I am learning how to build android apps. I'm building my first app using PHP and Java, i'm passing the values from Java to PHP using parameters.
localhost/myfile.php?id=GET ID FROM JAVA EDITBOX&name=GET NAME FROM JAVA EDITBOX
I'm inserting and updating using this method.
But i'm afraid about my app security, how can i hide my links? I would like to insert some security technics to prevent a common user from having the access to my links, and insert random data into my database.
I'm sorry about that noob question, but i would like to read more about that.
how can i hide my links
No way because APK file can be de-compiled
I would like to insert some security technics to prevent a common user
from having the access to my links, and insert random data into my
database.
You are allowing Un-authenticated users to insert the records??? If you are doing this, you are doing it wrong (I think)
You should allow Authenticated Users to Insert/Delete/Update records and
Un-authenticated users can Load data only.
Some Security Practices:
Authentication (Login) / Authorization (Permission)
Don't trust any data sent from client --> Data Validation at Server side is required
Use Asymmetric encryption - Public/Private key
Encrypt your data at client side using Public key
Decrypt the data at Server side using Private key
Apply Digital Signature OR MAC (Message Authentication Code) to make sure your data is Integrity & Authentication
Https used
Related
trying to build an Android and Web client that has Parse.com as a backend. User has to be authenticated first to log into the app. If someone gets hold of the Application keys, client keys etc. he can access the app without the authentication with Rest calls. How can this be avoided to restrict the Parse Query to return results ONLY with a user session? Looking for that security measure.
All the Parse Application and client keys (except for the master key) are considered public information and NOT secrets. This is clearly mentioned in the Parse documentation. There is no way to hide them and they will be part of your app/website and they can be easily retrieved by any user. This means any data in your classes with Public read access can be retrieved by anybody.
Parse lets you control the data read permissions ONLY via Class Level Permissions(CLPs) and Access Control Lists(ACLs). If you think these solutions cannot give you the security measures you are looking to implement, you have to disable the public read access to your data completely and implement your own Cloud Functions to retrieve the data from server. This way, you can test the user credentials, permissions, etc before returning any data.
I should develop an phonegap application. I need to encrypt my requests to the server side and then decrypt.
HTTPS is not a solution, because I need to sign requests to be sure that the data is not fake. I can use any async cryptography (the app will generate private/public keys and will send public key to the server). But this way I need to keep my private key on the device.
The question is: how I can keep private key on the device securely?
I can use sqlclipher (to encrypt my local SQLite DB) and integrate it into my phonegap app. Great, but here I have to keep secret key for database :)
var db = window.sqlitePlugin.openDatabase({name: "DB", key: "secret1"});
Any one who have access to the phone can get this secret key. So here I have the same issue:)
Please, give me any suggestions.
Thanks!
p.s. app for iOS and Android
You have to differentiate between encryption and authentication.
First, I suggest to use https to encrypt your messages and transfer them securely.
Second, I suggest to use HMAC for authentication of your messages. It basically works like this:
Generate a secret string known to your app and the server at compile time. You store this secret directly in the source code of your app so it is never transmitted to or from the server. This might be the main difference to your private/public key approach: You compile the secret right into your app instead of writing it later in some user accessible storage. "Right into your app" means in the case of Phonegap NOT in your HTML/JS files but in the native source code! You have to bridge the accessor to javascript if necessary.
Set a user id (=key; long, random!) in your app when the user starts your app for the first time. If you want to authenticate your users, you probably have some kind of login/password mechanism. (Store the user id as well as an HMAC generated from the user id and the shared secret on the device. Every time you read the user id, check it against the hash to be sure that the user id was not spoofed.)
In your App
Include a user id in every message.
Include a timestamp in every message.
Calculate the HMAC hash from a string put together from the message, the server address, the request URI, and the shared secret.
Include the hash value in your request header.
On the server side
Check if the timestamp is valid, e. g. not older than 2 minutes or so. This prevents replay attacks (at least after 2 minutes).
Check in your database if the user id is valid.
Calculate the HMAC hash from a string put together from the message, the server address, the request URI, and the shared secret. Including the request URI prevents people to send the same valid request to another URI on your server; e. g. in REST environments it is a big difference if you send the same DELETE request to /comment/1 or /user/1.
