#[SOLVED] Security Risk! (public project id)

the storage file url contains the project id and it looks like a security risk as in the client SDK all you need to initialise is project id.

can anyone help with this?

is there a way i can get a public url which does not contain any private ids

Project ID is public info

ok. but while initialising SDK all we need is the project id how do i secure my project then?

client = Client()
.setEndpoint("https://cloud.appwrite.io/v1")
.setProject("<project_id>")
.setSelfSigned(true)

this is the code to initialise SDK as you can see the only identifier is project id

That's public. How's it a risk?

just explained above.

Security Risk! (public project id)

Yes, you only need that to initialize the SDK.
That doesn't means anyone will be able to access everything if you have permissions set properly

In order to limit the access to an specific image, database element, etc. You use the appwrite permissions to limit the access to an user.

So if I have your ID, I will not be able to access your things if you have permissions set properly

the image viewing is public but upload is private

this is my permission!

Should be something like this.
Only you should be able to create, right?

yes. but lets say you have my project id and you initialise your SDK with my id and start uploading things you can easily eat up my capacity

That's right.
To prevent that, you should limit the upload file size and/or use appwrite functions to limit the amount of uploads

Anyways, I don't think it's possible to upload an unlimited number, probably it has rate limits

Let me check, one second

that may be true. but still there should be some mechanism where you can't access my project in the first place. something like a secret key or something.

Yes it's rate limited to 60 files per minute

If it's not done server side, anyone will be able to access or intercept the request. There's not any mechanism at all to prevent that from happening here or in similar platforms.
You can make it somewhat more difficult with some mechanisms like platform verification in the case of native apps, but it's still possible if you intercept the network or similar.

yes that is true. but still like all other services have a secret key to prevent abuse. there should be some verification that i am the owner of the project. at least some header fields with the unique user and if a user intercepts the key we can simply block that user.

That is what anonymous user is for.

Project ID is public knowledge, you have to provide that info in order to make requests

The attack vector you described is actually none

The secret key (if you're referring to Supabase, for example, they call it in a cool way such as anonKey), is not to prevent abuse at all, but practically the equivalent to Project ID here.

As you can see in their docs:
https://supabase.com/docs/guides/api/api-keys#the-anon-key
https://supabase.com/docs/reference/dart/initializing

The key will be available client side, meaning anyone who checks the client side code (inspect in web) will see it, so it's not a secret at all

like in S3 we have presigned url or temprary details.

Are you aware that the project id is sent regardless? If not specified in the query but also in the header

yes i saw that just now.

Just because there is a function to set the project id does not nessecarily translate to a security risk. You have to manage your ACL properly regardless what the project id is

i will be checking the ACL as well. i just needed a public url where all these ids are not present for anyone to just start experimenting

If you could describe a possible attack vector I could check whether it is an actual concern or not. So far from what you have described there isn't one

ok so lets say i want my files to be viewed publicly but only a signed in user can upload a file that too from my app only. how do i configure my project in that case?

You have already set it.

They uploading without being signed in

but in that setting how do i make sure that the process happened on my app and not on someone else's app

Well we have implemented it but it was done via functions. You can only do damage control to a certain degree

coz as far as i can understand someone else can initialise their SDK with my project id and perform upload operation regardless as they can do the login on their SDK as well

What you want to do is out of scope for this, because many security features like this can be circumvented anyway. All you can do is damage control

You can only allow the user to obtain sessions for example when the user passes device check whether it be from google or apple

You can implement HMAC validation in your function to check whether the request is authentic

got it. if i don't make these ids public at the very least i am making it hard to do these kind of simple attack.

Eh how are the users supposed to use the app then?

intercepting network should be harder then to just check the url and get the id. i don't know much about security but this looks obvious. don't you think?

They just need so debug tool. In the case of web, that's just right clicking and opening web dev tools

I do much about security and this ain't one

Not in the slightest

And you have a totally wrong view about the project id

have not done much web so don't know about it. but in ios i can make it a lot harder i think.

If appwrite wouldn't support multiple projects then there project ids wouldnt exist. You would just hit the /v1 endpoint

The outcome is the same

It is public knowledge

Anyone who is willing to reverse engineer your app, then the person is also certainly capable of intercepting your network as well

You can IOSSecuritySuite to at least make it somewhat harder, but usually you would implement multiple restrictions to improve your overall security.

You are giving the project id way too much credit

yes i completely agree with you on reverse engineering. but it is a lot more complicated to reverse engineer and then get runtime values. then to just get them from your url

Sincerely, I am always sceptical about security measures, etc, but in the case my approach would be leaving it as default appwrite config, and if I find someone abusing, then I would block it's IP and write a function to have that IP blocked permanently or block it in Cloudflare or similar.

