CSRF tokens for mobile apps

Anish · May 20, 2012, 11:26pm

I have an existing rails backend website which makes json ajax calls to my server and I was passing csrf tokens in every ajax call. Now,I am developing a mobile iOS app to use the same backend and send calls in json. However, mobile requests are failing with “Can’t verify CSRF token authenticity”, because i dont know of anyway to send the csrf token to rails from app.

Looking around, many people are suggesting to disable CSRF protection if the call is json call - but I dont want to do that because my website all uses json calls and that leaves my site open for attacks.

My question is:

How can i let my iOS app know the rails generated csrf token to use it in all app calls to server? Is it possible
Is there any other way that I can work around this problem?

Thanks, Anish

Daniel_Shimoyama · May 20, 2012, 11:57pm

Anish,

Check out this post

see u

Anish · May 21, 2012, 12:14am

Hi Daniel,

Thanks, I saw this post earlier. but this suggests me to remove csrf verification - which i dont want to do. Because, thats a security vulnerability. Attackers can send POST requests from another site for currently logged in user. Specifically my questions are:

How can i let my iOS app know the rails generated csrf token to use it in all app calls to server? Is it possible
Is there any other way that I can work around this problem with out compromising security?

Thanks, Anish

jimc · May 21, 2012, 2:42pm

I have an existing rails backend website which makes json ajax calls to my server and I was passing csrf tokens in every ajax call. Now,I am developing a mobile iOS app to use the same backend and send calls in json. However, mobile requests are failing with "Can't verify CSRF token authenticity", because i dont know of anyway to send the csrf token to rails from app.

This isn't so much a rails question as an iOS programming question. In addition, a little very simple googling shows everything you need to know to be able to do this (simple enough that it's obvious you didn't even try).

Check out

to see how the token is sent to a browser. You can probably just use:

<%= form_authenticity_token %>

to set the value of the token in your initial response to the iOS app. A quick test shows that AJAX requests to the server include the token as a custom header in the request.

To learn how to set a custom http header in your iOS app, see:

Jim

11155 · December 29, 2012, 4:59am

Hey Jim, don't be a jerk, especially when your answer is wrong.

Using <%= form_authenticity_token %> doesn't work because you don't have a server to dynamically insert content into html as an app is static and packaged on the client device (iPhone/iPad).

CSRF should not be a possible attack inside of an app. Your session is isolated to the app and cross domain origin policies in the browser will prevent the attack. Also, since you are using an app you can implement sessions without the use of cookies entirely.

mkristian · December 29, 2012, 8:50am

that is straight forward: just copy the form_authenticity_token to a header field and let your app send it back as header

github.com

mkristian/ixtlan-translations/blob/master/app/controllers/local_controller.rb

#
# ixtlan_translations - webapp where you can manage translations of applications
# Copyright (C) 2012 Christian Meier
#
# This file is part of ixtlan_translations.
#
# ixtlan_translations is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# ixtlan_translations is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with ixtlan_translations.  If not, see <http://www.gnu.org/licenses/>.
#
class LocalController < ApplicationController

This file has been truncated. show original

that is the controller I use as base for my controllers talking to rest-clients (GWT applications)

Kristian

Matt_Jones · December 30, 2012, 2:00am

Since this thread has been revived, it seems reasonable to mention that you may not want to use session state in your API at all - some HTTP clients may not support it out-of-the-box, etc. Oauth or Oauth2 is a possible alternative - there are some very slick gems to help with this (devise_oauth2_providable, among others).

–Matt Jones

Topic		Replies	Views
CSRF Protection and Mobile Clients rubyonrails-talk	0	132	February 13, 2011
Is It Possible for an Attacker to Parse and Submit Authenticity Token Separately? rubyonrails-talk security	2	1380	February 17, 2023
Ajax CSRF in Rails3 rubyonrails-talk	7	126	September 21, 2010
CSRF Protection Bypass in Ruby on Rails - I don't get it ... rubyonrails-talk	10	173	February 9, 2011
Regarding CSRF mitigation documentation in Rails rubyonrails-core	7	406	July 31, 2016

CSRF tokens for mobile apps

Related topics

More Resources