Compare it to the hash value submitted in your header, they have to be equal.
If any check fails, send an error. Otherwise send the response.
There is a chance of getting the shared secret and information about the way how you calculate the HMAC hash by decompiling your source code. I see no way to avoid this risk. ...without diving deeper into native development:
iOS Keychain
https://developer.apple.com/library/ios/documentation/Security/Conceptual/keychainServConcepts/iPhoneTasks/iPhoneTasks.html
Android security features
http://developer.android.com/training/articles/security-tips.html
By default, PhoneGap does not provide the feature of encryption on its own. Devices based on iOs and Android(above Gingerbread version) support full-disk encryption. But this is not available to PhoneGap/Cordova developers.
From the wiki:
PhoneGap is generally limited to the security features of the platform
on which it is running.
Refer to https://github.com/phonegap/phonegap/wiki/Platform-Security
For some JS based solution, give a try at http://code.google.com/p/crypto-js/
I am building a android application within flash builder, that will allow clients to use and access the database within the application, but blocking outside.
The case is to take an encrypted database(to stop client from accessing the information, outside the application), a password (to be hidden from the client) and upload it to a server. Of which the server will be able to use this password to decrypt the database, then I plan to use PHP to manipulate the data.
What would be the best possible way to securely pass the SQLite database and the password in the upload phase?
Use HTTPS for communicating with your server. That will automatically encrypt all traffic. Also keep in mind, that if the client (user) can access the data from the application, and the data is on the device, there is little you can do to keep them from copying and accessing the data outside of your app. As long as the password/encryption key is also on the device, all it will achieve is slow them down a bit.
Create a http API that your application will use. This API will enforce which operations are possible. So the client never sees the DB password, encrypted or not.
I don't really get what you're encrypting the db for. Are you trying to protect against the case where the server gets hacked?
Now other applications will be able to use this API, and it's impossible to stop them. You can just throw as much obfuscation at it as possible, and hope that crackers are too lazy.
Im using MySQL with PDO PHP scripts to maintain a user database and a highscore database.
When a user obtains a new highscore in the Android app, I send it to the server:
https://domain.com/phpscript.php?user=username&newhighscore=highscore
In here username and highscore are variables. Every web browser can access this url. If anyone decompiles my app they will know where my database is located and they can fake their highscore. Obfuscation and encryption for the url is probably not an option since they can always be reversed.
Is there any way I can protect these URLS so ONLY my Android app can access these pages, and not just any browser?
If a call to https://domain.com/phpscript.php?user=username&newhighscore=highscore is all you need to update the highscore for a user, you are in deep sh*t.
You need some sort of authentication - which is what you might mean with "ONLY my Android app can access these pages", here are a few ideas:
On first start of you app call another script to facilitate exchange of some token. Store this token in your app and in your server-sided DB and use it as a verification token, e.g. https://domain.com/phpscript.php?user=username&newhighscore=highscore&salt=abc&auth=xyz with abc being a random salt and xyz something like hash(encrypt("user=username&newhighscore=highscore",key=token,iv=salt)+salt)
use the phone ID as part of the authentication scheme
I am creating an app that requires the user to register with a remote server, but I want to hash their password before sending it off to be stored in my database.
I tried using the jBCrypt library, but it created a long hang time while hashing. Are there any other alternatives? What would be the best (and safest) way to hash the passwords without creating a noticeable hang?
Your approach seems to be wrong. Unless you have some special requirements, the usual way to do this is the following (not Android-specific, for any web application):
When the users register, take their password, hash it (using a random salt is also recommended), and save it in the DB. That is done so you don't save the actual password in your DB.
When the user needs to login, you send the actual password to your webapp (use SSL to avoid sending it in the clear), not the hash. On the server, you apply the same hashing algorithm as in step 1, and compare the result to what is in your DB. If they are the same, the user has provided the correct password.
In short, you should do your hashing on the server, not on the Android device.
Avoid saving 3rd party passwords at all cost. Saving them is considered a form of phishing. Try to save an authentication token instead of a raw password that you can get using a method like OAuth.
If you do need to send a password to a database on a webserver, just use HTTPS. This will ensure safe encryption over the wire. Then you can encrypt the password as necessary in the database. This method also ensures that your encryption mechanism is not on the device itself which can be more easily compromised.