I have a web-based Android app that uses WebSQL for storage. For some reason, calling openDatabase at one point (in response to a button click), causes a DOMException with the message "SECURITY_ERR: DOM Exception 18".
Note that I am not using PhoneGap.
The main question I'm asking here is: What are the possible causes for a DOMException 18 on openDatabase?
Some more details:
This exception only occurs if the database does not exist yet. If it already exists, it works as expected. The function that makes the openDatabase call is used in another part of the app and works just fine.
What I've tried so far:
Reducing the size of the database - shouldn't be an issue since it's being created by another part of the app.
I've checked the external storage permissions - again, shouldn't be an issue.
I read somewhere that the USB cable being plugged in could cause this issue - not what's causing it in this case.
EDIT:
This is what the command looks like:
db = openDatabase('my_database', '1.0', 'My database description', 5*1024*1024, function() {});
I found that it has to do with the allowed size of the database.
If you try to open a db that is larger than 50mb on iOS, you get this error.
According to the spec the spec , it cause by only two
The user agent may raise a SECURITY_ERR exception instead of returning a Database object if the request violates a policy decision (e.g. if the user agent is configured to not allow the page to open databases).
If origin is not a scheme/host/port tuple, then throw a SECURITY_ERR exception
Related
I had implemented Google Native Ads as given in Native Ads
It is working perfect in all devices except Android 4.x version. The crash log in console is
Non-fatal Exception: java.lang.IllegalArgumentException: Optimized data directory /storage/emulated/0/Android/data/com.myapp/cache is not owned by the current user. Shared storage cannot protect your application from code injection attacks.
at dalvik.system.DexFile.(DexFile.java:100)
at dalvik.system.DexFile.loadDex + 149(DexFile.java:149)
at dalvik.system.DexPathList.loadDexFile + 251(DexPathList.java:251)
at dalvik.system.DexPathList.makeDexElements + 219(DexPathList.java:219)
at dalvik.system.DexPathList.(DexPathList.java:96)
at dalvik.system.BaseDexClassLoader.(BaseDexClassLoader.java:56)
at dalvik.system.DexClassLoader.(DexClassLoader.java:57)
at ir.b + 31(ir.java:31)
at ir.a + 5(ir.java:5)
at iu.a + 1(iu.java:1)
at com.google.android.gms.ads.internal.ag.run + 5(ag.java:5)
at java.util.concurrent.ThreadPoolExecutor.runWorker + 1080(ThreadPoolExecutor.java:1080)
at java.util.concurrent.ThreadPoolExecutor$Worker.run + 573(ThreadPoolExecutor.java:573)
at java.lang.Thread.run + 856(Thread.java:856)
From Above crash it shows as Optimized data directory /storage/emulated/0/Android/data/com.myapp/cache is not owned by the current user. Shared storage cannot protect your application from code injection attacks
I had search related question Android DexClassLoader error, 'optimized data directory .. not owned by current user' but that is too old and not related to Admob. If I remove Native Ad related code then it is running else it crash and simply log above crash.
Please note my app was working good with same nativeAd code before 13th Aug 2019. after that its not working with NativeAd code.
Please help.
It seems some injection attacks happens in your application through the mobile ad contents
Injection attacks happens in the Android apps following cases
1) No or bypassable validation checks
2) File overwrite vulnerabilities, and
3) Code trigger points
The first condition includes the case when
(1) apps do not perform integrity or authenticity checks on downloaded DRU resources or
(2) attackers are able to bypass such validation checks. The second condition indicates the case when the injected payload can overwrite executables.
(3)The third condition is met when there exists a code trigger point where the overwritten files are loaded and executed in the app’s context.
Remote code injection attacks are successful when these three conditions are met.
The attackers Injected payloads are stored in a specified location in accordance with the app’s DRU implementations, usually in the app’s data directory (/data/data/PACKAGE_NAME) or in external storage (such as an SD card).
If the DRU that an attacker targets is the application code update, the injected code is replaced with the existing code resource (e.g., .dex, .jar, or .so) and then loaded and executed when the app triggers the update logic.
This is happens because of server side not in client side.
The mobile ad contains some File Overwrite Vulnerabilities
so that app crashed.
Solution:
Validate the ad content in server side .whether its satisfied google terms and conditions.
For more details refer Large-Scale Analysis of Remote Code Injection Attacks in Android Apps
anybody can explain if it's possible to attach a variable to the proguard crash reports??
I mean something like this:
java.lang.NullPointerException:
at es.com.myapp.dashboardActivity$askForUserBills.doInBackground (dashboardActivity.java) or .onPostExecute (dashboardActivity.java)
at es.com.myapp.dashboardActivity$askForUserBills.onPostExecute (dashboardActivity.java)
at android.os.AsyncTask.finish (AsyncTask.java:660))
**Application Variables: userID="967234112", myJsonObject=null << Something like this...**
In this example I requested "userID" and "myJsonObject"
It will be a great if it's possible, because you can check if your incoming data from a database in a specific user is corrupted, if X is malformed or null, etc...
Thanks all!
use Firebase Crashlyics instead. there you can report whenever you catch an Exception, instead of just logging to log-cat (currently only could find the Android documentation on fabric.io, which will soon be superseded by Firebase Crashlytics):
Crashlytics.log("Application Variables: userID="967234112", myJsonObject=null");
If you know you want to check something it is really easy. Instead of just relying on the code crashing, validate your input data to check if it is null. Then if it is you have a number of options:
use a service like Firebase Analytics to record the error
[not recommended] throw a more detailed exception with an error message
Crashes should only happen because of bugs in your code. You shouldn't be using them to record / trace input validation problems, as that really sucks for your users. Instead, write more robust code, and recover gracefully, while using a logging solution to find the bugs.
