I use Parse on a couple of projects; I also work (separately, I hasten to add!) on apps for carriers with significant security issues.
I would say that you shouldn't really worry about 'sniffing' traffic, because whatever countermeasures you take, chances are that if someone cares enough they'll work around them.
Parse has an access-control model for objects: objects can have read/write permissions for users, groups, or everyone. For example, you might have an object in Parse representing a comment, which the owner could edit and everyone else read.
Obviously the Parse API itself is rather public, and it wouldn't take a huge amount of skill to extract your client keys from an Android / iOS app, but as long as you've designed your ACL (access control list) correctly, it won't matter, as your user will have to be logged in and authenticated to access sensitive objects.
But it's possible to edit the ACL from a client. Isn't that a potential weakness?
Editing the ACL is subject to the same access restrictions, similar to how Unix ACLs work. So, for most cases this is sufficient. If you have more complex security needs, we're glad to discuss how individual apps can be secured. Drop us a line at feedback at parse.com.
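To make the access-control model described above concrete, here is an added example, not code from Parse or from anyone in this thread, that simulates Parse's ACL checks in memory. The session table, the role membership, the stored objects and identifiers such as `u_alice` and `tok-alice` are all constructed assumptions; the ACL JSON shape (keys of user id, `role:<name>` or `*`, each with `read`/`write` flags) follows Parse's documented format. It shows the two points made in the thread: a caller holding only the extracted client keys is anonymous and gets exactly what the public (`*`) entry grants, and changing an object's ACL requires write permission on that object, so a client cannot grant itself access.

```javascript
// Added example: an in-memory model of Parse-style ACL enforcement.
// Everything below (sessions, roles, objects) is constructed sample data.

// Constructed: session token -> user id (in real Parse this lives server-side).
// A caller with only the app/client keys and no session token is anonymous.
const SESSIONS = { "tok-alice": "u_alice", "tok-bob": "u_bob", "tok-mod": "u_mod" };

// Constructed: role name -> member user ids.
const ROLES = { Moderators: ["u_mod"] };

// Resolve the caller's user id from an optional session token; null = anonymous.
function resolveUser(sessionToken) {
  return sessionToken && SESSIONS[sessionToken] ? SESSIONS[sessionToken] : null;
}

// Does userId (null for anonymous) hold `perm` ("read" or "write") under acl?
// ACL shape: { "*": {read}, "<userId>": {read, write}, "role:<name>": {...} }
function hasPermission(acl, userId, perm) {
  if (acl["*"] && acl["*"][perm]) return true;            // public grant
  if (userId === null) return false;                       // anonymous: nothing else applies
  if (acl[userId] && acl[userId][perm]) return true;       // direct grant to this user
  for (const [role, members] of Object.entries(ROLES)) {   // grant via role membership
    const entry = acl["role:" + role];
    if (entry && entry[perm] && members.includes(userId)) return true;
  }
  return false;
}

// Constructed object store: a public comment owned by Alice that Moderators may
// edit, and a private draft only Alice can see.
const store = {
  comment1: {
    text: "first!",
    ACL: {
      "*": { read: true },
      "u_alice": { read: true, write: true },
      "role:Moderators": { write: true },
    },
  },
  draft1: {
    text: "unpublished",
    ACL: { "u_alice": { read: true, write: true } },
  },
};

// Fetch an object; requires read permission on it.
function getObject(id, sessionToken) {
  const obj = store[id];
  if (!obj) return { ok: false, error: "not found" };
  const user = resolveUser(sessionToken);
  if (!hasPermission(obj.ACL, user, "read")) return { ok: false, error: "forbidden" };
  return { ok: true, text: obj.text };
}

// Update fields on an object, the ACL included. The ACL is just another field
// guarded by the object's write permission, which is why a client that can't
// write the object can't rewrite its ACL to let itself in.
function updateObject(id, sessionToken, changes) {
  const obj = store[id];
  if (!obj) return { ok: false, error: "not found" };
  const user = resolveUser(sessionToken);
  if (!hasPermission(obj.ACL, user, "write")) return { ok: false, error: "forbidden" };
  Object.assign(obj, changes);
  return { ok: true };
}
```

Note what the owner's write permission does allow: Alice can tighten or loosen `comment1`'s ACL at will, so the app's security still depends on the ACL each object is created with. Anything created with a world-writable ACL stays writable by the anonymous caller who extracted your keys.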
Thanks. And I will likely do that. Before I do, and if I could borrow some more of your time: would using Parse qualify an app as containing encryption, with regard to the App Store submission guidelines?
Parse does use https:// connections for all data, so you should take whatever action you would normally take for an application that communicates over https. That is the only form of client-side encryption used.
There is per-user authentication. The PFUser class (on iOS; ParseUser on Android) handles this sort of authentication automatically for you, and there are also hooks to do it with a bit more effort through the REST API.
Having seen how easy it is to look at the plain traffic a mobile app sends with http://mitmproxy.org/, I would have concerns about using this.
Or is there some per user authentication?