Mobile Development Gains in Databases and Authentication
This episode of The New Stack Makers podcast series with Okta explores database and authentication requirements for securing mobile applications.
MongoDB Senior Product Manager for Mobile Ian Ward, and Okta Senior Security Architect Aaron Parecki are guests for this podcast, which was hosted by Alex Williams, founder and publisher of The New Stack and Randall Degges, head of developer advocacy at Okta, an API security firm.
Ward was one of the chief developers behind the Realm mobile database and Parecki is the spec editor and member of the working group for OAuth, an industry-standard protocol for authorization widely used for web applications. Parecki, also a prolific blogger, noted how his fascination with how OAuth “relates to identity and the online privacy and security world.”
Okta Series – Mobile Security Dev, a Database and Authentication POV
Part of the conversation focused on how the move from OAuth to OAuth 2, introduced early last decade, benefitted developers.
The previous version of OAuth was less developer-friendly, according to Parecki. “OAuth 1 was doing a lot of things that were extremely frustrating to developers around basically making developers do the cryptography layer in their own code of canonicalizing requests and doing signing and things like that — that’s not a good developer experience. And it was basically, the reason that OAuth 1 ended up being mostly a failure, and thankfully, got fixed pretty quick with OAuth 2,” said Parecki.
One of the main features of OAuth 2 is how it has “prioritized the developer experience of the app of the spec” in order that “people using the OAuth 2 spec would have an easier time getting started as developers writing against OAuth servers,” said Parecki.
“That’s something that I know myself and most of the others are keeping in mind: we want to make sure that the spec is easy to use for developers so that when people write services using the spec, those services are also easy to use for developers. So, [we are] prioritizing developer experience for sure,” he said.
For the mobile developer using Realm, the value lies in how there is “no networking code and transfer of data that the developer needs to write,” said Ward.
“If you are writing to Realm locally, in a background thread, the synchronization thread is trying to replicate that data to MongoDB Atlas, apply those changes, as well as pull any data down from Atlas that was written while it goes offline,” said Ward. “So, the kind of the big value here is that these mobile applications can go offline and you can use them as if they were online — it keeps a queue of all the operations.”
Realm is also an object database, “so you’re used to using objects, because that’s what all mobile apps are built-in, it’s object-oriented programming,” said Ward. “We have a class in your iOS code, that is the schema for your database. So, it’s very natural for developers to use Realm in that regard.”
Part of the inherent difficulty in securing mobile apps is “you can’t embed API keys in them if you want to hide the API keys,” Parecki explained. “So, if you’re shipping a mobile app in an app store, and you tried to put an API key into that app, anybody could go ahead and decompile it and find the API key,” said Parecki. “So, you’re not going to be able to use that the same way you would from server-side code to protect access to a database, for example, which basically means your options start to become limited.”
However, with OAuth 2, it is possible to securely communicate with a backend API or service without sending keys to the device. “The reason that it works is specifically because you are getting a user to approve that flow and login,” said Parecki. “So, by doing an OAuth flow, a user who is using an app will then actually use their own credentials.”