Security of Server Actions in Mobile Apps

We recently started testing a mobile app built in OutSystems. I'm trying to review it for security concerns, but don't have enough understanding about how server actions are invoked from the app. My understanding is that client actions run on the device itself, but server actions are exposed via REST on the server side.

Say we have a server action that takes two parameters: Username and Password

This action updates that user's password. Think of it as something that might facilitate a password reset.

At first glance, I don't see any way for something like this to be secure. What would prevent other users from calling this endpoint with other usernames? Is there anything I'm missing? My assumption is that server actions would NEED to have / explicitly integrate some sort of user context in order to properly secure the endpoint when dealing with user-specific data. In this case, if we're updating the password, we might also need to pass a secure token that was generated for that specific user (and would only allow that single user's password to be updated).

This is an extreme example, but it could also be applied to things like viewing / updating addresses, preferences, etc.

I apologize if I'm missing something basic here. I am still relatively new to OutSystems, and this is our first mobile app. I tried searching for other posts on this topic, but was not able to find anything substantial.

Hi,

As long as the screen is not made anonymous, these REST calls always send the cookie to identify the user. Inside your server action you can call the GetUserId() function, get the data from the User table and check if the username matches. For other update use cases, make sure you are checking that the user has the proper role in addition to GetUserId().

You might want to check the training, or the session Justin James recently gave on security in React (Recording); maybe you can learn something new there.

Regards.  
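As an added illustration (not OutSystems code, and not from any poster in this thread): a Python model of the password-update server action from the question, once as described (trusting the Username parameter) and once with the GetUserId() and role checks the answer above describes. The session dict standing in for the cookie, the User table, the "Admin" role and all helper names are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    user_id: int
    username: str
    password: str
    roles: set = field(default_factory=set)

def make_users():
    """Constructed stand-in for the User table, keyed by username."""
    alice = User(1, "alice", "old-a")
    bob = User(2, "bob", "old-b", {"Admin"})
    return {u.username: u for u in (alice, bob)}

def get_user_id(session):
    """Stands in for GetUserId(): the id carried by the session cookie, 0 when anonymous."""
    return session.get("user_id", 0)

def update_password_unchecked(users, session, username, new_password):
    """The action as described in the question: it trusts the Username parameter.
    Any device that can reach the REST endpoint can reset any user's password."""
    target = users.get(username)
    if target is None:
        return False
    target.password = new_password
    return True

def update_password_checked(users, session, username, new_password):
    """The action with the checks from the answer: bind the request to the
    authenticated user and require a role before touching other accounts."""
    caller_id = get_user_id(session)
    if caller_id == 0:
        return False  # anonymous caller: no cookie, no identity
    caller = next((u for u in users.values() if u.user_id == caller_id), None)
    if caller is None:
        return False
    # Self-service: the Username parameter must match the authenticated user.
    # Other accounts: only a caller holding the (assumed) Admin role may proceed.
    if caller.username != username and "Admin" not in caller.roles:
        return False
    target = users.get(username)
    if target is None:
        return False
    target.password = new_password
    return True
```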

That makes sense, thank you!

Do you happen to know how OutSystems exposes these actions via the REST service? Say I have a traditional web app and a mobile app, both of which share a CS layer. Does that mean that all of the actions from those CS modules are then exposed via REST? Or does it selectively expose only the actions that are actively referenced by the mobile app?

Hi,

I am not 100% sure here; my understanding is that it selectively exposes those which have been used in client actions.

Regards.

Hi guys,

I'll make it 100%, Prasad. :)

Server actions are only exposed via REST API when they are being referenced inside client actions in Mobile Apps and Reactive Web Apps.

Regards,

Nordin