I can edit JavaScript and HTML to modify data which is going to server in web, which cause many things Can someone edit javascript file offline to run malicious code?
But I want to know is it possible in the case of mobile Applications?
Simply can Cross-Site Scripting happen in mobile Applications?
I have applied SSH and I have applied session in server, is it not enough?
Yes they can which is why you need to guard against crafted input on the server.
A simple case would be a post of a form with data that should be numeric. If the validation was only client side, your server would die if someone crafted a response, which is why any validations should always be implemented on server.
The Mobile application servers can be prone to hacking and malicious request attacks as the requests can be modified and sent during the transmission. Simple but not much effective way is to encrypt the response generated by the application before the generation of the actual response/request or End to End encryption this might give security against the sniffing attacks.
For details refer : http://polyarista.tripod.com/
As long as the attacker cannot add his own piece of Javascript code, I think you are safe. Applying SSH and session in server might save you, but you might want to run some penetration tests to be sure.
Related
I am using my own computer as database server and for a simple example; i want to save users registeration informations and check these informations while a user logging in. I am using apache,php and mysql. In order to check users informations I allowed all ip addresses to access my database server. I think this is obviously wrong. What is the true way to accomplish my goal? Which tools should I use?
Yes, it is indeed a little more complicated than allowing everyone to the database server, the problem is not exactly that you are allowing all ip addresses to access the server but what everyone is able to do is the real problem.
Apache, PHP and MySQL is very popular for setting up a database server but it is certainly not the easiest and most secure method if you don't have previous experience setting up this kind of servers
There is alternatives such as Node and Mongo DB which makes the Database Server setup a-lot easier and the documentation is much simpler than using PHP, Apache and MySQL
This is definitely up to you
If you want to continue setting up your server on this enviroment there is a few things you have to consider
Encryption
Brute force attacks
URL manipulation
some other PHP security gaps
You probably want a good encryption for your database using AES from 128 to 256 bits is one alternative
Brute force attacks is when someone want to access your database trying alot of passwords per second, you can prevent this kind of things using PHP
URL maniplulation is tricky since you have to setup "permissions" for each new route you create for example www.mywebsite.com/admin/importantstuff.php should only be accessed when someone is logged in as admin and similar scenarios
There is alot of this covered on this Guide if you follow step by step you should have a pretty solid server up and running
Or you can also see some documenation for MongoDB and you can have a server up and running in an hour or so with most of the security already taken care of, just don't forget to change the root password!
Create a secure login PHP, MySQL
Prevent PHP and SQL vulnerabilities
MongoDB Introduction
Avoid malicious attacks MongoDB
Hope it helps.
I'm developing an android app where I would like to fetch some data (mostly text) from the internet but not necesseraly from a website! I would like to have a server that allows clients to fetch some text data. What kind of server fits my goals the best? Http or maybe simply tcp? I don't know much about http so I don't know if it matches my goals and/or if it handles well a kind of text "database".
Edit:
A use case could be: people could write comments and send them to the server. Then clients could refresh their app by fetching new comments from the server. Therefore I'M asking what kind of server could best handle services and kind offre database if needed.
I like using NodeJS in combination with ExpressJS for such purposes. This combination allows you to easily work with HTTP/HTTTPS which is allowed by practically every firewall or proxy server. As of the latter reason I recommend you to use HTTP instead of an own protocol. Furhtermore, Java offers the HTTPURLConnection client which is very easy to use. Moreover, securing traffic with TLS (SSL) is very simple. In addition, NodeJS is resource efficient, runs on Windows, Linux and even on OS X.
For getting the text you can use HTTP GET request handled by the get() method of the Express instance.
This compact tutorial helped me to get familiar with Express on NodeJS.
Without knowing what your use-case is it's difficult to make a good recommendation.
With that said you may find something like https://parse.com/ suitable.
They provide an Android sdk and the 'getting started' tutorials will have you up and running in no time at all.
I want to make an app on Android using MySQL.
I'm new here, so I first see many other's app design. I find one thing is that if they have to use database, they often use RESTful design, defining some API for HTTP protocol for client/server side communication. And then, there're lots of things to do, like: mapping resources into url, sending/recieving doGet, doPost,.. requests.
But I don't understand. This is an app develop, not a web develop. Why do they have to make an app so much like a web? If I don't want to use phoneGap, HTML5, .. that kind of HTML-based develop, I want to write a native app. And I still want to seperate client and server end in my code, my server side could communicate with MySQL, and my client side display it to user, and they're all written in java. Since they're all java, so I got a native idea:
"why don't I call my server side code directly from my client end?"
Since it's all run on an app, there's no necessarity to map it into a url for user to access. But as I observed, most of people don't do this. So I want to know why they donnot make their app the way I think? Is it for security concerning? Or to reduce debug difficulty? Or for later expansion to other platform like iOS?
I want to know why they choose HTTP based client/server communication.
It's not just about security, because in either way you'd be setting an external Socket to the destination, but also because there's no native way to communicate between you app and MySQL. The most common approach in this way is using a web-service, where you'd implement a HTTP server with some code in your favourite language (PHP, Python...) that would process your requests made by your clients and process them accordingly. This third-party script would communicate with the database.
If you finally choose this approach and you're concerned about security, I'd choose some asymmetric encryption algorithm as TLS, where you could encrypt your messages with the public key and decrypt them in the server side with the private key.
You can share the public key with no concerns, you can simply embed in your code, but you could also put it in your web-server and make your clients download it each time they connect. This way, if some day you change it (because of a Heartbleed situation, for instance), they'll always have the current public key; otherwise, you'd need to update your app if you hardcode the public key in your code.
Some useful links:
Android Encryption with the Android Cryptography API
Create SSL-Socket over SSL-Socket with Client Authentication
How dangerous might be publishing a public key?
The app does not use login username/password feature.. assume whatsapp, or viber.
Howe do these devices make a secure connection to the server and fetch the data, in a way, that even someone else, found out the POSTed data and used them, can not get the info ?
I am using HTTP.
It's a PHP server.
This question is kind of open-ended. Secure communication is often device-independent, based on the protocol stack in use.
From lower- to higher-level:
TCP connection: It may implement SSL.
HTTP protocol: It may implement HTTPS.
GET/PUT operations: You may implement reversible encryption on your payload, like Rijndael. This way, if someone actually gets the POST data, it may be unreadable without the proper decrypt function.
Of course you may combine encryption implementations. Just remeber that you may be adding considerable overhead to the whole process.
I am very new to writing apps so please bear with me!
I am writing an app that needs to communicate securely with a java server (under my control).
Firstly to login to the server, and then send data back and forth. What is the best way of doing this?
My first thoughts was to communicate to a webpage via ssl with the username and password. e.g. login.php with user=xxx and pass=zzz as posted variable. The site returns a random string and saves it in the database.
If the user then stays logged in, this string is saved on the app. This is then sent with every communication. e.g. set_temp.php with string=123456 and temp=20
This seemed easiest to complete, and I have done most of this.
Alternatively, my other thoughts was to go through a sockets approach and commumicate with the Java server directly. Would this be more secure? Is this even possible?
Or are there any other suggestions? How do the big apps like facebook and gmail secure data?
Thanks
Matt
Use SSL protocol. You can create API services on the server and communicate with them. To keep the user logged in use SessionID. Take a look at DefaultHttpClient() class.
I hope this is useful :)
I would use a webservice on your java machine to communicate with. All requests are via HTTPS and you can login the user via the webservice. Also I would add a time limit to the users loggedin session to ensure that he is logged out properly after some time limit.