Android Question MQTT security

jayel

Hello,

I am using an MQTT broker (mosquitto) on Ubuntu.
I have several apps working that connect to the broker (B4A and B4J), all in the local network.
The broker is username and password protected.

This is working very well, and my apps are doing well with my local users in the firm.
Now my boss wants to take it a step further, he wants to be able to access the broker from the internet.
Ok, no problem, I can configure my firewall and open a port to my MQTT broker.
But what about security?
I read about SSL, B4XCipher (encrypt the messages)?
What should I use to protect my data?

John
 

KMatle

You mean "from a browser"? Do a login with username & pw (SSL is standard). Use Google Robot to check if it's a real user. Work with sessions. Search Google for examples of how to secure it. There are a lot of good examples. Too much to describe here :)
 

jayel

> You mean "from a browser"? Do a login with username & pw (SSL is standard). Use Google Robot to check if it's a real user. Work with sessions. Search Google for examples of how to secure it. There are a lot of good examples. Too much to describe here :)

No, from a B4A app.

> Both options are possible.
>
> SSL will be more complicated if you are using a self signed certificate. You will need to install the certificate on all devices and it will also require a static ip address.

So I can use B4XCipher to encrypt my messages? There is no security issue when I do it like that? And can I encrypt the topics?
 

Erel

B4X founder
Staff member
> So I can use B4XCipher to encrypt my messages?
Yes.

> There is no security issue when I do it like that?

It will protect the data itself so if someone is monitoring the network traffic they will not be able to see the actual messages. It will not protect from anything else. For example if someone has access to your app then they will also have access to the encryption key.

You cannot encrypt the topics.
 
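What the answer above means on the wire, as an added example that is not part of the original thread: over a tcp:// connection with payload-only encryption, an MQTT 3.1.1 PUBLISH packet still carries the topic name as plain UTF-8. The topic name and the random bytes standing in for the app-encrypted payload are constructed sample values.

```python
# Added example (not from the thread): what a PUBLISH packet exposes without TLS.
import os
import struct


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 bits per byte, high bit set = more follows."""
    out = bytearray()
    while True:
        n, digit = divmod(n, 128)
        out.append(digit | (0x80 if n else 0))
        if not n:
            return bytes(out)


def build_publish(topic: str, payload: bytes, qos: int = 0, packet_id: int = 1) -> bytes:
    """Build a PUBLISH packet; the payload is opaque bytes, the topic is plain UTF-8."""
    t = topic.encode("utf-8")
    pid = struct.pack("!H", packet_id) if qos else b""  # packet id only for QoS 1/2
    body = struct.pack("!H", len(t)) + t + pid + payload
    return bytes([0x30 | (qos << 1)]) + encode_remaining_length(len(body)) + body


def parse_publish(packet: bytes) -> dict:
    """Return the fields any observer of an unencrypted connection can read."""
    if packet[0] >> 4 != 3:
        raise ValueError("not a PUBLISH packet")
    qos = (packet[0] >> 1) & 0x03
    length, shift, pos = 0, 0, 1
    while True:  # decode the variable-length "remaining length" field
        byte = packet[pos]
        length |= (byte & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if not byte & 0x80:
            break
        if shift > 21:
            raise ValueError("malformed remaining length")
    end = pos + length
    if end > len(packet):
        raise ValueError("truncated packet")
    (tlen,) = struct.unpack_from("!H", packet, pos)
    topic = packet[pos + 2:pos + 2 + tlen].decode("utf-8")
    pos += 2 + tlen + (2 if qos else 0)  # skip topic and packet identifier
    return {"qos": qos, "topic": topic, "payload": packet[pos:end]}


# Constructed sample: random bytes stand in for a payload encrypted inside the app.
SAMPLE_TOPIC = "firm/warehouse/orders"
SAMPLE_CIPHERTEXT = os.urandom(200)
SAMPLE_PACKET = build_publish(SAMPLE_TOPIC, SAMPLE_CIPHERTEXT, qos=1)
```

With an ssl:// connection the whole packet, topic included, travels inside the TLS session instead.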

jayel

> Yes.
>
> It will protect the data itself so if someone is monitoring the network traffic they will not be able to see the actual messages. It will not protect from anything else. For example if someone has access to your app then they will also have access to the encryption key.
>
> You cannot encrypt the topics.

OK, so better to use a self signed certificate?

> Both options are possible.
>
> SSL will be more complicated if you are using a self signed certificate. You will need to install the certificate on all devices and it will also require a static ip address.

We have a static IP, are there pointers to set this up? And do I have to change anything on the client side of MQTT?
 

Erel

B4X founder
Staff member
> OK, so better to use a self signed certificate?
Only you can answer this question.

> And do I have to change anything on the client side of MQTT?
You need to change the connection uri to ssl:// instead of tcp://

> We have a static IP, are there pointers to set this up?
You need to consult with the broker instructions. You will also need to install the self signed certificate on the clients.
http://android.stackexchange.com/qu...laims-success-but-android-acts-as-if-cert-isn
 