I made an application which connects to SQL Server and write/read data and it works only on my IP address. I could can allow every IP address, is this risky or is there no way someone can see my database log in data?
It is 100% dangerous.
According to tags, I guess you are connecting to a SQL Server via an Android app. If that's the case, there are TONS of ways to find the credentials. For example, one can intercept the requests, decompile your code, or...
Even if you hadn't an Android app published, your server will be under heavy brute-force attacks on the Internet.
At least, you need a webserver to handle authentication, on your web server and then the web server connects to your database in a very limited and safe way.
Related
I want to have multiple clients that connect to a server over LAN and access/modify the mySQL database in the server.
How would i go about doing this? Can you guys provide some resources/links that i could research on the topic
To answer your question, you should be able to connect to a mysql database by adding the jdbc driver to your project as a jar file in Android Studio.
Now for a real app that you plan to distributed to thousands of users there are Security issues, Performance issues, and Scalability issues.
Security issues:
You expose your database directly to the internet by opening its port to public access for the apps to connect. A web app adds a layer in the middle, keeping the database access inside the intranet.
You expose your data directy to the public by providing at least one public account known by everybody (I assume this would be the way to access because managing one account per user wouldn't be realistic). A Web app isolates the user account from the database accounts.
By providing access this way, as android mobile devices can be rooted, you are potentially granting anonymous access to your data.
Performance Issues:
With a web app in the middle, it is the webapp who manages the
connections to the database. This enables sharing connections
amongst different users vs. one dedicated connection per user would
have if the different devices estable separate connections.
For the same reason, you can't take advantage of connection pooling,
which saves the overhed of establishing a connection to the database
for each incoming request.
Scalability issues:
As connections are not shared the number of concurrent users will be bound to the number of connections you can open at the same time to the database.
EDIT 1
I am adding an alternative I thought of which involves using a web application but it is not implemented using a webserver. It is a java NIO framework that runs on its own. The limitations of this solution is you need shell access to the server and java, which is not common in traditional hostings. Checkout Netty.
There are 2 ways how to do perform your task. You can either add the JDBC driver in android studio, or better implement a REST API that connects to your database, and all the android clients can send HTTP requests to the server and the server will add the information for you. Here you can implement the create, update, delete methods. For HTTP requests you can use Retrofit or Volley libraries.
If you want to use JDBC, check out the answer here How to Mysql JDBC Driver to android studio
But the best and most correct solution for this type of problems would be a REST Service
In the long run, you really need a "client" application between "users" and the database. It is usually done via a webserver, plus PHP/Java/VB/.... Yes, it requires you learn yet another language, but that is not something to avoid in a serious application.
The client can help (and hurt, if done adequately) with security. The client can insulate users from database changes, which will eventually happen. The client should 'abstract' the interface to the DB so that the users do not have to be SQL-savvy. Etc.
You have might installed WAMP Server / XAMPP Server for mySQL Database
Click on WAMP icon and select Apache, Open "httpd.conf" and find tag starts with
<Directory "c:/wamp/www">
...
</Directory>
and update the code as below
<Directory "c:/wamp/www">
AllowOverride All
Require all granted
Order Deny,Allow
Deny from none
Allow from all
Allow from 127.0.0.1
Allow from ::1
Allow from localhost
</Directory>
Now Create REST APIs in your local server as you might use PHP or whatever,
and connect android app with apis with assigned IP Address to your computer in LAN.
It is not one single answer, but a group of answers. Firstly what you need is the concept of data forwarding through introspected tunnels over the network. At the end of the day, your database is always listening on certain port, that is local to your machine, meaning only you can access and modify the contents of the database. For example if you access PHPMyAdmin, you can go the MySQL address on your local machine.
What you need to do is make that access public to the internet, what you need is to broadcast your existence(internet protocol address) to the web. Thus making a public hub, in short, Local-tunnels allows you to easily share a web service on your local development machine without messing with DNS and firewall settings.
By tunneling your local machine to web , anyone with the assigned IP address can access your machine(database) over any connection,not just LAN or WI-FI. There are many options to choose from, There is ngrok,which exposes a local server behind a NAT or firewall to the internet.
Features are,
Don’t constantly redeploy your in-progress work to get feedback from clients. ngrok creates a secure public URL (https://yourapp.ngrok.io) to a local webserver on your machine. Iterate quickly with immediate feedback without interrupting flow.
Test mobile apps against a development backend running on your machine. Point ngrok at your local dev server and then configure your app to use the ngrok URL. It won't change, even when you change networks.
Building web hook integrations can be a pain: it requires a public address and a lot of set up to trigger hooks. Save yourself time and frustration with ngrok. Inspect the HTTP traffic flowing over your tunnel. Then, replay web-hook requests with one click to iterate quickly while staying in context.
Own your data. Host personal cloud services on your own private network. Run web-mail, file syncing, and more securely on your hardware with full end-to-end encryption.
Its really great, however there is a side note, because this procedure opens up your local machine and renders it IP accessible on the internet, many different security challenges arise, so it is only recommended for testing purposes with none sensitive data.
Hope this helps:)
I'm thinking develop android application,Where is s/he?.
If client 'A' request location of client 'B',Server connect client 'B' and get gps location of client 'B' and server response to client 'A'
Application should work in background but should not force hard to mobile device.
There should be no trafic between client and server if there is no request. Traffic should be if there is request.
Like Skype or whatsup,you can connect client everytime you call or sending message If client is on internet so that my application should work if both users on internet. İf requested client is not on internet then application should send latest known position.
For these porpose,Which protocal should I use? Http(I think no),TCP ,XMPP or android bound service implement my methodlgy?
