I want to ask about the security of web application.
I'm developing on web site for an inventory management system by web service.
And wrapping as android application with the webview.
But my client ask the website can be opened in android application only.
I think it is possible with agent header when web server response to request.
But it just a makeshift.
So is there any way to check the website is opened in browser not authorized application?
I used spring boot for web server.
This is not possible. Once you expose an endpoint publicly, you can always try to connect to it with whatever software supporting the protocol (or an analyzer which will reverse-engineer the protocol).
This said, you can make it difficult by obfuscation.
One solution is to use information provided by the client (browser in your case). This is usually the agent header (as you mention) but can also be some fingerprinting. You could for instance detect the size of the screen and make some decisions from there on.
Another solution is to use some secrets (better call them "secrets") to show the backend application (or API) that some specific code is calling. I can imagine that you could bundle the HTML/JS/CSS code in your application, together with a key so only the application owners will be able to send a recognizable traffic (recognized by the backednd).
All of this is more or less difficult to crack but with some layers you will get rid of at least some population which would like to access the site via other means than an app.
Related
Please forgive my (perhaps naive) question, I am still a beginner!
I have a website on asp.net core that is essentially a CRUD website. There are some Razor pages and some controllers. When the user is logged in, they can create and update the data they own (through javascript and said controllers).
Login is organised via Cognito's built-in UI. I redirect the user to it with the [Authorize] attribute on certain controller actions. The token (I think this is what it's called?) coming from Cognito is automatically stored in the browser cookie and is passed between the browser and the backend (controllers and Razor pages). In the backend controllers and Razor pages, I have very convenient methods like User.IsAuthenticated(), and can get claims and fetch cognito:username and similar fields.
The website is working well enough.
I am now working on native mobile apps (Android and iOS), and I am wondering how to deal with authorisation in them as well. I want the user to have the same experience in the mobile app as on the website: they would log into the mobile app and see and edit the data they created earlier on the website, and vice versa. I'm not sure how to implement this correctly. I see several options:
Option 1. Use the AWS amplify framework in the apps. I am sure it will work nicely; but how will I then pass the token to my backend controllers? Asp.net core needs it to build this User object, I understand. I think asp.net core stores it in the cookie appropriately named .AspNetCore.Cookies, but I'm not sure as to its format and whether it'll stay stable in the next releases?..
I'm currently reading about JWT bearer tokens, maybe that's the thing that should be used instead of .AspNetCore.Cookies?..
Option 2. I could "pretend" that the mobile app is the same as the browser and send exactly the same requests as my web frontend does. I suppose this sounds very complex - I'd need to store cookies, follow redirects (to the cognito built-in ui, for example) - I don't know if there is a built-in mechanism? However, in this case the app doesn't have anything to do with cognito, talks only with my backend, and is just following redirects. AppAuth states that Authorizing the user occurs via the user's web browser, so perhaps it can be used here?
Perhaps there are other options that I overlooked; I'm almost sure there is a simple solution I just can't see at the moment. Sorry it's all over the place, this is a very new topic for me. Thank you in advance!
I am developing a voting application based on Android. This app will be used to create user accounts, receive notifications and caste vote.
I want to develop a back-end server for this application which will also have an Administrator interface to create new voting events. I want to know what all options I have to implement this project.
The server must maintain user account records in a secure manner, send out one-time-passwords from email, have sessions implemented for users logging in from the Android App, send out notifications about upcoming events to the app.
What back-end technology, database, parsing(for communication between server and android application), encryption(for secure communication) should I use to make this possible?
I also want to know how would I be able to host this server, both on a local virtual machine as well as on an online hosting.
The scope of your project is far too large if you're wanting sessions, administration views, E-mail integration, encryption, etc., without even knowing how it would all interact, or even what language to use.
As for what languages / services you would need, it varies for each task:
For administration views, you're probably looking at either ASP.NET or PHP with a CMS.
