
I have a mobile application which relies on a Windows Azure Mobile Services back-end. I want to tie down some security vulnerabilities. For example, someone can currently access all my records, modify or delete them. Not ideal...

I have the option of restricting certain activities to authenticated users only. However, I think that means anyone with a Facebook account can log in and have the same privileges as above? Also, I would rather not require users to log in.

I only want users to be able to access their own records (data privacy) and I want to ensure that only my application can POST data to the server, i.e. an unofficial potentially corrupted app shouldn't be able to POST data and corrupt my database. Maybe some sort of TLS etc. approach might do this? This restriction (if possible) would likely allow me to implement the above logic in the mobile software logic?

What are some common approaches to these issues, and how might I approach them specifically with Azure Mobile Services? Specific approach recommendations and Azure feature references would be ideal.

1 Answer


The only feasible method for restricting records to specific users is to use authentication. You can use any of the built-in identity providers (see https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-xamarin-ios-get-started-users/ for more information) or you can use a custom authentication scheme (see the sample at https://github.com/Azure/azure-mobile-apps-node/tree/master/samples/custom-authentication for how to do this).

After setting up authentication, you can restrict tables to only serve records that are associated with the authenticated user. Have a look at the sample at https://github.com/Azure/azure-mobile-apps-node/tree/master/samples/personal-table for how to do this.

Anders
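The per-user table pattern the answer points to, written out as an added example (this is not code from the original answer or from the azure-mobile-apps samples): a table definition whose read, insert, update and delete hooks scope every operation to the identity the server established (`context.user.id`), never to a user id the client sends in the payload. The hook shape (`context.user`, `context.query.where`, `context.item`, `context.execute`) mirrors the table-hook arguments of the azure-mobile-apps Node package, but the `table` object, the `handle` dispatcher and the in-memory `rows` array are constructed here as stand-ins for the framework and its SQL backend so the example runs offline.

```javascript
// Constructed in-memory table standing in for a SQL-backed "TodoItem" table.
// Each row carries the owner's identity as assigned by the server.
const rows = [
  { id: '1', text: 'alice task', userId: 'sid:alice' },
  { id: '2', text: 'bob task', userId: 'sid:bob' },
];

// Table definition in the shape of the personal-table pattern. Every hook
// constrains the operation to the authenticated caller; the client cannot
// widen the scope by sending a different userId.
const table = {
  access: 'authenticated', // anonymous callers are rejected before any hook runs

  read(context) {
    context.query.where({ userId: context.user.id });
    return context.execute();
  },
  insert(context) {
    context.item.userId = context.user.id; // overwrite whatever the client sent
    return context.execute();
  },
  update(context) {
    context.query.where({ userId: context.user.id });
    return context.execute();
  },
  delete(context) {
    context.query.where({ userId: context.user.id });
    return context.execute();
  },
};

// Hypothetical dispatcher emulating what the framework does around the hooks:
// enforce the access level, build the context, and apply the accumulated
// where-clause when the hook calls execute(). A non-matching update/delete
// yields 404 rather than 403 so existence of another user's row is not leaked.
function handle(op, user, payload) {
  if (table.access === 'authenticated' && !user) {
    return { status: 401 };
  }
  const filter = {};
  const matches = (r) => Object.keys(filter).every((k) => r[k] === filter[k]);
  const context = {
    user,
    item: payload ? { ...payload } : undefined,
    id: payload && payload.id,
    query: { where(clause) { Object.assign(filter, clause); } },
    execute() {
      switch (op) {
        case 'read':
          return { status: 200, body: rows.filter(matches) };
        case 'insert':
          rows.push(context.item);
          return { status: 201, body: context.item };
        case 'update': {
          const row = rows.find((r) => r.id === context.id && matches(r));
          if (!row) return { status: 404 };
          // keep the server-assigned owner even if the payload tries to change it
          Object.assign(row, context.item, { userId: row.userId });
          return { status: 200, body: row };
        }
        case 'delete': {
          const idx = rows.findIndex((r) => r.id === context.id && matches(r));
          if (idx < 0) return { status: 404 };
          return { status: 200, body: rows.splice(idx, 1)[0] };
        }
        default:
          return { status: 405 };
      }
    },
  };
  return table[op](context);
}
```

The point worth noticing is where the ownership check lives: entirely on the server, keyed off the identity the authentication layer attached to the request. A modified client can still send any `userId` it likes, but the insert hook discards it and the read/update/delete hooks filter on the caller's own id, so the worst a tampered app can do is corrupt that user's own rows.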