I am making an app where a user can upload any image and get a link for that image. By using that link the user can share the image, something like the imgur site. For this purpose I am using Firebase Storage. Now the thing is that the link contains some information, and I'm worried a user might exploit it.
https://firebasestorage.googleapis.com/v0/b/"myappname".appspot.com/o/Image.png?alt=media&token="some token number"
So my question is: is it possible for anyone to exploit or do anything harmful through the above link? I'm not using any authentication rules for storage.
What you're showing is a download URL to a file in Cloud Storage. Anyone that has this URL can read the file associated with it, regardless of the security rules you've set up.
That is precisely the level of abuse you're opening yourself up for when you share this URL with someone: they can read the file, and/or share the URL with others who can then do the same.
This is the same as when you'd give them the URL to another file that is hosted on a service you own - and which is not secured.
I have an Android and an iPhone app, and the apps are getting data from my website based on some conditions the user selects in the app.
I created a secret URL that is not open to the public (it can't be found on our website), using a hash code that I thought was secure enough. Something like the following:
http://test.com/data/get_data.php?key=akl;sd8234
The extra conditions selected in the app are appended to the same URL as query parameters.
Based on the conditions, the PHP file then outputs data in JSON format.
However, I discovered recently that someone else created the exact same app and is actually getting data from my server, from the secret URL that I created. The reason I know is that I changed something on that secret get_data.php page and it was reflected in their app.
I don't know how they got hold of my URL. Is there a more secure way to pass the data from my web server to the app so others can't steal my data?
You should create an API with Basic Auth or OAuth. You can't rely on your URL because it can be caught in logs.
Check this course out
In addition to shayegh's answer, you need to understand that every endpoint that you access within your application is public by nature. Everyone can access your server's endpoint just as well as your mobile application (created by you) can. However, you can make your server's endpoint protected by adding authorization requirements on your endpoint.
Authorization
There are many authorization protocols out there: OAuth, OAuth 2.0, Basic Auth (credentials like email and password), etc. All of these are just ways to grant someone access to resources in your endpoint. Think of it as a lock on your home door: only someone with a key can go into your house and make a mess.
Please keep in mind that this is a very simplified version of what authorization protocols actually look like, how it actually secures the distribution of access keys/tokens, etc.
Additional questions and answers
I tried to generate log files from my Android phone, and I can't seem to find the .php file in the log files. Is it possible for someone to decode the Android app or the iPhone app so that they can view my source code?
Answer: I would always assume that everything that is happening on the client's side (mobile app, web app front end, etc.) is beyond my control. That means anyone can access, read, or tweak my client applications. With that said, I would assume that it is indeed possible for someone to unravel your Android / iPhone app (get the source code) to get your client-side keys.
How would this (OAuth/Basic) help? Surely the person creating the other app would just add the OAuth/Basic Auth as well, wouldn't they?
In order for that other person to access the protected endpoint they would need to have access to the access tokens of the original app. On top of that, they would need to do it fast, because usually access tokens only last for a short period of time.
Will using a Basic Auth or OAuth key work if they are able to see my code?
Yes and no. Depending on your implementation, attackers might be able to unravel your app and somehow fetch users' credentials or tokens through bad practices.
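To make the difference between a static secret in the URL and a short-lived access token concrete, here is an added example (not code from either answer, and not the asker's PHP) written in Python as a stand-in for get_data.php. The server secret, the 15-minute lifetime and the `handle_get_data` request shape are assumptions for the example; the point is that a leaked `?key=` value works forever, whereas a signed token stops working once it expires, and a token with a modified payload fails the signature check.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed server-side secret for this example. In a real deployment it lives
# only on the server (environment variable or secret store), never inside the app.
SERVER_SECRET = b"example-server-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 900  # 15 minutes: the "short period" the answer refers to


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def issue_token(user_id: str, now: Optional[float] = None, ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Issue a signed, expiring access token after the user has authenticated
    (for example with Basic Auth over HTTPS). The payload says who the token is
    for and when it expires; the HMAC binds both to the server secret."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "exp": int(now) + ttl}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _b64url_decode(payload_b64)
        sig = _b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None  # expired (or malformed) tokens are worthless to whoever copied them
    return claims.get("sub")


def handle_get_data(query_key: Optional[str], bearer_token: Optional[str],
                    now: Optional[float] = None) -> Tuple[int, str]:
    """Stand-in for get_data.php. The old static ?key= parameter is ignored
    entirely; only a valid bearer token grants access. Returns (status, body)."""
    user = verify_token(bearer_token, now) if bearer_token else None
    if user is None:
        return 401, '{"error":"unauthorized"}'
    return 200, json.dumps({"user": user, "data": ["item1", "item2"]})


if __name__ == "__main__":
    token = issue_token("alice")
    print(handle_get_data("akl;sd8234", None))   # the leaked-style key alone: 401
    print(handle_get_data(None, token))          # fresh token: 200
```

The token format here is a deliberately minimal HMAC scheme; in practice a standard such as OAuth 2.0 bearer tokens or JWTs gives the same property (server-verified signature plus expiry) with an established library.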
I am trying to create an app using Android Studio. My client wants an app for their online medicines website, wherein the user can take a photo of their prescription; the photo will be accessible by the admins, and they can use that image to understand what the user requires and deliver those medications to the user's doorstep.
So can anyone please guide me through with making this page, or maybe share a link where the making of such a page is shown? Would be really helpful, thank you for giving me your time.
There can be several possible approaches for this type of question/requirement. I am mentioning a few steps to guide you through the process.
1. You will have to create a web server which will store the user data (profile, uploaded prescriptions, etc.). The textual user data will be stored in the database; the images, however, will be uploaded to a directory on the server, and their corresponding links will be stored in the DB for reference.
2. There will be a web server API which will fetch the user data (user unique ID) from the app and then store it in the DB. The image part can be accepted in several ways: multipart, Base64 encoded, or converted to a byte array. All these methods will send the image data from the Android app to the web server, which will follow the logic mentioned in Point 1 and save the image.
3. The Android app will have an activity where the user will either capture an image of the prescription form using the camera, or can upload the image (if already captured/downloaded). You can learn how to do this from links such as these:
   https://developer.android.com/training/camera/photobasics
   Dialog to pick image from gallery or from camera
4. The Android app will send the unique ID of the user, along with the image data, to the web server API, which in turn processes it as per Point 2.
You can start implementing the process and then come back to StackOverflow again for guidance. There are numerous tutorials implementing similar functionality too.
https://www.simplifiedcoding.net/android-upload-image-to-server/
http://programmerguru.com/android-tutorial/how-to-upload-image-to-php-server/
https://www.codepool.biz/take-a-photo-from-android-camera-and-upload-it-to-a-remote-php-server.html
All the best!
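The answer's Points 1 and 2 describe the server side in outline only. Below is an added example, written in Python rather than the PHP the linked tutorials use and not taken from any of them, of what that upload endpoint should do before it saves a prescription image: decode either transport named in Point 2 (raw multipart bytes or a Base64 string), cap the size, decide the file type from the bytes rather than a client-supplied name, store under a random server-chosen filename, and record the owner so that only the uploading user or an admin can resolve the stored path. The upload directory, the in-memory `DB` dict and the sample PNG bytes are constructed for the example.

```python
import base64
import os
import secrets
import tempfile
from typing import Dict, Optional

MAX_IMAGE_BYTES = 5 * 1024 * 1024  # prescriptions are photos; refuse anything larger
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
}

# Constructed stand-ins for the web server's upload directory and its DB table.
UPLOAD_DIR = tempfile.mkdtemp(prefix="prescriptions-")
DB: Dict[str, dict] = {}


def decode_upload(encoding: str, data) -> bytes:
    """Accept the transports the answer lists: raw multipart bytes (or a byte
    array given as a list of ints) or a Base64 string. Bad Base64 raises."""
    if encoding == "multipart":
        return bytes(data)
    if encoding == "base64":
        return base64.b64decode(data, validate=True)
    raise ValueError(f"unsupported encoding: {encoding}")


def sniff_extension(image: bytes) -> Optional[str]:
    """Pick the extension from the magic bytes, never from the uploaded filename."""
    for magic, ext in SIGNATURES.items():
        if image.startswith(magic):
            return ext
    return None


def store_prescription_image(user_id: str, encoding: str, data) -> dict:
    """Validate and persist one uploaded prescription image for user_id.
    Returns the stored record; raises ValueError when the upload is rejected."""
    image = decode_upload(encoding, data)
    if not image or len(image) > MAX_IMAGE_BYTES:
        raise ValueError("image missing or too large")
    ext = sniff_extension(image)
    if ext is None:
        raise ValueError("not a PNG or JPEG")
    # Random server-chosen name: no path traversal from client input, no guessable URLs.
    name = secrets.token_hex(16) + ext
    path = os.path.join(UPLOAD_DIR, name)
    with open(path, "wb") as fh:
        fh.write(image)
    record_id = secrets.token_hex(8)
    DB[record_id] = {"owner": user_id, "path": path, "size": len(image)}
    return {"id": record_id, **DB[record_id]}


def fetch_for_viewer(record_id: str, viewer_id: str, is_admin: bool) -> Optional[str]:
    """Only the uploading user or an admin may resolve a record to its stored path."""
    rec = DB.get(record_id)
    if rec is None:
        return None
    if is_admin or rec["owner"] == viewer_id:
        return rec["path"]
    return None


# Constructed sample input: a PNG signature followed by filler. It is not a
# viewable picture, but it exercises the type sniffing and storage path.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
SAMPLE_PNG_B64 = base64.b64encode(SAMPLE_PNG).decode("ascii")

if __name__ == "__main__":
    rec = store_prescription_image("user-42", "multipart", SAMPLE_PNG)
    print(rec["path"], fetch_for_viewer(rec["id"], "user-99", False))  # path, None
```

The record's `path` is what Point 1 calls the "corresponding link stored in the DB"; it is handed out only through `fetch_for_viewer`, so an admin view and the user's own view work, while another user's ID gets nothing.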
I have an app that reads some CSV data from a file in the DocumentsDirectory but I would like to be able to read similar data into the app via an email attachment or by feeding it to the app on start up. I know I can use iCloud, Box or other sharing schemes but I'd like to select the attachment in an email and open the attachment with my app. I'm not sure my intended users would have iCloud or such access points.
Due to security reasons, this may not be possible. Your file should be in the Resources or Documents directory.
But you may be able to update data from a CSV by loading it from a web server. The user may click on an "Update" button to get the new content.
I am very new to this concept. When I share my image and text to another app, my domain name is visible, but I want to encrypt it, and when the user clicks that link it should redirect to my Play Store app URL. I googled it but I am not getting any solution for it. I saw this functionality in many apps; please help me with how to do this. Below, one of the apps shows it like this: I need to encrypt and redirect to the Play Store without opening that URL. Please, can anyone help me with how to do that? Below, one of the apps is using encryption and redirection like this without showing their main URL.
Here is the image:
What you see in the image is not encrypted. It's a URL shortener, and in this case it's from Google. Documentation about the Google URL Shortener
I think to make safe calls you need to encrypt it while sending, and when the user clicks on that image and you want to redirect to the Play Store URL, decrypt it.
I found one library to do this job; below is the link to an example:
https://github.com/simbiose/Encryption/blob/master/Examples/Android/app/src/main/java/se/simbio/encryption/MainActivity.java
I'm building an Android application that I want to publish only once, but I want it to connect to 2 different servers. The application will be downloadable with a QR code.
For example, my friend has a movie database on his own server and I have one. Without manually writing the server URL in the application settings, I wanted to modify the .APK file or the QR code, giving it a parameter. So when my friend scans the QR code which I make for him, I want his app to connect to his server. When I scan my QR code I want it to connect to mine, right after the installation of the .APK.
Is this possible? Or are there any suggestions for how I can put the server URL "somewhere" without entering it manually in the code?
There is another option: making a text field that the user can fill by scanning a QR code. But for me, that is still manually entering the URL.
Any suggestions or advice are welcome.
What is the problem with storing the server URL in preferences and making an extra Activity to grab the QR code from the camera and change the preference?
This isn't supported functionality on install. There's no way to link to an Android Market URL with extra information to be executed as a post-install script. You can include a QR code scanner in your app (I believe ZXing is open source and/or free to use, for example), and you can have the server info encoded in the QR code. You can save this to any persistent storage (such as SharedPreferences or SQLite) and then use it for all future data requests.
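Both answers have the app read a server URL out of a scanned QR code and keep it in persistent storage. Since the app will then send all of its requests to whatever it scanned, the part worth writing down is the check between scanning and saving. Here is an added example in Python (a stand-in for the Android Activity; it is not ZXing or SharedPreferences code) that accepts only an https URL with a host and no embedded credentials, query or fragment, and stores it in a small file-backed preference store. The `Preferences` class, the `server_url` key name and the file path are assumptions for the example.

```python
import json
import os
import tempfile
from typing import Optional
from urllib.parse import urlsplit


def parse_server_url(qr_text: str) -> Optional[str]:
    """Return a normalised base URL if the scanned text is acceptable, else None.
    Only https with a host is accepted; user:pass@ prefixes, query strings and
    fragments are refused, so a mistyped or hostile QR code cannot point the app
    at a plain-http server or smuggle credentials into the stored URL."""
    parts = urlsplit(qr_text.strip())
    if parts.scheme != "https" or not parts.hostname:
        return None
    if parts.username or parts.password or parts.query or parts.fragment:
        return None
    path = parts.path.rstrip("/")
    return f"https://{parts.netloc}{path}"


class Preferences:
    """Minimal file-backed key/value store standing in for SharedPreferences."""

    def __init__(self, path: str):
        self.path = path

    def load(self) -> dict:
        if not os.path.exists(self.path):
            return {}
        with open(self.path) as fh:
            return json.load(fh)

    def save(self, prefs: dict) -> None:
        with open(self.path, "w") as fh:
            json.dump(prefs, fh)


def apply_scanned_qr(prefs: Preferences, qr_text: str) -> bool:
    """What the scanning Activity does with a decoded QR payload: validate it,
    and only then overwrite the stored server URL. Returns False on rejection."""
    url = parse_server_url(qr_text)
    if url is None:
        return False
    data = prefs.load()
    data["server_url"] = url
    prefs.save(data)
    return True


def server_url(prefs: Preferences) -> Optional[str]:
    """What every later data request reads before building its URL."""
    return prefs.load().get("server_url")


if __name__ == "__main__":
    store = Preferences(os.path.join(tempfile.mkdtemp(), "prefs.json"))
    print(apply_scanned_qr(store, "https://movies.friend.example/api/"))  # True
    print(apply_scanned_qr(store, "http://movies.friend.example/api/"))   # False
    print(server_url(store))  # https://movies.friend.example/api
```

A rejected scan leaves the previous setting untouched, so an app that already points at one server cannot be silently redirected by a bad code; the user just sees that the scan was refused.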