2

So, some background. I am currently working on a social media app for Android. We are programming it in Java, and are using OKHTTP3 for a connection to the PHP backend, which will handle updating the MySQL database and storage.

My question is this: How should I handle passwords? Once the user enters their credentials into the login form, do I hash the password (we plan on using bcrypt) and then send them over to the PHP backend for immediate storage? Or does the PHP backend need to do more security hashing or encryption?

The way I think it will be done right now is this:

1. User enters credentials for signup
2. Password is hashed
3. Credentials are sent to the server
4. Credentials are entered into MySQL

What should be done differently? Is this fine?

Reading "making an iPhone/Android app which sends a user password to my server, how to secure?" didn't answer my question well enough.

Bobdabiulder
  • Sounds pretty solid. One thing I would recommend is sterilizing any data that is passed to the PHP form to prevent XSS, command injection, etc. – Verbal Kint Aug 24 '16 at 15:56
  • Good, thanks @VerbalKint. How do I sterilize the data? Isn't that just making sure it's not accidentally run as code by MySQL/PHP? – Bobdabiulder Aug 24 '16 at 15:58
  • You should not be hashing the password client side. – multithr3at3d Aug 25 '16 at 01:58
  • @korockinout13 Notice how I said hash BEFORE send the credentials to the server... – Bobdabiulder Aug 26 '16 at 03:44
  • @Bobdabiulder in other words, on the client side. – multithr3at3d Aug 26 '16 at 22:21
  • Then where should I hash? – Bobdabiulder Sep 03 '16 at 23:11
  • @GeorgeBailey if that's insecure, would you rather I send plaintext passwords to the server? Obviously you're right about how my idea is flawed, but what would secure the password as it's being sent to the server? – Bobdabiulder Sep 23 '16 at 17:21
  • @Bobdabiulder https://en.wikipedia.org/wiki/Pass_the_hash This specifically refers to the case in windows but it should apply elsewhere. Essentially, by hashing clientside and then using the resultant string to authenticate, you remove the purpose of the hash. The hash is to make the password unknown to someone reading the data out of a table. The value in the table in your scenario can directly be used to authenticate the user to the server. – d0nut Sep 23 '16 at 18:42
  • @Bobdabiulder "but what would secure the password as it's being sent to the server?" Generally, we use a little known technology called TLS/SSL. Make sure that the connection to your server is over HTTPS and it should be fine. Don't do a GET request with the password in the URL though, since the value can show up in logs on some webservers. – d0nut Sep 23 '16 at 18:43
  • @Bobdabiulder, If you have any other questions about my answer, please comment on my answer instead of your question. :-) – 700 Software Sep 23 '16 at 19:05
  • I was going to but it won't let me on the app, probably rep related, sorry @GeorgeBailey – Bobdabiulder Sep 23 '16 at 19:10
  • *"would you rather I send plaintext passwords to the server?"* Yes, so long as you are using an encrypted connection. HTTPS is a good way to achieve TLS/SSL (encryption w/ MITM protection) as @iismathwizard suggests. – 700 Software Sep 23 '16 at 19:33
  • *"won't let me on the app"* If that's true, it is a bug, which you can report on [Meta Stack Exchange](http://meta.stackexchange.com). – 700 Software Sep 23 '16 at 19:34
  • Are you sure it's not my low rep?? – Bobdabiulder Sep 23 '16 at 21:09
  • I'm fairly sure you can't comment without 25 rep actually. So yes, I think it's your rep. – d0nut Sep 23 '16 at 22:49
  • Exactly lol not a bug – Bobdabiulder Sep 23 '16 at 23:25

2 Answers

2

You misunderstand the purpose of a hash.

A cryptographically secure hash is a one-way function, so that the original text (the password) cannot be determined except by brute force.

In your example, it is not necessary to find the original text. If the attacker steals the hash, then they can still sign in without knowing the original password, just by altering a copy of the app to use the stolen hash instead of generating a new one.

Your server should do the hashing internally, not the app (client-side).

For passwords, you have to use a Slow Hash such as BCrypt, with a high work factor. This should take ~100ms on your target hardware (with appropriate DoS protection), knowing that an attacker's brute-forcing hardware will be much faster.

Keep in mind that weak passwords cannot be secured, no matter how slow your hash function is.

Also be sure that you use an HTTPS connection between the app and the server, as mobile users may use shared WiFi which could easily be used to spoof plain HTTP connections.

700 Software
  • Perfect answer. Might be worth linking to: https://en.wikipedia.org/wiki/Pass_the_hash . This Wikipedia page is specifically about how this attack works on Windows with NTLM hashes but the principle is still the same. – d0nut Sep 23 '16 at 18:45
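The flow the answer describes, as an added example in PHP (not code from the question or either answer): the server receives the plaintext password over HTTPS and does all the hashing itself with bcrypt at a cost calibrated to roughly 100 ms on its own hardware, and login never accepts a stored hash as a credential. The `users` table, its columns and the PDO handle are assumptions.

```php
<?php
// Added example, not code from the question or either answer: a PHP backend
// that receives the plaintext password over HTTPS and does all the hashing
// itself with bcrypt. The users table, its columns and the PDO handle are assumptions.
declare(strict_types=1);

// Pick the bcrypt cost that makes one hash take roughly the target time on
// the hardware that will actually run it (the answer suggests ~100 ms).
function calibrateBcryptCost(float $targetMs = 100.0): int
{
    $cost = 10; // PHP's default cost; treat it as the floor
    while ($cost < 31) { // 31 is the bcrypt maximum
        $start = microtime(true);
        password_hash('calibration-sample', PASSWORD_BCRYPT, ['cost' => $cost]);
        if ((microtime(true) - $start) * 1000 >= $targetMs) {
            break;
        }
        $cost++;
    }
    return $cost;
}

// Signup: password_hash() generates a random salt and embeds it, the cost and
// the algorithm id in the 60-character string that is stored.
function registerUser(PDO $db, string $username, string $password, int $cost): void
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Login: password_verify() re-hashes the submitted plaintext with the stored
// salt and cost and compares in constant time. A copy of the table does not
// let anyone log in, because the stored value is never accepted as a credential.
function loginUser(PDO $db, string $username, string $password, int $cost): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false || !password_verify($password, $stored)) {
        return false;
    }
    // Raise old hashes to the current cost the next time the user logs in.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $cost])) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute([':h' => password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]), ':u' => $username]);
    }
    return true;
}
```

Read the credentials from the POST body (`$_POST`), never from the query string, so they stay inside the TLS tunnel and out of web server logs; run `calibrateBcryptCost()` once at deploy time rather than per request.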
-2

You can do the usual regex check of input to be sent to the server. Use an HTTPS connection to send your credentials. Maybe Retrofit instead of OkHttp3? (only for simplicity, not for security reasons). That is a good base to start IMHO. If you need to store information on Android you can use Realm. It's a mobile database that supports encryption and it is a simple solution to store information on the device. If you need to store only the password I would suggest using the "Keystore" feature of the Android system.

wolfy
  • Thanks. Is retrofit a library? Yes, I agree on the HTTPS part, that wasn't my decision to use OKHTTP3. I think I'll go token-based for already logged in users. – Bobdabiulder Aug 24 '16 at 16:10
  • Retrofit is another library from the Square company that can use the OkHttp library to intercept calls (so you can easily set up the token auth as you said). It is better than OkHttp when you need to map JSON objects directly into Java objects because it does this operation automatically. You can easily find examples that explain this feature better. Here is the link: [Retrofit](http://square.github.io/retrofit/). EDIT: Good example [here](https://guides.codepath.com/android/Consuming-APIs-with-Retrofit) – wolfy Aug 25 '16 at 09:19
  • This does not answer the question. The OP is asking about the order of events regarding when to Hash, Transmit and Store the password on the server. (stored on server, not Android, so does not have that particular Keystore system) – 700 Software Sep 23 '16 at 17:04