
List of domains that the application uses

Mauro
Mt. Kenya

Hi All, 
I am looking for the list of domains that the application uses (e.g., api.strava.com, etc...) or a list of IP addresses for the application. 

I need it in order to detect the traffic originated from Mobile users to Strava and allow this traffic while stopping all the other. 

Many thanks for your help. 

1 ACCEPTED SOLUTION

Elliott
Community Manager

Hi there, 

We've escalated this request to our support team and your inquiry will be handled accordingly. 


6 REPLIES

JorisCohort
Mt. Kenya

Hey @Elliott ,

Is there any news about this subject? Thanks


endurabyte
Shkhara

Hello,

A safelist of IP addresses and/or IP address blocks is necessary. Otherwise it would be possible for anyone who knows my routes to call. Garmin provides this to its developers.

Here's what I've seen on my webhooks today:

[Screenshot: Screenshot 2023-08-23 132801.png]

My strategy without further support will be to allow only these that I see as a result of my interactions during development.

Please also remove blocking the sharing of IP addresses. Good grief.

[Screenshot: Screenshot 2023-08-23 132829.png]

Thanks,

Doug

Founder, EnduraByte LLC. Check out FitEdit, our Training Data Editor. https://www.fitedit.io/

Offering additional threat assessment and mitigations in the absence of an IP safelist:

When considering all of the exposed Strava endpoints on my webserver, I don't see any serious threats (other than DOS attacks) except the webhook callback, which needs some special attention:

  • Token exchange endpoint (Where you redirect your users after the authorize page).
    • Threat model: This endpoint accepts a token code. The fact that a code exists means the user gave permission; interception is of no value. Moreover, only a legit user will have one that can be exchanged for an access token.
    • Mitigation: Detect a non-success status code from Strava at /oauth/token.
    • Caveats: You can still get spammed (DDOSed) with bogus codes. Strava might think you are the threat calling /oauth/token too much.
  • Callback challenge (with hub_challenge and verify_token).
    • Threat model: Only Strava will have your verify_token.
    • Mitigation: Check the verify_token.
    • Caveats: 
      • You can still get spammed (DDOSed) with bogus codes. There's no call to Strava, so they don't think you are a threat.
      • Your token could be guessed (try until they get an echo back), but it's not of much value. The user will just get their challenge echoed back.
  • Webhook callback
    • Threat model:
      • Subscription IDs seem to be issued sequentially, and I am getting IDs less than 250,000, so it's possible someone could scan them linearly and discover yours.
    • Mitigations:
      • Check given subscription_id against your known ID(s).
      • Check owner_id against your known authorized users.


Hope that helps,

Doug

Founder, EnduraByte LLC. Check out FitEdit, our Training Data Editor. https://www.fitedit.io/
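One way to implement the callback-challenge and webhook-callback mitigations Doug lists above (check the verify_token, then check subscription_id and owner_id against known values), as an added example that is not part of this thread or of Strava's own code. The query-parameter names hub.verify_token and hub.challenge, the JSON field names subscription_id and owner_id, and every ID value are assumptions or constructed placeholders.

```python
import hmac

# Constructed configuration: placeholder values, not real Strava identifiers.
VERIFY_TOKEN = "replace-with-a-long-random-secret"
KNOWN_SUBSCRIPTION_IDS = {123456}          # ID(s) returned when the subscription was created
AUTHORIZED_OWNER_IDS = {1001, 1002, 1003}  # athlete IDs of users who completed OAuth with us


def handle_challenge(query, verify_token=VERIFY_TOKEN):
    """Validate the subscription challenge (GET) and echo hub.challenge only on a match.

    Assumes the parameters are named hub.verify_token and hub.challenge
    (the thread mentions hub_challenge and verify_token; exact names are an assumption).
    """
    supplied = query.get("hub.verify_token", "")
    # Constant-time comparison so response timing does not leak how many bytes matched.
    if not hmac.compare_digest(supplied.encode(), verify_token.encode()):
        return 403, None
    return 200, {"hub.challenge": query.get("hub.challenge", "")}


def handle_event(event, known_subscription_ids=KNOWN_SUBSCRIPTION_IDS,
                 authorized_owner_ids=AUTHORIZED_OWNER_IDS):
    """Apply the two webhook-callback mitigations from the thread to a POST event body.

    Returns (http_status, reason). An unknown subscription_id or owner_id is dropped
    before any further processing, so a scanned or guessed subscription ID gets nothing.
    """
    sub_id = event.get("subscription_id")
    owner_id = event.get("owner_id")
    # Require real integers: a string "123456" or a bool must not slip past the set lookup.
    if type(sub_id) is not int or sub_id not in known_subscription_ids:
        return 403, "unknown subscription_id"
    if type(owner_id) is not int or owner_id not in authorized_owner_ids:
        return 403, "owner_id not an authorized user"
    # Only now is the event safe to queue for processing (e.g. fetching the activity).
    return 200, "accepted"


if __name__ == "__main__":
    # Constructed sample events: one legitimate, one carrying a neighbouring subscription ID.
    for ev in ({"subscription_id": 123456, "owner_id": 1001, "object_type": "activity"},
               {"subscription_id": 123457, "owner_id": 1001, "object_type": "activity"}):
        print(ev["subscription_id"], handle_event(ev))
```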

SzymonWo
Shkhara

Hi @Elliott 

When can we expect the solution or any answer?

SzymonWo
Shkhara

@Elliott Is there any response on that question? I also need to restrict the traffic to my server, and allow only connections from Strava. Thanks.

Elliott
Community Manager

Hi there, 

We've escalated this request to our support team and your inquiry will be handled accordingly.