How do I implement my applcations methods?
thanks
I do not want to offend you, but I think you should start with the fundamentals of android development and distributed systems.
However, here is my answer:
You could use HTTP, but better use HTTPS to be sure, that data is encrypted between the server and the client.
If I were going to create such an app, I'd write a small application on the android device which transmits the position of the device, together with a unique id of the device (probably the IMEI) to a server, encoded in a HTTP(S) request.
Using HTTP would have the benefit, that you could use many different languages on server side, for example PHP (would be my choice, but you could use others).
On the server side you would need to put the recieved data into a database or some other storage.
From there it is your choice what you are going to do and how to present the data. Maybe making a small website?
Regards
Me
I am in need of some help here.
I want to make an Android application that eventually syncs to a web server in order to get information (i.e. user can write a note through the website, and it automatically syncs to the phone).
I am aware that I would need some web servers and hosting, and don't know too much about that so I will look into it later.
MY question, however, is how I can simulate this over a local network?
As in, if I create a basic webpage that has a two text boxes (one for name, one for content) and a 'submit' button, if I run it via localhost WHAT methods can I use to get this information to sync to my handset?
If anyone could be kind enough to give me a laymens terms breakdown it would be seriously appreciated, I feel so lost!
You have some alternatives to achieve what you want, here is a traditional one:
Start with installing XAMPP and run a local server
Write your web pages, store the data in mysql
Write PHP code to extract the data from mysql
Use Android HttpClient to call your PHP
There are other alternatives:
Use the same method but instead of PHP write HTML5 and you have a mobile WEB application
Check out the GCM Demo Application
Check out Google App Engine
Check out Amazon Web Services
There are others
Enjoy :)
Yaron
When you use localhost (meaning you install a server package such as Apache / IIS / XAMPP / WAMP in your computer), your machine becomes a server. So, you can access the localhost from any device which is in the same network.
Say you have a computer connected to a WiFi router. If you setup the server i.e. the localhost in that computer and a laptop and a mobile phone is connected to the same WiFi router, the phone and laptop will be able to get service from the computer.
To access data stored in the MySQL server from the other devices (e.g. the phone), you have to write proper service. Else, you can write a mobile web app in the server that accesses the MySQL data and just access it from the device.
I see many people trying to connect an Android device directly in a database like SQL Server or MySql and the answers are always the same: Use a web service. Why not connect directly an Android device with a database? I'm using a local network with my Android application.
There are a number of reasons.
Security- If the user has direct access, they can get anything from your database. Plus they will have a password into your database. As a result, if the SQL server you are using has a flaw, then they can exploit it. Also, if your permissions are set up wrong, the could wipe your database.
Speed- If the users frequently use large queries, then it can bog down your system quickly and needlessly. If you go through a web interface, you can throttle it.
Accessibility- Web queries are supported by almost everything. It requires special clients to access SQL databases directly.
But if you trust your users completely, have the right libraries/drivers, then you could allow direct querying, and it might even be a bit quicker.
If your app connects directly to the database server you have to hardcode username / password which is very insecure. With some tools an attacker can decompile your apk and can access username / password in this way and can connect to your database with read (+write) access without using your app.
Another reason not to access database directly
Problem If you changed database architecture.
you have two solutions.
1- in direct access you will need to update every Client app
2- using service you only need to upgrading the service.
The reason is the connection
You're not sure how many time you'll have to maintain this connection, if it's stable and if you're not going to lost it
Secondly, web-service are optimized to retrieve an information and serve it beautifully with standarts. You can also cache the informations to spare your DB
I came across a few tutorials online explaining how to connect to MySQL from an Android app, but they are a bit surface.
If I just write SQL and send/receive it in a POST, it seems problematic for a few reasons:
1) Hardcoding SQL with obvious issues there
2) Security concerns about sending sql - is that safe to send that request? or should it only be done via SSL?
3) To connect to the db, in order to insert things, I need to have the db connection info inside the app - is that safe? Can the code be read by someone hacking the device and the apps?
What is the best way to go about connecting and using a remote db from an Android app?
Thanks!!
Wrap everything in an API and manage authentication either with encryption with public/private keys or with a token-based system. You should never, ever, ever accept raw SQL in any way, shape or form from any device or site. Most often if you need live, remote data to run you should reconsider your application workflow and work off slightly stale data or provide the information in the background due to the possible spotty connections. Hitting even an API can be a costly endeavor so it shouldn't be something that has to occur frequently.
To incorporate some of the ideas above you could a couple things. For the public/private key read up on http://en.wikipedia.org/wiki/Public-key_cryptography. The basic concept is you store the public key on the device then negotiate a private key after the installation of the application that is also stored on the device (although not coded into the application). This key is the one you have to protect so it should be negotiated on installation and stored with the lifecycle of the application. You could contact an API with a unique hash of the device (say the device ID) and a password that the user could set. In that way if the data is wiped, since the password is stored on the server you can validate that a request to generate a new key is valid for that device ID and also protect against attackers trying to disrupt everyone's keys.
Obviously this is still susceptible to someone intercepting the initial request but if you are using HTTPS (which you should) then it should mitigate most of these issues.
You have to make sure an attacker just cant send in random device ID requests to generate new keys as it would disrupt the actual user's device of that hash, which is why the password set is important. Of course they could also do this against device IDs not currently registered but you could easily implement throttling and blacklisting against the initial API.
There are many things you can do but depending on your sensitive data it may be overkill. You'll have to make that judgement call and figure out who you are trying to protect your data from.
Use a webservice through which to communicate with the database. End User clients generally do not communicate with the database over the internet. Multitier_architecture