2

I'm implementing a Whatsapp Web-like feature for my Android application. User should be able to open an HTTPS web application that displays a QR code (a GUID generated by the server) and scan it using her device sending it back to the server. Above all this ASP.NET Core SignalR server keeps track of these connections by associating that GUID with the two clients (browser and Android device). At that point bidirectional communication between the two clients with the server acting as a "forwarder" is possible (using WebSockets).

Some facts:

  • Android application is unauthenticated, the only way I have to identificate univocally a user is Firebase anonymous authentication
  • transferred data is anonymous and by no mean sensitive
  • I want to give the best possibile security to my users with this setup
  • I'm no security expert :(

My question is: so you see any concern from the security point of view? What could I do to improve it?

Alessandro
  • 121
  • 1
  • 1
    You could improve the security of this a bit by making it mutual authentication. Have the phone app send some secondary code with the QR code data, and make the user verify it in the web application before they associate. That way shoulder surfers can't hijack the authentication phase as easily. – Austin Hemmelgarn Feb 08 '19 at 20:26
  • I had the same idea before reading your comment, so that makes me a little bit more confident! :-D I thought about adding a 4 or 5 digit PIN on the mobile side? is it enough based on your opinion? Thank you so much!! – Alessandro Feb 11 '19 at 08:14

0 Answers0