covenantproject / cov-pat-mobileapp

Covenant - Mobile App for Patients
https://covn.org
Apache License 2.0

Mobile app uses a single app key instead of a user-specific key #18

Open sencode opened 4 years ago

sencode commented 4 years ago

Mobile app currently uses a single mobile app key (a hash) for all installations/users of the mobile app. The mobile app sends the current user's user id in all the API calls. This is a security issue because a bad actor can send in the user id of other users and query the private information of other patients.

Proposed solution:

  1. Have the server generate a unique hash for the mobile user after the user successfully completes OTP validation. This hash will be stored in the database.

  2. Server will send this hash as a response after successful OTP validation.

  3. Mobile app will store this hash in its local encrypted storage, and then submit it with all subsequent API calls.

  4. Server will validate this hash for the corresponding phone number before responding to requests.
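The four steps above as a worked server-side sketch in Python (added example, not code from the Covenant repository). It assumes an in-memory patient table and token store, uses the `phoneNum`/`phoneInfo` request field names mentioned later in this thread, and puts the current shared-key lookup next to the per-user version so the difference in authorization is visible.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data standing in for the server's patient table.
PATIENTS = {
    "+15550001111": {"user_id": "patient-A", "notes": "A's private notes"},
    "+15550002222": {"user_id": "patient-B", "notes": "B's private notes"},
}
APP_KEY = "constructed-shared-app-key"   # the single app key the issue describes

# Step 1 store: phone number -> sha256 of that phone's token. Only the hash
# is persisted, so a leaked database does not hand out usable tokens.
TOKEN_HASHES = {}

def _sha256(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()

def get_patient_shared_key(app_key: str, user_id: str) -> Optional[dict]:
    """Current behaviour: any holder of the shared app key can read any
    patient simply by naming a different user id (the reported flaw)."""
    if app_key != APP_KEY:
        return None
    return next((p for p in PATIENTS.values() if p["user_id"] == user_id), None)

def issue_token_after_otp(phone: str) -> str:
    """Steps 1-2: run only after the OTP for `phone` has been verified.
    The raw token goes to the app (step 3); the server keeps its hash."""
    token = secrets.token_urlsafe(32)               # 256 bits of randomness
    TOKEN_HASHES[phone] = _sha256(token)
    return token

def get_patient_per_user(phone_num: str, phone_info: str,
                         requested_user_id: str) -> Optional[dict]:
    """Step 4: check phoneInfo against the stored hash for phoneNum, then
    serve only the record bound to that phone. A user id that does not
    belong to the token holder is refused instead of trusted."""
    expected = TOKEN_HASHES.get(phone_num)
    if expected is None or not hmac.compare_digest(expected, _sha256(phone_info)):
        return None                                 # unknown phone or bad token
    record = PATIENTS.get(phone_num)
    if record is None or record["user_id"] != requested_user_id:
        return None                                 # token owner != requested id
    return record
```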

retep1025 commented 4 years ago

Mobile is to attach to all requests the POST parameters "phoneInfo"={phonehash} and "phoneNum"={device phoneNum}.