Best ST Security Guide or Practices?


planewryter
29 May 2011, 11:36 AM
Fellow STers,

Based on your experience, what is the best published guide regarding designing and developing secure Sencha Touch applications?

Or, does anyone have "Good, or Best" Practices they'd share?

Like many on this Forum, I'm working on an ST-centric app (with a PHP backend) that has distinct security implications & needs (e.g., secure login; encrypted two-way data-exchange; encrypted data-storage; protected PHP endpoints)...seems that many of us would benefit from using well-proven security practices.

Many thanks in advance for your assistance!

Best regards,
Plane Wryter

realkevinroth
29 May 2011, 5:17 PM
Using SSL is always a good idea. You really want to use some sort of encryption scheme to prevent man-in-the-middle attacks. SSL is an easy first step, and one that many web developers will already be comfortable using.

As far as storing sensitive info client side, I'd recommend not doing it. Keep all the secure stuff server side, and just pass SSL encrypted json when necessary. Client side storage will always be insecure.

As far as server side recommendations go (in your case the php scripting), you want to program defensively, and work to prevent XSS (cross site scripting) attacks. The bulk of your security should be server side. You can obscure and minify your code, and prevent some people from figuring out how it works, but client side script by nature is insecure.
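A minimal protected PHP endpoint that puts the advice in this post into code (an added example, not code from the thread or from Sencha): it refuses plain HTTP, keeps the user's state in a server-side session with secure cookie flags rather than on the client, and returns only JSON with the output escaped. The session layout (`$_SESSION['user_id']` set at login) and the `name` query parameter are assumptions for the example.

```php
<?php
// Added example, not from the thread. Requires PHP 7.3+ for the array form
// of session_set_cookie_params() and JSON_THROW_ON_ERROR.
declare(strict_types=1);

// Refuse anything that did not arrive over TLS; the JSON must not go in clear.
function requireHttps(): void {
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$https) {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'TLS required']);
        exit;
    }
}

// Server-side session: the cookie is only sent over TLS, is not readable by
// script (limits what an XSS bug can steal) and is not sent cross-site.
function startSecureSession(): void {
    session_set_cookie_params([
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Assumption: the login handler stored the user id in the session.
function requireLogin(): int {
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'login required']);
        exit;
    }
    return (int) $_SESSION['user_id'];
}

// Always answer with JSON; the HEX flags keep the output harmless even if a
// page ever inlines it into HTML, and nosniff stops browsers re-interpreting it.
function jsonResponse(array $data): void {
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

requireHttps();
startSecureSession();
$userId = requireLogin();

// Validate client input against a whitelist before using it (assumed parameter).
$name = (string) (filter_input(INPUT_GET, 'name') ?? '');
if (!preg_match('/^[\w .-]{1,64}$/u', $name)) {
    http_response_code(400);
    jsonResponse(['error' => 'invalid name']);
    exit;
}
jsonResponse(['user' => $userId, 'greeting' => "Hello, $name"]);
```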

siebmanb
10 Jan 2012, 2:31 AM
But then how do you avoid constantly asking your user to log in? From what you say, I guess you have no choice, do you?