I came across a very useful local SaaS company today and whilst scanning through their API docs, I came across some sample code that used HMAC signatures in a way that kinda struck me as odd. I’ve included the Python version for brevity but it’s the same across all the listed languages.
So here’s the rub:
- If you ask the dev to sign and verify the messages, then surely you assume the message may be intercepted and modified in transit or at rest somewhere in the chain. This is a safe and modern assumption even with HTTPS.
- Since SMS content can be very confidential, it is bad enough to allow an attacker to even observe the message. You can provide both confidentiality and integrity by encrypting and decrypting messages with
  a) RSA or elliptic curve keys where the public keys are pinned to the app, or
  b) AES symmetric keys that are unique to the app.
Is anyone using HMAC signatures over HTTPS? Is anyone pinning certificates to their app? It would be good to have a discussion on the merits of both design choices.
NB: To be clear, there is no egregious flaw in the code. It is just worth considering that HMAC signatures may be the wrong tool if you are concerned about your app’s data being intercepted.
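The trade-off above, as an added example that is not the vendor's sample code: an HMAC-signed message detects tampering but travels as readable plaintext, while an authenticated cipher hides the body and still detects tampering. The payload, keys and helper names are constructed for illustration, and AES-GCM from the third-party `cryptography` package is an assumed choice for option b), since the post does not name a mode.

```python
import hashlib
import hmac
import os

try:  # third-party "cryptography" package; only the AES-GCM half needs it
    from cryptography.exceptions import InvalidTag
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
except ImportError:
    AESGCM = None

# Constructed sample payload and random keys, not taken from any vendor's docs.
SMS = b'{"to": "+15550100", "body": "Your reset code is 493021"}'
MAC_KEY, AES_KEY = os.urandom(32), os.urandom(32)  # stand-ins for per-app secrets

def sign(key: bytes, body: bytes) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verify(key: bytes, body: bytes, signature: str) -> bool:
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(sign(key, body), signature)

def seal(key: bytes, body: bytes) -> bytes:
    nonce = os.urandom(12)  # must never repeat under the same key
    return nonce + AESGCM(key).encrypt(nonce, body, None)

def open_sealed(key: bytes, blob: bytes):
    try:
        return AESGCM(key).decrypt(blob[:12], blob[12:], None)
    except InvalidTag:
        return None  # ciphertext or tag was modified in transit

def demo() -> dict:
    sig = sign(MAC_KEY, SMS)
    tampered = SMS.replace(b"493021", b"000000")
    out = {
        "hmac_ok": verify(MAC_KEY, SMS, sig),
        "hmac_tampered_ok": verify(MAC_KEY, tampered, sig),
        "hmac_body_readable": b"493021" in SMS,  # wire bytes are the plaintext
    }
    if AESGCM is not None:
        blob = seal(AES_KEY, SMS)
        flipped = blob[:-1] + bytes([blob[-1] ^ 1])  # one bit changed in the tag
        out["gcm_body_readable"] = b"493021" in blob
        out["gcm_roundtrip"] = open_sealed(AES_KEY, blob) == SMS
        out["gcm_tampered"] = open_sealed(AES_KEY, flipped)
    return out
```

Both schemes reject the modified message; only the sealed one keeps the reset code out of view of anyone who can read the bytes in transit or at rest.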