I'm a web developer who is moving into creating mobile (iOS/Android) applications.
As such, what I'm trying to understand is how should I architect the mobile application to access (post/update/delete) data stored on a central server.
For illustration purposes, let's say I am creating a mobile Recipe application (named "MyRecipeApp"). Some recipes I want to share with other recipe users of MyRecipeApp, and some recipes I want to keep private to myself.
In order to share recipes, all recipes (both private and sharable) are stored on a centralized (server) database and the MyRecipeApp accesses that database to fetch that information.
As such, I have a few questions:
With MyRecipeApp, how do I access the database? Do I make my database publicly accessible to that MyRecipeApp can talk to the database? If so, that seems insecure.
Do I hard-code SQL into MyRecipeApp (e.g. SELECT * FROM RECIPES WHERE USER = "John Smith") to access the database to fetch recipes? If so, that seems insecure in the sense that someone could just hack my mobile app and change the SQL to fetch any information.
Do you send the users username/password with each fetch to the database? If so, how are you encrypting the traffic between the database and MyRecipeApp.
What else am I not thinking about in how I should be architecting a mobile application?
Connect through an API (perhaps restful HTTP API).
Don't hard code SQL. Instead, make API calls, passing parameters.
Yes, send authentication information with every request and use HTTPS, or send username and password on first request only and get a session token and use that on subsequent requests, but still use HTTPS.
Consider sending and receiving data in JSON format.
Related
There is already a portal system which is based on the web, and allows the teachers to enter the attendance data. But it takes extra efforts from teachers to write it once on paper and then to update the data on the server.
I am developing an Android application. This app facilitates the teachers to take attendance of students on mobile itself, then upload it to the server, hence reducing the use of pen and paper. Firstly it asks the user to sign in, then it displays the options of various semesters + sections + subjects which are fetched from the central server.
Now, I know how to make the application, I know MySQL.
I want to know what kind of structure is required to make such an
app
How do I connect my app to the local server ?
Is it necessary to use some web based data storage ?
Because I have not enough repotation to comment. I would advice you to use the retrofit libary. It makes rest communication easier. You can include it with gradle and it has many tutorials available.
you will have to use sqLite for local data base in android. you can refer official tutorial for examples
It is not required to use web based data storage as long as you are fine with data being in device itself.
We have an Android application which stores its data in a local SQLite database; primarily for performance, but also to allow for working off-line (as we are often in areas with low signal).
At the moment, the data is stored in encrypted format (passed down from our web servers), but this in itself causes a performance issue, where for example, if we want to search records for a particular "surname", we need to decrypt ALL of the data, rather than using a straight SQL query, to include where surname='Smith'
We cannot (as it currently stands) store the data in a more friendly 'open-format', as it's possible to 'root' the device, take a copy of the MySQL database, open it and read the data.
Is there the means (perhaps someone can provide an example) to either password protect the local SQLite database or somehow apply encryption, so that we can (from an application perspective) have the database available in open format, but so that if any would-be hacker got hold of the device and rooted it ... they would have a hard time reading our data?
I have searched for a suitable solution and cannot find any options for the SQLite database, any 3rd party software or any examples of code that do this.
SqlCipher, this will might work in your case
Remote Storage:
Your data is sensitive and needs to be accessed by the user on the go from different devices. If your app is a good one then the above line will hold true.
Security + Remote access from any device says you maintain your dB on a remote server.
Your flow can be :
User login --> Token --> Auth Token in every call --> Process request and get/put data in/from dB
Local Storage:
Let's say that you only want to store data locally and don't want to store it on the server. For this you can use public-key cryptography
You can use a public Key in your app to encrypt the data and store it. Now, you want to access the data. Request the private key from the server and decrypt it.
Again, to get access to private key you should use some form of authorization (or anyone can access your key).
Without the private key, even if a hacker roots the phone and gets his/her hands on the dB, the data would be useless.
i have an app that has about 20000 data . these data are locally is beside app in sqlite database. i couldn't place data on web because i using map and markers and i feel will be slow in processing. so i have to use local data instead of web.
how can i secure these data in android? additionally i have any web request to a webservice and web database for other works. how can secure sent or received data? i hear about sqlcipher but i don't know how does it encrypt and secure my data. if you can tell me about secure best practices please.....
with thanks...
Just some ideas.
To secure android data in the SQLite database the only and best way is to ask the user to create a password. This password will be used to encrypt data before you store it in SQLite database. Thus if someone steals device they cannot even with root access read the data in SQLite database.
For web services use SSL certificates to encrypt data flowing up and down. This is a rather big topic though. If you are serious about this I would suggest buying a copy of this book called Application Security for the Android Platform: Processes, Permissions, and Other Safeguards .
I want to insert, update, show records from an android app to a database (online) which will be installed on an android mobile.
So,my question is; which database is perfect?
MySQL
SQLite3
Any other
It's impossible to use MySQL in Android. Other SQL types neither. The best way is to use a MySQL database and get the information via PHP. Encode it to JSON in PHP. You can get the Web page in Android and decode it in Android.
Is mysql db is network database
MySQL (like many other database servers including Postgres and Oracle) can be accessed either through a local socket or via TCP/IP. (You also mentioned SQLite, this is a file based database and does not have a network server AFAIK).
There may be libraries for Android that implement a MySQL client, but a few minutes with Google didn't turn any up for me.
Generally speaking, network access to MySQL should be limited to private networks and not end clients anyway.
If you want to access a database from a client application over a network, you are usually better off by building an HTTP based API (preferably one that is RESTful) and letting the client software connect to that. This gives you more control over what clients are allowed to do with the database.
You can build such an API in just about any language you like. If you are working with Android, you might prefer Java. My preference would be Perl. Python is a good option, etc, etc.
which database is perfect?
Nothing is perfect. Giving a recommendation for a specific database would be drifting into "Not Constructive" territory, even if you were more specific about your requirements.
MySQL
Server: db4free.net via TCP/IP
Server version: 5.5.12-log
Protocol version: 10
User: alan89#88.198.43.24
MySQL charset: UTF-8 Unicode (utf8)
Web server
Apache/2.2.14 (Ubuntu)
MySQL client version: 5.1.41
PHP extension: mysqli Documentation
This is my online database and the name is imammuda. In the database there is a table named "Testing".
Now, I have 2 applications which are admin and user. Admin needs to login into the database server then update data, while user just retrieves data or tables from the server.
I was stuck here at how to code the bridge between Android and server.
Well, if you need to communicate directly with the database you can use the MySQL JDBC drivers: there are many many many security problems with embedding direct database access into your app, but that WOULD work (longer dialog at Is it sensible to connect a desktop client directly to MySQL?). You would need to pass the username/password into the app and then you can just use regular JDBC code to talk to the database.
Alternatively you will want to implement some form of HTTP web service to mediate access, perform the necessary data verification and do access control. That is honestly a longer discussion than can be performed in a single answer. As a number of other potential answers describe you will need to look at using HTTP client. Also, you will need to implement a web service in a convenient language: you can see a detailed discussion about writing a database access web service at Writing data into a database using a fully REST web service.
EDIT: interesting option might be http://htsql.org/