Parse Security: Securing Your Open Source App Stack

What Is Parse?

Parse is the most commonly used open source framework for developing application backends. It was introduced in 2016 and is backed by a large community of developers. It is a proven platform that can accelerate web application development at any scale.

Parse is a Node.js application that is deployed on hosts in a cloud platform like AWS. It provides APIs for user authentication and stores data in a document store. By combining a mobile SDK with a backend service, Parse provides features including several user authentication methods, social login, creation and querying of arbitrary data models, push notifications, and the ability to upload files to a server for client-to-client access.

Parse Security Challenges

Open source security is a major concern for most organizations. While open source platforms like Parse can be highly beneficial, they often present vulnerabilities that must be identified and resolved. Here are some of the main security concerns with the Parse platform.

Default Settings 

Parse tries to accommodate less technical developers, making it easier to produce the entire backend for mobile applications without programming. Developers can handle all or most of the server setup, including creating and inserting classes, via the Parse dashboard. However, some important security features are not enabled by default, so users must configure the right settings to secure their application stack.

All stored data in Parse resides in class objects, with the users class storing all user data by default. These class objects should not be automatically searchable, especially if they contain sensitive data. Parse lets developers restrict access to object classes using object-level access control and class-level permissions. 

These security features offer more granular control over stored data in Parse instances and prevent unknown users from accessing any instance in a protected class. However, the user has to turn them on—otherwise, all class objects in Parse remain searchable, and anonymous, potentially malicious users could access sensitive data in objects like the users class.

File Upload Restrictions

Automated file upload is a requirement for many web applications. Another major vulnerability in the design of the Parse server is the file upload functionality. The file adapter submodule allows the Parse server to upload all files by default. Users can block uploads of specific file types using hooks in Parse Cloud. It is still impossible to prevent a potential attacker from uploading file types via the Parse dashboard, a popular GUI for developers to work with the Parse server.

Once a file is uploaded, it is accessible without authentication headers, so an attacker could easily share it. The only way to mitigate this risk is to obfuscate the name of uploaded files. This method can make finding the files uploaded to a bucket harder, but it doesn’t stop attackers from uploading malicious HTML files to the server or sharing malicious URLs with the victim. 

Applications typically serve the uploaded Parse files from the primary domain, creating serious vulnerabilities for all users. If an application serves uploaded files from the same domain as a web portal with cookies, it may place all users at risk.

Securing Parse

Here are best practices you can use to secure your Parse deployment, both at the class and object levels.

Client vs. Master Secrets

When an application connects to Parse for the first time, the application identifies itself with an ID and a client secret (this can also be a REST secret, .NET secret, or JavaScript secret, depending on the platform being used). 

By default, the client secret is not protected, and it cannot protect the app. Anyone can find the client key by decompiling the application on the device or by proxying its network traffic. You can see this most easily in a JavaScript app: find the client key by simply viewing the source of the application pages in your browser.

Because client keys are distributed to users, they should be considered accessible by the general public, including threat actors.

A master key, on the other hand, must be strongly protected. Master keys can be used to bypass all security mechanisms in your application, such as class-level permissions and ACLs. Obtaining the master key is equivalent to gaining root access to the application server. Protecting your master key is a central goal of a Parse security strategy—just like protecting the root password on a production machine.

The general idea is to limit the capabilities of the client (using the client secret) and perform any sensitive operations in Cloud Code, requiring the master secret. Learn more about Cloud Code in the Parse documentation.

Class-Level Permissions

Another area to secure is the schema and data level. You should limit when and how client applications can create or access data in Parse. When you first start developing Parse applications, insecure defaults are set to maximize initial productivity—as you transition to production, you must configure Parse to protect sensitive data.

Configure permissions to assign to specific users and roles in your application on a least privilege basis, rather than granting universal access. A role can group users or other roles together to provide the same access permissions. Roles are assigned to objects to limit their use. Permissions granted to a user role or other role are also extended to its children, creating an access hierarchy for your app.

Object-Level Access Control

Consider how users can access data. Object-level access control allows you to separate one user’s data from another user’s data. Different users may need to access different objects within a class—for example, a user’s personal data must only be accessible to that user.

Parse also supports the concept of anonymous users in applications that store and secure user-specific data without explicit login.

When a user logs into your application, a Parse session is started. During the entire session, users can only add or modify their personal data, but not other data.

The simplest way to control who has access to what data is via access control lists (ACLs). ACLs work by giving each object a list of roles and users, with a list of permissions for each role or user. Users must have read access, or be assigned to a role that has read access, to retrieve data in an object. Users also need write access (or must be assigned to a role with write access) to modify or delete data. Set user permissions carefully to ensure each category of users has exactly the permissions they need and no more.
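To make the class-level and object-level rules above concrete, here is an added example (not code from the article or from Parse itself) that evaluates an object's ACL the way those rules describe, using the JSON shape Parse stores in an object's ACL field. The role hierarchy, user ids and sample ACL are constructed for the demo.

```javascript
// Added example, not Parse's own code. ACL shape matches what Parse stores on
// an object: keys "*", a user objectId, or "role:<name>"; values { read, write }.
// Parent -> child roles (constructed): a member of a child role inherits every
// permission granted to its parent, so Administrators get Moderators' grants.
const ROLE_CHILDREN = { Moderators: ['Administrators'] };

// Expand a user's direct roles into every role whose grants apply to them.
function effectiveRoles(directRoles) {
  const roles = new Set(directRoles);
  let grew = true;
  while (grew) {
    grew = false;
    for (const [parent, children] of Object.entries(ROLE_CHILDREN)) {
      if (!roles.has(parent) && children.some((c) => roles.has(c))) {
        roles.add(parent);
        grew = true;
      }
    }
  }
  return roles;
}

// May `caller` perform `op` ("read" | "write") on an object carrying `acl`?
// caller: null (anonymous), { id, roles } (logged in), or { master: true }.
function isAllowed(acl, caller, op) {
  if (caller && caller.master) return true; // master key bypasses every ACL
  if (!acl) return true;                    // object without ACL: public r/w
  const grants = (key) => Boolean(acl[key] && acl[key][op]);
  if (grants('*')) return true;
  if (!caller) return false;
  if (grants(caller.id)) return true;
  for (const role of effectiveRoles(caller.roles || [])) {
    if (grants('role:' + role)) return true;
  }
  return false;
}

// ACL for per-user data, equivalent to `new Parse.ACL(user)`: only the owner
// (or the master key) can read or write it.
function ownerOnlyAcl(userId) {
  return { [userId]: { read: true, write: true } };
}

// Constructed sample: public read; author and Moderators (so Administrators) may write.
const postAcl = {
  '*': { read: true },
  author01: { read: true, write: true },
  'role:Moderators': { write: true },
};
```

The `isAllowed(undefined, ...)` branch is the insecure default the article warns about: an object saved without an ACL is readable and writable by anyone holding the client key.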

Securing File Upload

As mentioned, Parse suffers from an unrestricted file upload vulnerability, which you will need to mitigate. This can be done at the bucket level, as recommended in the Parse documentation.

For example, to restrict file upload types in AWS, add the following statements to your bucket policy:

  • The s3:PutObject operation should only be allowed on objects that require a file type extension.
  • The s3:PutObject operation should be explicitly denied on objects that do not have the required file type extension.
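The two statements above, written out as an added example (not taken from the article or the Parse documentation): a small JavaScript helper that builds the bucket policy for an approved extension list and previews which object keys the policy will accept. The bucket name, uploader principal and extension list are placeholders.

```javascript
// Added example, not from the article or the Parse docs. Bucket name, uploader
// principal and the extension list are placeholders for your own values.
const BUCKET = 'example-parse-files';
const UPLOADER = 'arn:aws:iam::123456789012:role/parse-server';
const ALLOWED_EXTENSIONS = ['jpg', 'png', 'pdf'];

// One resource ARN per approved extension: arn:aws:s3:::<bucket>/*.<ext>
function allowedResources(bucket, extensions) {
  return extensions.map((ext) => `arn:aws:s3:::${bucket}/*.${ext}`);
}

// Statement 1 allows s3:PutObject only on keys with an approved extension;
// statement 2 explicitly denies s3:PutObject on every other key, for every
// principal, so an upload of "payload.html" is refused by the bucket itself
// whether it arrives through the SDK, Cloud Code or the dashboard.
function buildBucketPolicy(bucket, uploaderArn, extensions) {
  const resources = allowedResources(bucket, extensions);
  return {
    Version: '2012-10-17',
    Statement: [
      {
        Sid: 'AllowApprovedExtensions',
        Effect: 'Allow',
        Principal: { AWS: uploaderArn },
        Action: 's3:PutObject',
        Resource: resources,
      },
      {
        Sid: 'DenyEveryOtherKey',
        Effect: 'Deny',
        Principal: '*',
        Action: 's3:PutObject',
        NotResource: resources,
      },
    ],
  };
}

// Local preview of what the policy will accept. ARN matching is
// case-sensitive, so "photo.PNG" is denied unless "PNG" is listed too, and a
// key without a dot (or ending in one) has no extension and is denied.
function putWouldBeAllowed(key, extensions) {
  const dot = key.lastIndexOf('.');
  if (dot < 0 || dot === key.length - 1) return false;
  return extensions.includes(key.slice(dot + 1));
}
```

Serialize the result with `JSON.stringify(buildBucketPolicy(BUCKET, UPLOADER, ALLOWED_EXTENSIONS), null, 2)` to get the document to attach to the bucket.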

Conclusion

In this article, I reviewed the main security concerns in the Parse platform and provided several best practices to help you overcome them:

  • Client vs. master secrets—ensure that external entities with a client secret cannot perform sensitive operations and restrict master secret operations using Cloud Code.
  • Class-level permissions—configure permissions to secure the schema and datastore.
  • Object-level access control—define ACLs and roles to ensure that each user can access the data and operations they need, and no more.
  • Securing file upload—prevent unlimited file upload by adding limitations to your cloud storage buckets.

I hope this will be useful as you improve the security posture of your Parse applications.


Web vs Mobile Apps – What is the difference?

This article will explore the differences between web vs mobile apps. It is not unusual for people to think that mobile apps and web apps are the same thing. However, there are some distinct differences between them, such as in how they’re distributed and how they perform. These factors have a significant impact on their intended use.


How to Design a Trustworthy Mobile Application

In this digitally dynamic and competitive landscape, mobile application users have become exceedingly picky. Users are always willing to shift whenever they find anything shiny. This state of turmoil is taking place because tons and tons of mobile applications, products, and marketers are striving hard to grab the attention of users. App users throughout the globe have developed enthralling and unique applications. 

Mobile app development companies all over the world have developed extraordinarily high standards that are further challenging mobile application professionals. To comprehend the challenges faced by both startups and full-fledged companies, there is a need to focus on the nature of mobile. Although mobile phones are portable and convenient, they are also exceedingly personal. It is one of the reasons why it is pivotal to gain the trust of users. If you want to see your application succeed, then there is an immense need for you to deliver the information.

To help you out, there is a compilation of various tactics that will make your application trustworthy in front of users. The implementation of these tactics will get more users to your application. Additionally, this retains the users and communicates to them that you give utmost priority to their requirements. 


Real-time NextJS applications with Parse

We recently published an introductory article about Next.js and Parse, in which we talked about what Next.js is, what Parse is, and how they're a perfect match for building awesome, performant applications.

If you haven’t read it yet, I highly recommend that you check it out on the NodeJS article, since we are going to use some concepts learned in that article.

In this article, we’re going to explore how to build real-time applications using a Parse Hook for a NextJS application. Hope you enjoy 🙂


Most Popular Programming Languages that Will Dominate 2021

Programming Languages have evolved to become an integral part of many disciplines, including Machine Learning, Data Science, and Web Development. Today, there are so many programming languages, and newer languages continue to emerge regularly.

Some of the currently available languages have already gained a reputation over time, and this is due to their continual improvements. We have outlined seven that will be relevant in 2021. You’ll also find where you can learn these languages in this article.


Understanding Managed Services And Its Benefits On App Development

Applications are the most popular software in the world. They became a big hit during the smartphone takeover and are now used for various functions. The business sector is one of the primary beneficiaries of application development, and it is partly responsible for different industries' success.

Businesses contact third-party developers or hire people to develop an app that they can utilize to market their services or products. Another reason why different industries resorted to using apps is to adapt to modern times. Amidst globalization, it’s more appealing to consumers if your product or service is available online.

Such an asset can only be created through a painstaking process, and sometimes you'll need all the assistance you can get to ensure its completion. This is where something like managed services comes in handy. To expound on this topic further, continue reading to understand managed services and their benefit on app development.


How Mobile Apps Can Be An Asset For SMBs

What is the first thing that crosses your mind when we talk of small business owners? More often than not, it will be the lack of financial muscle that bigger companies have. The disparity in available resources is quite considerable.

When it comes to scaling their business, large business houses have it easy, while small businesses find it difficult. Limitations breed innovativeness and change.


Grow your business with Mobile CRM

With mobile device usage growing by leaps and bounds across the globe, mobile apps are making headway into the business mainstream to help businesses achieve their CRM goals and sales objectives. A study recently conducted by one of the world's leading statistics portals, Statista, reveals that mobile app downloads are likely to reach 129 billion in 2020. The study further states that the number is expected to increase to 161 billion by 2023. The figures are enough to prove that mobile applications are finding their usage across industries throughout the globe.


What is AWS Savings Plans?

It's no secret that using Reserved Instances (RIs) generates significant savings on Amazon Web Services (AWS).

To help its customers get even more out of these savings, AWS last week launched Savings Plans, which, like RIs, make it easy to buy computing hours and still generate significant discounts on your AWS account.

What is AWS Savings Plans?

It is a new flexible discount model launched by AWS that aims to save money on the use of computing services. This model applies to Amazon EC2 instances regardless of instance family, size, operating system, or region (except China), and also to other computing services such as EMR, ECS, EKS, and Fargate.

Savings Plans offer more than one type of plan, with different durations and payment options, and automatically adapt to computing usage, making it simple to save, which had been one of the biggest pains for Reserved Instance users.

With Savings Plans, AWS customers commit to an amount of spend, measured in dollars per hour, over a 1- or 3-year term. Usage beyond the committed amount is charged at on-demand rates.