Queues for Mobile Web Application Security Architecture?

Question

Dear Security Mavens (of which I am not),

Your thoughts & suggestions regarding an application architecture for a mobile web application (e.g., HTML5 with Sencha Touch) are invited & welcomed.

To what degree would/does the use of queues (e.g., Amazon AWS' SQS) increase/decrease/have no effect on mobile web app security?

What do you think of this approach?

1. A user (say on an iPhone or Droid) uses their smartphone browser (e.g., Mobile Safari on the iPhone) to access a mobile web application via SSL.

2. The application on the server side of the URL does virtually no processing...except to accept JSON messages from the MWA (Mobile Web App)...INSERT those messages into one queue (AWS SQS)...monitor a second AWS SQS queue for a resulting message...which the Server-side app basically only returns to the MWA.

3. The "real" work of the App is done...on yet-another-server which is taking messages from the first queue...doing all the processing...formatting a response...and PUSHING the response (a JSON Object) onto the the second queue.

The thought process here is: the bad guys can't gain access to the processes running on the server doing the "real" work...which is also where the application's databases would be kept.

BECAUSE I haven't found this application architecture approach discussed in any of the threads (at least, not in a form that I recognize the architecture), I wonder if there are well-known issues (at least, well-known for security pros, such as yourselves) which render the approach un-attractive?

What do you think? Would this approach impeded the bad-guys? Naively fall into a well-known bad-guy exploit? Or...what?

Many, many thanks in advance for your comments and suggestions!

Answer 1

This basic concept is pretty standard for web applications, with Presentation Servers in the DMZ talking to Application Servers inside the network that then request data from Database Servers.

Or sometimes there are just two layers, but they are segregated by firewalls or routers with access control lists.

The communications may be by message passing, queues or direct connection.

Answer 2

This approach is definitely not unattractive. It is (not down to the letter but generally) how many well known web or mobile applications do their stuff. Isolation of the interfaces and systems which the users interact with from the systems which do the processing and data-manipulation is always a good practice.

The other aspect is to make sure malicious data or requests are handled properly even if the request reaches the application or database servers. As long as you follow good enough client side security practices (protect against XSS and CSRF, validate any session data server side to make stealing cookies difficult), the only remaining part is how the user handles their data, and that, you can only do so much about.