Right now we have an Ionic project that is almost finished that comes with a PHP backend. To make the backend a little bit more secure against influences from outside we would like to make the backend only accessible from within the Ionic project (native app). I tried to restrict it by domain but since a native app doesn't have a domain that's not gonna work.
I can't show any code because I'm absolutely clueless on how to approach this.
Thanks in advance
we would like to make the backend only accessible from within the ionic project (native app).
Given the existence of reverse engineering and the futility of DRM, what you're asking for is, strictly speaking, not possible in absolute terms. Anyone can take your app, analyze its code/behavior (usually with freely available tools), and write their own app that communicates with your server.
To make the backend a little bit more secure against influences from outside
Given that the above is impossible, what is your threat model? What attacks are you trying to protect against? You should assume that clients are malicious and validate all input on the server side. If you do that, then you don't need to worry about whether or not someone used your native app to communicate with the server.
Consider the workflow in this article, Building Secure Web Applications in PHP.
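As an added example (not code from the answer or from the question's project), this is what "assume clients are malicious and validate all input on the server side" looks like for a PHP backend that receives JSON from a native app. The field names (sku, quantity, note), their formats and the limits are assumptions chosen for illustration:

```php
<?php
// Added example, not from the original answer: the server treats every
// request as coming from an untrusted client and validates the payload
// itself. The field names, formats and limits are assumptions.
declare(strict_types=1);

/**
 * Validate a decoded JSON order payload. Returns a list of error strings;
 * an empty list means the payload is acceptable.
 */
function validateOrder(array $payload): array
{
    $errors = [];

    // Reject unexpected keys so a client cannot smuggle in fields such as "price".
    $allowed = ['sku', 'quantity', 'note'];
    foreach (array_keys($payload) as $key) {
        if (!in_array($key, $allowed, true)) {
            $errors[] = "unexpected field: $key";
        }
    }

    // sku: required, fixed format; anything else is refused before it reaches the database.
    if (!isset($payload['sku']) || !is_string($payload['sku'])
        || preg_match('/^[A-Z0-9]{4,12}\z/', $payload['sku']) !== 1) {
        $errors[] = 'sku must match ^[A-Z0-9]{4,12}$';
    }

    // quantity: must be a real JSON integer within bounds; "3" (a string) or 3.0 are rejected.
    if (!isset($payload['quantity']) || !is_int($payload['quantity'])
        || $payload['quantity'] < 1 || $payload['quantity'] > 100) {
        $errors[] = 'quantity must be an integer between 1 and 100';
    }

    // note: optional free text, at most 200 characters of valid UTF-8
    // (preg_match with the /u modifier returns false on invalid UTF-8).
    if (array_key_exists('note', $payload)
        && (!is_string($payload['note'])
            || preg_match('/^.{0,200}\z/su', $payload['note']) !== 1)) {
        $errors[] = 'note must be UTF-8 text of at most 200 characters';
    }

    return $errors;
}

/**
 * Turn a raw request body into an HTTP status and a response array.
 * Decoding errors and non-object bodies are rejected like any other bad input.
 */
function handleOrderRequest(string $rawBody): array
{
    try {
        $payload = json_decode($rawBody, true, 8, JSON_THROW_ON_ERROR); // PHP 7.3+
    } catch (JsonException $e) {
        return [400, ['errors' => ['body is not valid JSON']]];
    }
    if (!is_array($payload)) {
        return [400, ['errors' => ['body must be a JSON object']]];
    }
    $errors = validateOrder($payload);
    if ($errors !== []) {
        return [400, ['errors' => $errors]];
    }
    // Here the validated values would be written with a prepared statement,
    // e.g. $stmt->execute([':sku' => $payload['sku'], ':qty' => $payload['quantity']]).
    return [201, ['status' => 'accepted', 'sku' => $payload['sku'], 'quantity' => $payload['quantity']]];
}

// Constructed sample bodies, as a native app (or anything else) might send them.
foreach ([
    '{"sku":"AB12CD","quantity":3}',
    '{"sku":"ab12","quantity":"3","price":0.01}',
    '{"sku":"AB12CD","quantity":3,"note":"' . str_repeat('a', 201) . '"}',
    'not json',
] as $body) {
    [$status, $response] = handleOrderRequest($body);
    echo $status, ' ', json_encode($response), "\n";
}
```

In a real endpoint the body comes from `file_get_contents('php://input')`; the point is that nothing about the request is trusted because of where it claims to come from, only because it passed these checks.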
I'm developing a system (o rly?!), a regular system. This system may be considered normal: CRUDs are all over the place. BUT, I also need to access its data as a web service. I'm developing both: the system and the web service, using Laravel 4.
I have controllers, of course, for all the CRUDs on the system so a user can be able to put information on the database. Pretty simple stuff... so far!
As I said: I need to consume data in a web-service format. I need to make requests and record data to the server through a JSON string and REST verbs. That being said, here comes the question:
Should I create a whole new project to access the data as a web service and separate it from the original project (CRUDs), or is this just a stupid idea of mine?
I think this might help with the security and the cohesion of both projects.
Any answer is welcome and thanks in advance! =D
If you are a coder who can easily organise an additional layer into your current app, to create the web-service layer, then do it.
If (like me, and probably most others) you'll just get swamped in a mess of files and folders, and end up changing code which impacts your already existing app - stay well clear! Write a new web-service app!
Separate the concerns, and sleep happy at night that both animals are caged up separately so they can't kill each other.
Although... you are using Laravel. So you can actually create separation quite nicely in one app by using packages (they were called bundles in L3). You still might run into the risk that you mess up some code of your current app, but if you are strict with yourself, you should be ok.
One question to ask yourself is why not just have the app ONLY be a web service, and create clients that meet any needs you want? It does seem odd to have an app being used as a web server and also as a web service. You may run into all sorts of performance problems if you try to do both in the same app.
UPDATE:
For a definitive answer on if you are doing this the right way: I say no, you aren't doing it the right way. Create a web service from your app, and ONLY allow it to be a web service. Then create client apps (web service consumers) to meet any needs you have for displaying the data.
I'm making a web application, it's a kind of online shop using PHP, jQuery, AJAX and JavaScript.
I want to launch my site on only one PC on localhost. How should I set up my site so that it only runs on my single PC?
Even if anybody copies my code files and database files to his/her own PC it should not run on their PC. How to do this?
The one way I know is by using the IP address, but I'm not quite sure whether this method works or not.
If someone gains access to your source code then there is nothing that you can do to stop them.
When hosting it on your own you can prevent external access but beyond that there is nothing you can do.
You can use an encoder script to encrypt your source code, and some of these come with an ability to lock down to MAC address. I think they are all commercial solutions, though; start with IonCube and SourceGuardian. Zend might have something as well.
I would imagine each of these solutions would have comprehensive tutorials on their respective sites. Your workflow is basically to check out a copy of your source code from version control, and encode that folder as part of your build process.
Technically, encrypted code can be reverse-engineered, since the encryption key is built into the code. However, it is a lot of work for someone to do so, and even if they decode it, they won't have your comments or your meaningful variable/method/class names.
Make sure no one gains access to that PC (where your application resides). Only in that case can you protect your application from being run by an unauthorized person. Once you take this security measure then you can easily disable your application from being accessed from any other LAN computers by using your IP. This is how professional servers work, and so should you.
You can change the webserver binding to localhost (127.0.0.1) only.
Alternatively, you can create a filter rule so that the server only accepts remote connections from localhost/127.0.0.1.
With Apache you can do this by .htaccess or directory/server rules.
When you want to share that code, you need to encrypt it with Zend Guard or equivalent tools. There is also some licence management inside it, where you can bind licences to machines.
I recently built a web application for my company, and now they want it to support an offline mode. To complicate things, my company is very concerned about security and does not want me to use Xampp or Mamp. The application handles sensitive data and they think these programs will somehow make the data visible to the outside world (although I'm entirely sure this would be the case).
Anyways, I'm looking for a way to allow my application to run offline, and to also support the following technologies: PHP, MySQL, jQuery. The most difficult part of this is I need to execute PHP code outside of the typical server environment.
Can anyone please give me some advice on how I could implement such a system, and any associated vulnerabilities that I may face in terms of security and data storage?
Assuming you're installing this for an individual user on their machine - your best bet is to install apache/php/mysql, and configure apache to reject connections from any remote IP address.
The environment should be basically identical to your current application, but with only 1 user in the system.
There are some strange points in your question:
now they want it to support an offline mode
Well, that's easy enough - get familiar with html5's offline features
To complicate things, my company is very concerned about security and does not want me to use Xampp or Mamp
Have you deployed your web app on a desktop machine? Or do you mean you are forbidden to use a webserver? Xampp/Mamp are development tools - your public facing applications should be on a machine configured specifically for that purpose with a webserver running apache/nginx/iis/PHP5.4-builtin/whatever you like.
The most difficult part of this is I need to execute PHP code outside of the typical server environment.
How is your environment non-typical? Mike mentions php-gtk - but IMO you shouldn't go down that route unless your requirements are "desktop app" + "absolutely must be written in php" - which is unclear from your question.
any associated vulnerabilities that I may face in terms of security and data storage
Well, anything you put in local-storage on a client (browser) the user can access - just bear that in mind. Don't send sensitive data to what is, from your perspective, an insecure and pseudo-public location i.e. some user's browser cache.
If you want to run html/javascript, you will probably need to run this in a server/client environment because a browser isn't capable of running the php and the php app as a stand alone app needs something to parse the html/css/javascript (it needs the browser for its presentation view).
Best course of action is to put the application onto a server that you control access to. Set the access controls to specific IP addresses only, or even better if you can run it off an intranet behind a firewall where no one outside the network would be able to get to it.
PHP can run on a desktop environment, but the key here is that it won't run the javascript/html you use to display. You could use php with a third party library like php-gtk to make a desktop app that doesn't need a server or browser, but php-gtk doesn't have the best support.
If the application needs to store data for other computers/users to access, then it needs to be on a network. If it doesn't need to do this you might consider using a different programming language geared toward desktop applications so you can keep it entirely offline (such as Java or .NET).
I already know quite a few tricks with Android Java and I have an application that I need to sync with a web application. What it needs to be doing is connect to a server and sync the database and download JPG pictures uploaded by users. The web application should also be for more users, each with his own phone and Android application on it, so it should probably be accessible via login and password.
My problem is that I have zero experience with web applications. All I know is a little HTML. So my question is, how should I start? What language do I use? And what basic structure or principle should my web application have?
Thank you!
I would recommend a PHP - MySQL solution. PHP and MySQL are open source and I know Java can interface with that kind of database. Both languages are well documented and PHP is similar to Java in that it is C-based, so if you know Java fairly well, PHP should be relatively straightforward for you. I would recommend heading over to Lynda.com and searching for PHP Essential Training with Kevin Skoglund. Lynda is a great online video tutorial site and you can access a good amount of the content for free. But if you're serious about developing this web application, I would make the investment (I was, and I did, and I am glad). That's how I learned PHP / MySQL for the most part.
First off, to do any PHP / MySQL development, you'll need to install a server onto your computer, such as WAMP (Windows Apache MySQL PHP - for Windows), MAMP (Mac " " - for Mac), or LAMP (Linux " " - for Linux), where you will be able to begin developing your application. This is your "test" server, or "development" server. For instance, I use MAMP since I am on a Mac. MAMP is free, as are the other versions, but you can pay for an upgrade. For your purposes, start with the free version. Essentially, *AMP comes with the Apache Server software, MySQL database installation, and PHP installation pre-packaged and ready to go with minimal configuration. From there, you can start writing PHP and MySQL and get your project rolling.
As a matter of fact, that title at Lynda.com, PHP Essential Training, will walk you through ALL of the steps I just stated, AND, uses an exercise project of setting up a basic Content Management System to include password protection, user login and authentication, as well as all of the essential PHP and MySQL that you'll need to go along with it. Seriously, check out Lynda.com.
Good Luck!
This is a very open question and you might get a huge range of different answers, none of them perfect. However, I will try to put a simple response.
Have a single server and expose web services from it. These web services will handle the CRUD of the data (I will assume you will use a database and that you have experience with databases).
Web services are a big topic. If you want the simplest web services, and you're planning to use PHP, I will suggest using RESTful with JSON, since it will be very simple.
The web application should be within the same domain/server of the web services, at least for the beginning (if it grows, you can change this architecture), since that way you won't require using JSONP and just stick to standard AJAX (I will now assume you don't know what JSONP is, I will suggest reading: http://remysharp.com/2007/10/08/what-is-jsonp/ which is just the first result I got on Google just now ;)) and it will be easier.
You say you have experience with Android. I will assume you know how to consume web services using Java/Android. In case you don't, here's a sample of how to do it: http://www.codeproject.com/Articles/267023/Send-and-receive-json-between-android-and-php
Please note the PHP code there is pretty dirty, but as a "how to", I think it looks great. Only thing to note is: the sample uses HttpClient, while the preferred method is to use HttpURLConnection ( http://android-developers.blogspot.mx/2011/09/androids-http-clients.html)
Having said this, PHP + MySQL is standard. In the web app, you SHOULD USE HTML. Please, don't use Flash or Java Applets (I smiled a bit by even mentioning Java Applets in here). For all the communication purposes between the web service and the HTML client, I recommend using jQuery ( http://jquery.com/ ) with AJAX.
Don't go with a JSONP API unless you want other websites to be able to use your API.
This is only a quick approach created with the little information you have given. The more (and clearer) information you give, the better the solution that is likely to appear.
I have developed a web based portal using PHP and some part of the site is accessible only by employees. I would like to add an extra security layer so only employees whose PC is authenticated can access the restricted area.
If it was .NET it could be easily done by using ActiveX components but I am not certain about PHP.
Can anyone share hints on how to accomplish this task using PHP?
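As an added example (not code from the answer above or from the linked articles), here is the shape of a minimal RESTful JSON web service in PHP as that answer recommends: a single front controller that maps REST verbs and paths to CRUD operations, accepts bodies only as JSON, and returns a status code plus a JSON document. The resource name (`items`), the in-memory store and the single `name` field are assumptions for illustration:

```php
<?php
declare(strict_types=1);
// Added example, not from the original answer: a minimal REST + JSON front
// controller. The "items" resource, its single "name" field and the array
// used as a store are assumptions; a real service would use a database.

/**
 * Route one request. Returns [HTTP status, array to be JSON-encoded].
 * $store maps id => ['id' => int, 'name' => string].
 */
function route(string $method, string $path, string $contentType, string $rawBody, array &$store): array
{
    // Only /items and /items/{id} exist; anything else is 404.
    if (preg_match('#^/items(?:/([1-9][0-9]*))?$#', $path, $m) !== 1) {
        return [404, ['error' => 'not found']];
    }
    $id = isset($m[1]) ? (int) $m[1] : null;

    // Bodies are accepted only as application/json. A plain HTML form cannot
    // produce that content type, which keeps the API off the form-post path.
    $body = null;
    if (in_array($method, ['POST', 'PUT'], true)) {
        if (stripos($contentType, 'application/json') !== 0) {
            return [415, ['error' => 'Content-Type must be application/json']];
        }
        $body = json_decode($rawBody, true);
        if (!is_array($body) || !isset($body['name']) || !is_string($body['name'])) {
            return [400, ['error' => 'body must be a JSON object with a string "name"']];
        }
    }

    switch ($method) {
        case 'GET':
            if ($id === null) {
                return [200, array_values($store)];
            }
            return isset($store[$id]) ? [200, $store[$id]] : [404, ['error' => 'not found']];
        case 'POST':
            if ($id !== null) {
                return [405, ['error' => 'POST to the collection, not to an item']];
            }
            $newId = $store ? max(array_keys($store)) + 1 : 1;
            $store[$newId] = ['id' => $newId, 'name' => $body['name']];
            return [201, $store[$newId]];
        case 'PUT':
            if ($id === null || !isset($store[$id])) {
                return [404, ['error' => 'not found']];
            }
            $store[$id]['name'] = $body['name'];
            return [200, $store[$id]];
        case 'DELETE':
            if ($id === null || !isset($store[$id])) {
                return [404, ['error' => 'not found']];
            }
            unset($store[$id]);
            return [204, []];
        default:
            return [405, ['error' => 'method not allowed']];
    }
}

/** Glue for a real request: read the superglobals, emit status and JSON. */
function serve(array &$store): void
{
    [$status, $payload] = route(
        $_SERVER['REQUEST_METHOD'] ?? 'GET',
        parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/',
        $_SERVER['CONTENT_TYPE'] ?? '',
        (string) file_get_contents('php://input'),
        $store
    );
    http_response_code($status);
    header('Content-Type: application/json; charset=utf-8');
    if ($status !== 204) {
        echo json_encode($payload);
    }
}

// Constructed exchange, run from the CLI without a web server.
$store = [];
foreach ([
    ['POST',   '/items',   'application/json', '{"name":"first"}'],
    ['POST',   '/items',   'text/plain',       'name=first'],
    ['GET',    '/items/1', '',                 ''],
    ['PUT',    '/items/1', 'application/json', '{"name":"renamed"}'],
    ['GET',    '/items/9', '',                 ''],
    ['DELETE', '/items/1', '',                 ''],
] as [$method, $path, $contentType, $body]) {
    [$status, $payload] = route($method, $path, $contentType, $body, $store);
    echo "$method $path -> $status ", json_encode($payload), "\n";
}
```

The same `route()` function serves both the HTML/jQuery client (via plain AJAX on the same origin, so no JSONP is needed) and the Android client; only `serve()` touches the web server environment, which keeps the routing logic testable from the command line as shown.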
Are you using Active Directory to Authenticate? If so, you can probably tap into the LDAP functions in order to check for a valid authentication. You could also implement some security paradigm like Kerberos in order to achieve this with single sign on.
The easiest thing to do is to add a users table to your database and then build some basic authentication around that.
I would create a whitelist with the IPs of the allowed computers (using $_SERVER['REMOTE_ADDR']), since it's almost the only information that you can obtain from the machine that makes the HTTP request using just server-side scripting.
This should work well for computers inside the company, since they would have IPs within the same range (e.g. 10.100.x.x or 192.168.x.x), or they will use the same gateway for connecting to the Internet.
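As an added example (not code from the answer), this is the "users table plus basic authentication" approach done with PHP's built-in password hashing and prepared statements. It uses an in-memory SQLite database so it runs offline; the table layout and the sample user are constructed for illustration:

```php
<?php
declare(strict_types=1);
// Added example, not from the original answer: a users table with hashed
// passwords. The in-memory SQLite database, the table layout and the sample
// user are constructed for illustration.

function openUserStore(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (
        id            INTEGER PRIMARY KEY,
        username      TEXT UNIQUE NOT NULL,
        password_hash TEXT NOT NULL
    )');
    return $db;
}

function registerUser(PDO $db, string $username, string $password): void
{
    // Store only a salted, slow hash (bcrypt under PASSWORD_DEFAULT today), never the password.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function authenticate(PDO $db, string $username, string $password): bool
{
    // Prepared statement: the username is bound, never concatenated into SQL.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a fixed dummy hash when the user is unknown, so the time
    // taken does not reveal which usernames exist.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);
    }
    $verified = password_verify($password, $row ? $row['password_hash'] : $dummyHash);
    if (!$row || !$verified) {
        return false;
    }

    // Transparently upgrade the stored hash if the default algorithm or cost changed.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return true;
}

// Constructed usage.
$db = openUserStore();
registerUser($db, 'alice', 'correct horse battery staple');
var_dump(authenticate($db, 'alice', 'correct horse battery staple'));
var_dump(authenticate($db, 'alice', 'wrong password'));
var_dump(authenticate($db, 'nobody', 'anything'));
```

After a successful `authenticate()` the script would start a session and call `session_regenerate_id(true)` before storing the user id in it; the restricted pages then check the session rather than re-sending credentials.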
If you need to allow access to roaming laptops, then this method will be almost useless unless they have static IP addresses.
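As an added example (not code from this answer or from the earlier one that suggests accepting connections from 127.0.0.1 only), here is the `$_SERVER['REMOTE_ADDR']` allow-list in PHP. It covers both cases those answers describe: the localhost-only case (127.0.0.1 and ::1) and company ranges such as 10.100.x.x or 192.168.x.x written as CIDR prefixes. The specific ranges are constructed placeholders:

```php
<?php
declare(strict_types=1);
// Added example, not code from either answer. Implements the IP allow-list
// those answers describe, for IPv4 and IPv6. The ranges below are constructed.

/** True when $ip (IPv4 or IPv6) lies inside $cidr, e.g. "10.100.0.0/16", "::1/128" or "127.0.0.1". */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    if (filter_var($ip, FILTER_VALIDATE_IP) === false
        || filter_var($net, FILTER_VALIDATE_IP) === false
        || ($bits !== null && !ctype_digit($bits))) {
        return false;                                   // malformed address, network or prefix length
    }
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    if (strlen($ipBin) !== strlen($netBin)) {
        return false;                                   // IPv4 address against an IPv6 range, or vice versa
    }
    $maxBits = strlen($ipBin) * 8;                      // 32 or 128
    $bits = $bits === null ? $maxBits : (int) $bits;    // a bare address means a single host
    if ($bits > $maxBits) {
        return false;
    }
    // Compare one byte at a time under the mask derived from the prefix length.
    for ($i = 0; $i < strlen($ipBin) && $bits > $i * 8; $i++) {
        $remaining = $bits - $i * 8;
        $mask = $remaining >= 8 ? 0xFF : (0xFF << (8 - $remaining)) & 0xFF;
        if ((ord($ipBin[$i]) & $mask) !== (ord($netBin[$i]) & $mask)) {
            return false;
        }
    }
    return true;
}

/** True when the address matches any entry of the allow-list. */
function isAllowed(string $remoteAddr, array $allowList): bool
{
    foreach ($allowList as $cidr) {
        if (ipInCidr($remoteAddr, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Call at the top of every script in the restricted area. REMOTE_ADDR is the
 * address of the TCP peer as the web server saw it, so a client cannot change
 * it by sending a request header. If a reverse proxy sits in front of PHP,
 * REMOTE_ADDR is the proxy's address and the check belongs on the proxy (or on
 * an address header that the proxy itself sets).
 */
function enforceAllowList(array $allowList): void
{
    if (!isAllowed($_SERVER['REMOTE_ADDR'] ?? '', $allowList)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Constructed checks against a sample allow-list.
$allow = ['127.0.0.1', '::1', '10.100.0.0/16', '192.168.0.0/16'];
foreach (['127.0.0.1', '::1', '10.100.7.42', '10.101.0.1', '192.168.1.5', '203.0.113.9', 'not-an-ip'] as $ip) {
    echo str_pad($ip, 14), isAllowed($ip, $allow) ? 'allowed' : 'denied', "\n";
}
```

For the localhost-only deployment the list shrinks to `['127.0.0.1', '::1']`, which duplicates in PHP what binding the web server to 127.0.0.1 already enforces; doing both is a reasonable belt-and-braces arrangement. As the answer notes, roaming laptops without static addresses cannot be identified this way, so the allow-list is an extra layer on top of user authentication, not a replacement for it.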
This likely isn't possible with PHP. You can try to embed an ActiveX control using PHP, but I feel like this would be a better application for desktop software. PHP is definitely not going to be sympathetic. Sorry.