In terms of security, you'd want either MySQLi, or preferably, PDO. Make sure to read up on how to prevent things like LFI, RFI, SQLi, and XSS if you want semi-decent security.
Both ASP.NET and PHP can handle sessions, and they're fairly easy to understand in either language, so that wouldn't be too much of a concern.
While you can send out E-mails directly using scripts like PHP's mail() function, you probably want a system that can easily monitor things like how often users click on certain links, where the people who click the links are located, what campaigns are most effective, etc. For that, you'd want a service like MailChimp, Marketo, or Pardot.
As for how to have the back-end interact with the front-end, you're working with Android, so you're probably working with Java. That means you would be limited to functions like HttpMethod. Having said that, you can create plain HTML applications, or use a service like PhoneGap. In either of those situations, you have AJAX at your disposal, which will make things a lot easier.
For hosting, simply do a Google search for 'web hosting service'. There's literally thousands of decent hosts. Some have better pricing than others, but some have better features. I can't really recommend any brilliant ones, as they all meet different needs. To host locally, you'll want either IIS, or WAMP / LAMP depending on whether you are running Windows or Linux.
If you're not familiar with almost every term that I've mentioned, then the scope of your project is too large, and you'll definitely want to scale back.
I don't mean to scare you off, just making sure you're aware of just how difficult it would be to put all of that together :)
I am new to Android and taking the risk of doing a final year project of building an Android app. I would like to know whether I can create Client-server architecture application in Android. I'd like the front end to be the mobile app. Also, where do you store data (I don't know where to store data exactly) at back end.
Use Restful web Services with json(Ex: WCF in the backend with Sql Server)
For Mobile App, These are useful tutorials http://developer.android.com/training/index.html,
http://www.vogella.com/tutorials/android.html.
Very many, if not most, existing Android apps retrieve data over the Internet and display it (e.g. the StackExchange, Yelp, or Facebook apps). They are clients requesting data from servers and therefore fit into the definition of being “client/server”. I'm hard-pressed to think of an app on my phone that isn't a client to some kind of web service.
If, as your question suggests, you are using HTTP for client/server communication, there is no reason why the client platform (Android) should have any impact whatsoever on the server-side implementation. In the wild, Android clients are served by servers implemented with every conceivable combination of OS, language, and database. Therefore “where do you store data?” is an unanswerable question, as the answer depends entirely on implementation choices that you make on the server side.
I am building a webapp that cannot be put into the app store (security reasons). The webapp needs access to more data than can be held in localStorage or other offline-storage means (let's say up to 1GB of data).
My idea of a solution is to code up an HTTP server for Android and iOS, and then get/post data with AJAX so I can have access to the device's internal storage.
My question is,
Can this be done on iOS and Android?
By 'Can', I mean both technically (is there API access to the required components, and can it be always running in the background) and legally (is it consistent with the terms of service of both the App Store and Android Marketplace).
I don't know much about either platform and the capabilities, but I could figure it out if I was confident that it is possible.
The reason for this is so that large amounts of data can be made available all the time to a webapp, regardless of the presence of wifi or a cell-tower.
Yes
Android examples: How to create a HTTP server in Android?.
iOS examples: iPhone HTTP Server.
For a full app that uses an http server, check out Websharing on Android.
I have been asked to write a mobile android app to interface with a website. When pulling content from the site, I don't think scraping the site would be very efficient. I would like to interface with the database. Think of the scenario as facebook mobile app interfacing with the facebook databases that fuel facebook.com (so there's a mobile app, a web app, and a database in this equation). Would I just create a db account for the mobile app and then every phone using that app would use the same database account (This sounds like a terrible idea imo)? The user will be asked to authenticate in the app before they can start getting information from the it.
In general you don't want to be accessing the database directly via the phone (if that is even possible). The more standard way with mobile clients is to build a set of RESTful APIs that you can invoke via normal HTTP GETs and POSTs. These will present the data in a more lightweight (JSON, XML) way to the app, so that the "decoding" effort is reduced. Authentication is done via standard HTTP AUTH. That's the short version.