4

I am writing a master thesis concerning security of certain applications, and as a part of it I want to write a web app on Google App Engine and test how secure it is.

Does anyone know if there was any study done on the security of GAE in comparison to other servers for web apps?

What would you say are the most likely weak chains in creating a web app on GAE an handling users' valuable information? For example, is the web app only as secure as the web admin's password, or can there be some other security measures in place to prevent even the admins from accessing users' information stored with the app?

Hendrik Brummermann
  • 27,118
  • 6
  • 79
  • 121
ThePiachu
  • 365
  • 3
  • 8
  • Welcome to IT Security, @ThePiachu! Some feedback: These are several separate questions. I encourage you to post them separately: I think you might get better responses. The usual advice is "one question per question". – D.W. Sep 27 '11 at 04:06
  • Hello and thank you. I figured I`d post them together since they are all based around the same issue. – ThePiachu Sep 27 '11 at 14:08

3 Answers3

4

Those are very general questions, so I can only give a general answer. Security can be evaluated in the context of a concrete threat model.

Does anyone know if there was any study done on the security of GAE in comparison to other servers for web apps?

http://scholar.google.com is a good source of scientific papers.

What would you say are the most likely weak chains in creating a web app on GAE an handling users' valuable information?

The typical weak link of self written web applications are query injection, Cross Site Scripting and Cross Site Request Forgery.

Google does support a secure authentication service which can be used by app engine programs, which prevents many common mistakes.

For example, is the web app only as secure as the web admin's password

Yes, like a chain, the weakest link defines the overall security.

Or can there be some other security measures in place to prevent even the admins from accessing users' information stored with the app?

Since client side encryption is not feasible for web applications that are targeted at ordinary users, there is no way to protect against malicious manipulations of the web application done by the admin.

Furthermore it means that any information you store is accessible by Google, since they have both access to the data store and the application code (which might have hidden encryption keys).

Especially the last point is a huge issue, if European privacy laws apply to you. Google was forced to admit that they handover information stored in Europe about European citizens if asked by the US. The problem is that this illegal activity (see green box) by Google might cause legal trouble for the person or company using Google Services to host customer data. It is the responsibility of the company collecting data to ensure that contracted service providers comply with European law. (I am not a lawyer, so this paragraph is only as far as I understand it).

Hendrik Brummermann
  • 27,118
  • 6
  • 79
  • 121
3

Does anyone know if there was any study done on the security of GAE in comparison to other servers for web apps?

This question is too broad to answer. Or, rather, the answer is "It depends". GAE leaves it up to the developer what web programming framework they want to use. The security is going to be heavily dependent upon what framework the developer chooses, what programming practices are used, and so on.

Generally speaking, one potential advantage of "platform as a service" is that it means you don't need to act as the sysadmin for the web server farm. Instead, you outsource that to Google, who are good at it. That's one way that GAE is probably safer than running your own web servers.

can there be some other security measures in place to prevent even the admins from accessing users' information stored with the app?

With GAE as it stands today, if the developer of the GAE app is malicious, there is no way to prevent them from seeing all of the user's data. (Even if you thought you had a technical mechanism to prevent this, how would the user know whether that mechanism had been applied? They couldn't.)

Therefore, users should only share confidential data with a GAE app if they trust the developer/owner of that app. This is pretty much the same advice as I would make about any other web service: users should only share confidential data with a web service if they trust the developer/owner of that web service.

D.W.
  • 98,420
  • 30
  • 267
  • 572
  • As for malicious activity, the scenario would be more of the following: the developer is not malicious, but he wants to make sure that is another malicious entity gains the control of the system the amount of damage they can do is smaller than without the countermeasures. – ThePiachu Sep 27 '11 at 14:03
  • @ThePiachu, one great strategy is to avoid or minimize collecting confidential data (so that in the event of a security breach, no personally identifiable data is leaked). Nothing can prevent an attacker who controls your web server from collecting new information from that point forward. This advice is the same as for a regular web service; not much changes with GAE. – D.W. Sep 27 '11 at 15:47
  • The core functionality of the system is to store confidential data. Of course with long access to the system there is little anyone can do to prevent data loss. I wanted to consider a scenario where the malicious party would have access to the system only for limited time, say enough to download the whole database before the system is shut down. – ThePiachu Sep 27 '11 at 16:18
0

Few months back I did some self-experimentation over the Authorization & Authentication provide over GAE for its content using the Google Account based Access Control List.

And noted down the cases in which all practices work & scenarios (of static content) where-in only a single mechanism works because of the way it's made accessible from Google Servers.

The detailed study of experimentations is at http://hackersmag.blogspot.com/2011/06/user-authentication-authorization-at.html

~~~~~

And, from what I know and have explored over GAE..... it's as secure as the owner's Google Account Credentials. So, GAE users might want to go 2-Factor Authentication.

AbhishekKr
  • 563
  • 3
  • 4