
I'm registering the devices of my app users with a third-party push notification service.

I need to associate each device with its user at the service so that I can target a specific user's devices when sending a notification.

I could associate the device with the user's database ID, but I'm inclined to use a special GUID identifier in order to hide the user's database key.

I reckon the database key could leak information about the system, including a hint as to the number of users of the system.

Does this sound unnecessary?

Ian Warburton

Comments:

  • https://stackoverflow.com/questions/396164/exposing-database-ids-security-risk. Note: your point about number of users is mentioned in one of the answers. – potatopeelings Dec 07 '17 at 23:46
  • Also https://security.stackexchange.com/questions/116272/is-there-any-concern-regarding-a-database-primary-key-exposure?noredirect=1&lq=1 - I don't want to mark this as a duplicate of that because this is to a third party service. – potatopeelings Dec 08 '17 at 00:01
  • It makes sense to mask the primary key to your system; it goes a long way to mitigate insecure direct object reference vulnerabilities if your PK is an int. – iainpb Dec 08 '17 at 12:07
  • Couldn't you have a reference vulnerability using a masked key too? – Ian Warburton Dec 08 '17 at 13:24
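The following is an added example, not code from the original question or from any of the commenters. It shows the aliasing approach the question proposes (a random GUID stored next to each user and handed to the push service instead of the sequential key) together with the point raised in the last two comments: an unguessable alias removes the enumeration and ordering leak of an integer key, but any endpoint that accepts an alias from the client still has to check that the alias belongs to the caller. The user store and `FakePushService` are in-memory stand-ins constructed for the example; a real push provider's registration and send calls will differ.

```python
from __future__ import annotations

import uuid
from dataclasses import dataclass, field


@dataclass
class User:
    """One row of the users table. db_id is the sequential primary key and
    never leaves the application; push_alias is what the push service sees."""
    db_id: int
    email: str
    # uuid4() draws 122 random bits from os.urandom, so aliases neither order
    # users nor reveal how many exist, unlike a sequential integer key.
    push_alias: str = field(default_factory=lambda: str(uuid.uuid4()))


class UserStore:
    """In-memory stand-in for the users table (constructed for this example)."""

    def __init__(self) -> None:
        self._by_id: dict[int, User] = {}
        self._by_alias: dict[str, User] = {}

    def create(self, email: str) -> User:
        user = User(db_id=len(self._by_id) + 1, email=email)
        self._by_id[user.db_id] = user
        self._by_alias[user.push_alias] = user
        return user

    def by_id(self, db_id: int) -> User:
        return self._by_id[db_id]

    def by_alias(self, alias: str) -> User | None:
        # Used when the push service (or a webhook from it) hands back an alias.
        return self._by_alias.get(alias)


class FakePushService:
    """Hypothetical stand-in for the third party's registration/send API.
    It is handed aliases and device tokens only, never db_id."""

    def __init__(self) -> None:
        self.registrations: dict[str, set[str]] = {}  # alias -> device tokens
        self.sent: list[tuple[str, str]] = []          # (alias, message)

    def register_device(self, alias: str, device_token: str) -> None:
        self.registrations.setdefault(alias, set()).add(device_token)

    def send_to_alias(self, alias: str, message: str) -> int:
        """Deliver to every device registered under alias; returns the count."""
        self.sent.append((alias, message))
        return len(self.registrations.get(alias, ()))


def register_device(store: UserStore, push: FakePushService,
                    session_user_id: int, device_token: str) -> str:
    """Registration handler. The alias is derived from the server-side
    session's user, never from a client-supplied user identifier."""
    user = store.by_id(session_user_id)
    push.register_device(user.push_alias, device_token)
    return user.push_alias


def notify_alias(store: UserStore, push: FakePushService,
                 session_user_id: int, target_alias: str, message: str) -> int:
    """Handler for an endpoint that accepts an alias from the client (for
    example a 'send a test notification to my devices' button). The alias
    is unguessable, but that is not authorization: an alias copied from a
    log or another device must still be checked against the caller."""
    target = store.by_alias(target_alias)
    if target is None or target.db_id != session_user_id:
        raise PermissionError("alias does not belong to the calling user")
    return push.send_to_alias(target_alias, message)
```

The alias is generated once at user creation and stored in the database, so the mapping is a plain indexed lookup in both directions; rotating it later only requires re-registering that user's devices with the push service.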

0 Answers