Common encryption and decryption algorithm for Android, iPhone and BlackBerry - android

I am making an application for Android, BlackBerry and iPhone. The application needs to communicate with my Java-based web services. The data should be encrypted when the app and the web service communicate.
Is there any common algorithm which I can use to encrypt and decrypt the data on these three platforms? I have searched the internet but can't find any reliable solution.

The simplest way of doing this would be to use SSL on the web server. So rather than encrypting the data, encrypt the actual connection. You'd just connect to 'https://...' rather than 'http://...'. That's a very standard encryption that every platform can work with, and you don't have to complicate things in your client apps by encrypting the data.
This of course assumes you control the web server, or otherwise can make sure it has SSL enabled.

Related

Please suggest compatible AES encryption and decryption between flutter and ruby based backend

Currently certain sensitive data parameters like user ID and password are transmitted in plain text in my app. I am looking for a solution for encryption-based data transmission (AES) between my app and backend. My backend is based on Ruby on Rails (ROR). I've tried searching for how to achieve this between Flutter and a ROR-based backend, but didn't find any resources. Please help with any available solution or provide links to achieve the same.
Our testing team did a packet capture using the Burpsuite app, and in it they found credentials like ID and password as plain text. How to encrypt that?
You don't need to encrypt data going to your server yourself. Use HTTPS. The S means it uses the SSL encryption protocol. Any data sent over HTTPS is already encrypted. Encrypting it again won't help, and depending on the method can actually make it less secure. And I promise the built-in, peer-reviewed library is going to be far more secure than anything you roll on your own.
If you're not using HTTPS, start. There's a reason why it's become the default; many browsers won't even visit non-HTTPS sites by default. Android won't send plain HTTP data by default either.

How to secure our app

How to secure our app data to prevent hacking in the app/API and protect some sensitive data?
- How to transfer all secure data to another device: for example, I have some special settings in my app on device A; next time, if the user logs in on another device B, I want my app on device B to have all the special settings from device A.
From an iOS app perspective, you need to use cryptographic algorithms to encrypt the data you are transferring. You can use any symmetric or asymmetric algorithm to encrypt the data. But in most cases RSA 256, which is an asymmetric cryptographic algorithm, is used. You should also use HTTPS certificates to make sure your data is secure.
Behind every great mobile app is a great backend, but building a REST API for your app can be a bit daunting if you haven’t done so before. Fear not! I suggest you find a tutorial about how to build your REST API using Node.js, connect it to an iOS or Android app, and handle authentication. Some reasons to use Node.js as a backend:
- It’s easy to work with JSON in JavaScript!
- Node.js is lightweight and easy to get started with.
- Node.js gives you fine-grained control over your requests and responses.

Create WCF https server with android client

I want to connect an Android client to a WCF web service. There are several good guides describing how to do this, but the HTTPS concept is really blurry for me. Here is what I want:
1) A selfhosted WebService communicating over https with an authenticated client.
The user database resides on a SQL Server.
The Service must be a "simple install" for any user to carry out.
The user will install the service on his/her PC and then download the client from Google Play, configuring it using the IP address only.
Problem: it seems impossible to carry this out using WCF, because wshttp looks like it needs a certificate installed on the machine.
A possible way forward would be generating a self-signed cert during install, but how can I then get the cert to an Android client in a user-friendly manner?
2) An Android app published on Google Play which is able to communicate with the service. Data sent to the service will be both simple data types (string and integer data) and large binaries of 3-25Mb.
The user installing the service knows no more than his IP address and must not be bothered with any certificate issues or other technical details. One option might be using message security instead of transport security, but my knowledge is very limited in this area.
Information passed between server and client is of a personal character and may contain passwords including matching sites where the passwords are used, personal info, calendar events etc. It will not contain money transfer orders, credit card numbers or account numbers.
The core functionality of both server and client is more or less already implemented. I now need to secure communication between client and server.
Any recommendation for a good approach to develop this will be greatly appreciated!
The way in which I want to deploy the server service to end users makes it hard to use WCF with SSL.
Other options create other problems. I have now abandoned WCF for this specific project in favor of good old socket programming using Bouncy Castle, SslSocket and a custom protocol. It may be overkill, but it gives me full control over authentication, certificate management and the data being sent.
I'm using SSL with a self-signed cert and override the cert validation method in Android, verifying all data in the cert manually except resolving the host name... enough for me since I use a pre-shared key to encrypt and decrypt data.
Thanks for all help

Securing mobile app - location transfer

I have an HTTPS web service that needs to be accessed from a mobile (iPhone or Android) application. Both are developed by me.
The mobile phone needs to send its location to our server every few minutes - I need to secure this data.
In all the mobile apps that I have developed until now, I wrote web services on the client side and on the data layer and that's it... but I now understand that it is not safe.
My questions are:
1. Is there a more secure alternative to using web services for location transfer?
2. How can I secure the data transferred via WS?
Consider encrypting this data with an asymmetric encryption algorithm like RSA. It is not hard on Android but could be very tricky on iOS.
The important thing is to store only public key on the device. Do not store private key in any form on the device. On iOS you can store a certificate and encrypt your data with the public key in the certificate.
Hope it helps..
If you use HTTPS, data in transit is automatically encrypted. Do not try to invent your own encryption using raw RSA or random code you find on SO/forums. Just set up SSL on your server and be done with it.

What's the best way to implement an application server for smartphone app?

I intend to write a multi-platform smartphone app (currently only iPhone and Android),
which has to send and receive information from a web server I intend to create.
The web server will do all the algorithms, and also handle the DB connection.
My question is how this is best accomplished: which kind of web server technology best fits the scenario and supports connections from various devices?
Basically, I thought about implementing a simple TCP/IP protocol, making the app (on the phone) the client, and the server on the web the other side. However, I want to deploy the application to an application server (maybe Google App, JBoss, etc.) and I don't want to be stopped by various firewalls.
Does anyone have an idea?
Edit: a few things are certain: the application server will be written in Java, and the DB will be MySQL.
This is a very broad question and any suggestion about which backend technology to use will depend on your language preferences, your other requirements, etc.
For starters, I'd suggest JSON over HTTP as a transport mechanism: it's easy to parse on both client and server-side, and it's directly usable in Javascript should the need arise. XML is another choice, but it can be annoying to parse.
JSON-over-HTTP (or XML) will be completely device agnostic and won't have the firewall/proxy problems you'll run into trying to do a custom-implemented TCP-based protocol.
For the backend, many folks use MySQL or Postgres for their database, and connect to it from Java, C#, Ruby, PHP, or other server-side languages. Use what you're comfortable with or what you want to learn next.
Why not write the server-side as a regular web application - in whatever technology you like (php, asp.net, java)? This way you can deploy the app on any web server and your client apps on the phones would simply establish a connection to an HTTP server. Normally, firewalls would not be a problem in such situation.
I have used this setup for my apps (both android and iphone) - connecting to a web server app written in php with postgres back-end.
