Is using parse.com framework safe?

Question

I would like to start using Parse.com to build a new application. I read the good documentation on their site but I am afraid there is something I might be missing out.

I understand that I can add DB data from the application. Assume I want to save some "note" to DB from my Android application - As I can see I am calling from the Android SDK a method that saves it into my DB:

String data = txtnote.getText().toString(); // read the note from the view
ParseObject note = new ParseObject("Notes"); // saves to notes DB
note.put(USER_NAME_KEY, username);
note.put("note", data);
note.saveInBackground(new SaveCallback() 
{
    @Override
    public void done(ParseException e) 
    {
        // DO SOMETHING
    }
});

I am wondering whether this code is safe? It seems that if someone tries to reverse engineer my code he can actually see some information about my parse account (when I initialize the application I use APP_ID and CLIENT_KEY). If I compare it to using a REST API installed on some server then I only send the data I want to store with the authentication key for the user?

Am I missing anything? Is there a way to completely make some king of REST API on parse.com using the cloud code? without only the need to to some operations before save?

I will appreciate your answers and if you can direct me somewhere I can learn more.

ashoke · Accepted Answer · 2014-10-10 00:59:04Z

1

APP_ID and CLIENT_KEY are just used for making a connection to parse servers, not authorization to modify your data. MASTER_KEY is the crucial and important one, and you will not have that plain in your apk, so nobody can reverse engineer your apk for it. Please see this notes on connection between client and server on parse doc site.
Yes, certainly you should move data sensitive operations to cloud code, and only do not-so-sensitive ops in your clients/apps. See this notes on implementing business logic and security related ops in cloud code using the MASTER_KEY.
Additionally, you should consider taking advantage of Class level and object level (ACL) restrictions and access permissions. When you create your data model, make sure to carefully configure their access levels.

answered Oct 10, 2014 at 0:59

ashoke

6,4712 gold badges28 silver badges25 bronze badges

Sign up to request clarification or add additional context in comments.

4 Comments

user1002065 Over a year ago

Thank you for your detailed comment. Is there a way to user cloud code as a REST API that I can configure to a resource URL? Instead of using the predefined operations before\after save\delete?

ashoke Over a year ago

@user1002065 All your parse data model can be accessed via REST api already

user1002065 Over a year ago

Hi, that I know, but I am asking whether I can add my own functionality in addition to the out of the box REST they provide. I want to add some custom business logic in the middle. Is it possible? Thanks

ashoke Over a year ago

@user1002065 yes it is. Add custom logic in cloud code, it gets automatically called when you REST api calls, just like non-REST api calls. You can even use webhooks if you want to customize the cloud code even further

Collectives™ on Stack Overflow

Is using parse.com framework safe?

1 Answer 1

4 Comments

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

1 Answer 1

4 Comments

Your Answer

Sign up or log in

Post as a guest

Related