I have been using the AWS android sdk(s) to deal with files on S3 inside my android application. There were some issues that were being faced by the users and few of these are related to connection timeouts. While setting up the AmazonS3client in my application, I have set the timeout and the retries using the following code:
ClientConfiguration clientConfiguration = new ClientConfiguration();
clientConfiguration.setMaxErrorRetry(4);
clientConfiguration.setConnectionTimeout(10000); // default is 10 secs
clientConfiguration.setSocketTimeout(15000); // default is 50 secs
Everywhere I read, it says that the maxErrorRetryonly does retries for failed retryable requests. Do the errors related to the connection timeout and socket connection timeout also come under this category? If not, what is the solution for this case? I have been searching for this for quite some time now but did not get any clear answer on this.
Also, I have been facing two specific exceptions which I get in my TransferListener callback. There are:
Unable to store object contents to disk: Read time out (14% of all the users who face any AWS exception face this exception)
Unable to store object contents to disk: timeout (17.4% of all the users who face any AWS exception face this exception)
The above two are the most painful for us. I have been assuming that these occur because of there is no more storage left on the user device. I have been using the application specific directory in the external storage to store the files and now thinking to move these to the cache so that the system handles the cleaning of files if there is no more space left on the device. Do you think this is a good solution assuming that the problem is running out of space on the user device.
What are the other possibilities because of which the above mentioned storage related exceptions can occur?
This error occurs at three places in the SDK, out of which two places are significant and applicable here.
(1) https://github.com/aws/aws-sdk-android/blob/0958a37b4757c41cac40597b973ff417e0b758c4/aws-android-sdk-s3/src/main/java/com/amazonaws/services/s3/internal/ServiceUtils.java#L284
(2) https://github.com/aws/aws-sdk-android/blob/3983fda8c2d8703399ac4e9bf6ec0464d000a5af/aws-android-sdk-s3/src/main/java/com/amazonaws/mobileconnectors/s3/transferutility/DownloadTask.java#L161
I suspect that it is in the (2) which is throwing the exception in your case. This can occur for multiple reasons and storage not available is just one of them.
(1) The S3 object does not exist or the S3 bucket/object does not have the required permissions. Please check on AWS S3 Console if you have the required permissions for your users to access content.
(2) There might be a network interruption during the download. Check if there is proper network throughout the transfer
Check AWS CloudWatch Logs to see if there are any failures in the logs.
While trying to carry out an encryption and decryption process on an Android environment, i have the below log.
com.s.sdk.security.SMException: Error loading Local Master Keys, file:
"/cfg/lmktest.lmk" does not exist. Please specify a valid LMK file, or
rebuild a new one. 09-21 11:56:31.792 16182-16182/com.mpos.sdk
W/System.err: at
com.s.sdk.security.jceadapter.JCESecurityModule.init(JCESecurityModule.java:1785)
09-21 11:56:31.792 16182-16182/com.mpos.sdk W/System.err: at
com.s.sdk.security.jceadapter.JCESecurityModule.(JCESecurityModule.java:159)
The reason why I will want to make use of JPOS is simply because I will want to carry out a financial transaction, which will be used in packaging my message.
For the encryption and decryption of data, I am to make use of this JCESecurityModule which works well on other platform, but not on the android OS.
NOTE: The file location in my android studio is app/cfg/test.lmk
I was able to get this file from the JPOS-master on github found in the jPOS-master\jPOS-master\jpos\src\test\resources\org\jpos\security
i.e the lmk-test
which was been used this way
JCESecurityModule sm = new JCESecurityModule("app/cfg/test.lmk");
I have also tried rebuilidng the lmk file, using the below method
public JCESecurityModule (String lmkFile) throws SMException
{
init(null, lmkFile, true);
}
which can be found in the JCESecurityModule class (JPOS)
was still having same issue in loading the lmk file
Thanks
For the sake of completeness, this was also asked on the jPOS's Google Group, and discussed there. https://groups.google.com/forum/#!topic/jpos-users/X3r_PX7lgd4
The encryption was done by a device which is to be connected to a mobile phone to carrying out transactions, but the device makers actually did it this way to provide end to end encryption which you are circumventing. You don't need jpos in the device. You need it at your centrally deployed servers, where you would use real HSMs.
by Victor Salaman
in JPOS users google group https://groups.google.com/forum/#!topic/jpos-users/X3r_PX7lgd4
but you can still carry out the encryption and decryption using some other Module instead of the JCESecurityModule (if the problem still persist). e.g. using the SunJCE
So, after tinkering with this for a while, I have noticed that the upload() function throws at least the most rudimentary error even if the given upload destination is completely bogus. However, if there's an UNDERSCORE anywhere in the domain (specifically, I need to upload to dev_upload_area.s3.amazonaws.com), like the one I have to upload to, the request doesn't even happen, the uploadFailure function is called with a null error code immediately.
Any help?
EDIT: And yes, access origins are properly set.
I went through the same problem, and I found that RFC stipulates that the underscore is not a valid character in a domain name.
So either you change your url, either you have to modify FileTransfer plugin java source to escape the character.
Sources:
Illegal character in path at index 25
http://forum.soapui.org/viewtopic.php?t=14188
http://bugs.java.com/bugdatabase/view_bug.do?bug_id=5049974