
+ 3
But isn't there a way, or a tutorial i can look at to learn this? Cause I'm being paid to do this... Is there any encryption mechanism that i can use to encrypt the data on php, and send it across to the android, so that even if someone sniffs the network, they'll see only Cipher text in a string format? Then I decrypt the data on android on IOS or Android...
4th Nov 2018, 9:18 AM
David Ajaba
David Ajaba - avatar
+ 3
Morpheus thank you very much... You're a life saver... 🙌
4th Nov 2018, 7:07 PM
David Ajaba
David Ajaba - avatar
+ 3
(nods at link, nice read) Question (reading that may answer below): How does the secret come into existence (get shared), persist, get updated? * You wish to read this thread: https://security.stackexchange.com/questions/20129/how-and-when-do-i-use-hmac * Note this comment: "...His API requires HMAC signing of all api calls with the users Private API Key [it's the "secret", which includes the public key in the hash]...[make sure you know how to use [HMAC]...because I paid the price in the form of a devastating API hack...]" * Some HMAC tips, including keypair generation hints so you can disable API instances: https://www.wolfe.id.au/2012/10/20/what-is-hmac-authentication-and-why-is-it-useful Note, there are HMAC generator/testers online (I got different results on them / ran out of time to check so just FYI)
5th Nov 2018, 1:53 AM
Kirk Schafer
Kirk Schafer - avatar
+ 3
Incidentally, I just skipped through a familiar PHP vulnerability (and common wargame challenge) that bypasses an HMAC implementation due to how PHP handles variable types...and in the video the "secret" and "data" fields may be reversed. Checking the article and PHP documentation there may be a discrepancy, just read carefully. From the direction of "learning secure coding by evaluating an implementation error", the video title is "Let's play a game: what is the deadly bug here?"
6th Nov 2018, 1:52 AM
Kirk Schafer
Kirk Schafer - avatar
+ 2
N00B The complexity of your challenge kindof emphasizes my point...that there's a lot to know about SSL--to do it right. Normally I'd happily iterate through the config (because it's all self-improvement) but I'm unfortunately distracted; it's not personal, just stuck in some annoying maths. For what it's worth, I really try very hard to not make false claims. Verifying if HSTS is enough may be a "topic for further / ongoing research" if someone is serious about this field.
5th Nov 2018, 9:58 PM
Kirk Schafer
Kirk Schafer - avatar
+ 1
Kirk Schafer Yes of course, everything can be "hacked". But tell me more. What do you mean by "bypass"? How do you want to bypass TLSv1.2 with RSA 2048 and AES 128 GCM SHA 256 with HSTS?
5th Nov 2018, 5:50 PM
N00B
0
SSL is already encrypting your traffic. What do you want more? It is as secure as it can get. Unless your are using low security like sha1 and 2048 bit keys and 128 bit encryption.
5th Nov 2018, 1:19 AM
N00B
0
N00B When not fully understood by implementors, SSL can be bypassed (I do this all the time). Major sites tend to do a good job; others...not so much.
5th Nov 2018, 5:28 PM
Kirk Schafer
Kirk Schafer - avatar
0
It's possible to encrypt the traffic from your API to your app. But it can always be decrypted and your response is always readable.
25th Jul 2019, 4:22 PM
N00B