How can you say it is more complicated when you just said above that you have barely any knowledge in that field.

i have knowledge in ios but no real security knowledge on web.

this is the last resort.

Anyone, really anyone who wants to do malicious activity is able to reverse engineer it. And it is a lot easier than you think. Intercepting the tracking is the easiest shit unless you have done some ssl pinning but that would only harden it for like some additional hours

Hmm latest resort?

(sorry, I'm not a native English speaker)

as i said i agree with your point on reverse engineering i am just comparing the 2 scenerio here.

like the last option.

You do you but to be honest you accomplish literally nothing with your approach

It is simply a false sense of security

If you want to provide at least some amount of security you could as I said implement this https://github.com/securing/IOSSecuritySuite

It makes it somewhat harder for anyone who wants to "attack" your app. If you are using cloudflare you could ban all requests to the "/v1/*" endpoint if they do not have a specific header. That way they have to intercept the network or reverse engineer your app as well. So at least they have to put them effort in

https://appwrite.io/docs/references/cloud/client-web/storage#createFile

Also, as you can see in the docs, the endpoint is rate limited, meaning that if you make more than 60 uploads in 1 minute, the user will be rate limited during an hour if I'm not wrong.

i do this in all my projects. thanks

A good method I see too is using apple device check:
https://developer.apple.com/documentation/devicecheck

i can see this in your SDK. can i set my custom header here?

Yes I have mentioned that above. Basically disable all auth and handle auth yourself. The device needs to do a device check in order to get a token to create a session

Yes

It's not strictly needed to handle all the Auth.
If I'm not wronf, a label can be assigned to the user when the verification check is completed and validated with an appwrite function

and how do i set my project to check for specified header?

If you want true security then you have to

Otherwise you could install the app on an authentic phone therefore passing the check and then install the device on the device which you use to reverse engineer it

You will need to run the function on each login and make it expire on every new session with functions

Oh wait, yes it's not that easy and will not work at all if not handled properly, as it's not that easy since you can have a fake phone, and then login with a real one 😅

Are you using cloudflare?

yes

You can use Cloudflare WAF to only allow request with a specific header like "X-App-ID" : "hguiwfuwin2jfo83ifn2oifnuwdw9ioe". Any other requests are blocked. You specify that header in the addHeader function as well.

It does add a little protection if you want to extend this kind of protection further you can make it dynamic so it changes every 3 minutes and then you create a function which will change that header on cloudflare as well

So any attacker has about 3min of time each time he has intercepted the token

In fact that's what I do in addition to my other checks. It adds multiple layers of security and the attacker won't know why his requests aren't successful

thank you this should work if i combine it with IOSSecuritySuite at least for my peace of mind. 😅

sorry for bothering you guys for so long.

You seemed to be concerned about security and that is fine but nothing is worse than a false sense of security.

Hiding project id is doing dog shit

That won't do anything for ya

i can change it dynamically so that even if attacker intercepts it. it will be valid for 3 min. right?

new in security. sorry!

If he has intercepted it he has at max 3min. of time to make a request

got it.

The thing is if someone is able to intercept the network he will continue to do so

correct. will have to do cat and mouse anyways that i understand

If someone fails to pass that check that IP will be shown on cloudflare and you would be notified

Basically they won't be able to make requests at all without knowing that specific header. That user is actually forced to reverse engineer your app or to intercept your traffic

He has to put actual effort in and that alone should guard against most script kiddies

will definitely do this. uptill now i used S3 and temprary creds did the job for me

I would also just ban most countries if you do not intend to serve them anyway. I would especially ban ASN from hosting providers.

Every defense can be defeated that's why you have to stack all those security features to make it annoying for them to even bother

Hiding the project id won't do shit because you have to store the project id somewhere to make requests in the first place

actually i am creating a completely anonymous social network. where there is no personal identifier so bannig countries won't work

"completley"?

to be honest i don't know whether that would be even legal or not. 😅

Anonymous in 2024 is far fetched

yes the posts are public but linked to their online persona and not their personal identifier. like reddit but reddit stores email and all that can be a identifier.

Anyone who downloads the app is able to use your service without logging in?

yes

i know that can be problematic in legal sense. but still checking if that can be done or not

I mean there exists app like that

any examples?

You have to understand that you are responsible for the content

There is a german app called Jodel. It is location based but you do not have to enter any credentials in order to post

yes. that is why was also exploring AI to identify harmful content

Works pretty nicely. I use Gemini 1.5 flash. They reduced the price heavily just last month and it is surprisingly good at content moderation

It is context aware so that is a huge plus

You simply can't just ban multiple variations of "fuck" that is simply not possible.

