Question on connection of Atlas db with application

Hello, everyone,
I am developing a card game for mobile devices and while searching for a system to save all player data, I came across MongoDB!
I am following the basic lessons of MongoDB, but I have some doubts that I hope some of you can clear up for me.
As I wrote to you just now, I would need to constantly save all my players’ data, so that they are always safe and updated in real time (cards owned, statistics etc.), if I use a service like Mongo Atlas, can I have the application communicate directly with my db? If yes, is there a way to make the communication secure? I ask this because I wanted to understand if a user, by decompiling the app, can manage to enter the db and have access to all the data.
If not, do you have any advice to give me on this, perhaps on the best method to use for my needs?

Thanks

Hi @Andrea.

Atlas have a built in security mechanisms to verify that the cluster is secured.

  • Username/Passwords - do not expose those in plain files
  • SSL/TLS for all of the connections
  • X509 or AWS IAM authentication to strengthen the application identity.

Additional available mechanisims

  • Encryption at rest
  • LDAP and Auditing integrations

https://docs.atlas.mongodb.com/setup-cluster-security/

If you follow our best practices and recommendations your application should be secure.

Having said that, if you want an ease and agility of mobile development with all the above cluster security as well as integrated Auth providers (Google/Facebook/JWT etc) consider exploring the MongoDB realm platform:

Please let me know if you have any additional questions.

Best regards,
Pavel

Your mobile application should not communicate directly with your MongoDB Atlas cluster. MongoDB Realm (or equivalent) must be in between to handle authentifications and permissions. If you choose not to use MongoDB Realm, then you need your own backend system to manage the authentifications and access rights.

Also, if you want to deploy a new version of your mobile app and change the data model or something else, you will have to make sure you are retro-compatible with the oldest version as some users might never do the update.

You need a backend service in between to make sure you stay in control. Multitier architecture - Wikipedia

The mobile app is just the presentation layer. It should just present the data. Not manipulate it. Each operation must land in your backend system where your can check if the user is authenticated and check that the user has the required permissions to do this action. You should always be in control of your data. The “orders” should not come from systems you don’t have control over.

Thank you for your answers @Pavel_Duchovny, @MaBeuLux88!
I think MongoDB Relam is for me! By giving users the ability to connect directly to the Atlas db, I would give them the ability to modify their data at will, and this doesn’t have to happen (for example a player who buys a 5 gold pack might tamper with the request and add 5000 gold instead of 5 to his account).
I’ve given a quick read to Relam’s features, and I think I’ve figured out that I need the features. I could write features that interact with the db, and have users call up those features (this way I don’t give users direct access to the db). Right? Or are there better methods to use?

I also have another question: Is it possible to call up functions via an HTTP request of the app and have an answer (for example a JSON file) always via HTTP? To make a simple comparison, as would happen with a .php page that communicates with a MySQL db.

Hi @Andrea,

Yes those are called Http webhooks;.
https://docs.mongodb.com/realm/services/http/#incoming-webhooks

See this post as well:

Thanks
Pavel

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.