Or let's say "touchmylongstick"

It does not contain any bad words per se but we can confidently assume that it does not have a good meaning

Isn't that going to be like an app token? 😅

You could certainly consider it one

yes i thought that as well and even if i start banning such things then it wont be fun. i want to ban the more extreme stuff. which is not good for anyone.

Why not just setting a harder rate limit in CF?

Gemini is capable of that

Different attack vector

Wdym?

The response is actually just for debugging purposes. But that's how it would handle it internally if the user wants to update the profile iamge

That does not defend against what he wants to be defended against

yes this is exactly what i was thinking.

It works incredibly nice and i can do thousands of checks for a few cents

I understand the idea is to prevent third party apps uploading things, but from what I understand the real target if preventing someone from upload a huge amount of files and fill it up, right? @void minnow

He wants to prevent anyone but the original app to upload anything in the first place

Works nice for usernames as well

yes. just to make it extremely hard for explorers to do theses attacks.

for professionals i would have to do the cat and mouse game anyway.

If you get big you can get back to me and I will provide you an all in package 😜

could you provide me with the details to acheive this result?

no doubt.

https://github.com/google-gemini/generative-ai-swift
Google has actually a pretty good documentation regarding this

You can specify a schema that the model should use for its response

In my case you can see the model in the response

this is pretty simple. i thought it would be quite hard.

Just download and try it out. Gemini is really beginner friendly like it is really easy

Just tell them what the criterias are and it should be able to respond with the appropiate decision

I said in my case that the platform should be family friendly

thank you for this.

I don't understand the attack then.
Someone will not publish an app that uses your storage I think?

If you are one who wants to allow more freedom of speech even if it is somewhat controversial you can tell it gemini

Apps can be repackaged

i want only my app can upload file and no one else

There are multiple ways to hijack an app

He just wants to do some damage control.

Yes, but how will that affect negatively you? It will be like a fork of you app?

But why is that so concerning?

i thought IOSSecuritySuite has protections against that?

It does not totally negate that

It just makes it harder.

as only my user has that permission.

If someone distributes a copy of you app for iOS you can easily ban the copy...

That is not what he meant

yeah that i understand nothing can be 100%

If someone makes a copy to spam your app, you implement CF rate limits to prevent Spam

This is not what this is about

If you have snapchat then you would know. Snapchat is notorious for this. They want to prevent it at all cost that the user is able to upload images or videos from any other app than snapchat

Snapchat has a really good system in place to detect that

One of the best actually

In that case, the solution is not to prevent third parties from the app to the server itself, but prevent third party uploads.

For that the best way is probably with Device Check on each upload.
So basically doing an appwrite function that receives the upload and if the Device Check is valid, then it's stored in the Appwrite storage

That is too extreme

But maybe more effective

As I said do a device check when the user wants to login that should usually provide enough protection because when the user is able to pass the check it means the phone is not jailbroken

Not jailbroken => not able to retrieve the session token

Ps @void minnow Give this a 👍 😉

https://github.com/appwrite/appwrite/issues/4791

But to be honest devicecheck can be bypassed as well lmao

This is the reason why we are having this talk because in the security world you try to stack multiple layers of security measures

Yes, makes sense, but what if it's done after the login? Then we will be at the same point 😅

Anyways, it's easier as you mentioned

is this implemented yet?

If the device passed the check then it probably means that the device is not jailbroken. If it is not jailbroken or anything then it means the app is not reverse engineered or hooked

They should also not be able to extract the session

No

Nope, it's a feature request, that's why I recommend giving it a 👍 as the team usually implements the requests that are top voted

ohh ok

@dim epoch i can't find the german app anywhere. would be helpful if i can study that app.

Where are you located

india. but won't i have atleast some webpage to check the basic idea?

like their about page or something?

It is an app and used to be mainly used by college students back then before it gained so much traction

Jodel

Users were able to make "anonymous" posts. You didn't need to signin. You could signin if you wanted to save the points but it was not mandatory. There was no username or anything.

It only showed in what city or location the user is in

It was funny when I was using the app abroad in some tourist locations

People asked where one could buy weed lmao

ok my idea was that i create a account but system generated so that they can have followers and such. and store their auth key on keychain so that they don't loose their account. if they want a new identity they can simply relogin as everything is system generated.

That could work

In case they haven't patched that loophole yet then you could also use identifierForVendor id. It should be unique among all iphone

If you want you can pass that during your devicecheck as well and store that in the database

So each phone can only create on account if that is what you want

You have to state it in the privacy policy tho

will check. lets see