I need to store thousands of PDFs on a web-server which need to be secured (encrypted or access permission based?).
I want the only way to access these files to be via an iPhone app which I'm currently making, which is username/password protected. (I usually use php to communicate from the app to the database/files)
Which technologies should I use to protect the files in the first place?
What iOS/php code/frameworks should I use to display them on the device?
Do I need to encrypt the transfer, over ssl or something?
Thanks in advance, Leigh
If those PDF files contains sensitive information you should encrypt them using an unbreakable encryption algorithm, such as AES-256, use mcrypt for symmetric encryption (see php.net/mcrypt).
I would recommend you to popup the default PDF reader of iOS, that would be the most easy way to do it.
Again, if those file are super sensitive or something - Of course, use SSL/TLS. It is recommended to use it anyway.
To display the PDF on your app, you can use UIDocumentInteractionController. See Document Interaction Programming Topics for iOS. Something like:
NSURL *url = ... // the file URL for the PDF
UIDocumentInteractionController *controller = [UIDocumentInteractionController interactionControllerWithURL:url];
controller.delegate = self;
[controller presentPreviewAnimated:YES];
Clearly, you have to specify your view controller as conforming to the UIDocumentInteractionControllerDelegate protocol, and, at the very least, implement the documentInteractionControllerViewControllerForPreview:
- (UIViewController *) documentInteractionControllerViewControllerForPreview: (UIDocumentInteractionController *) controller
{
return self;
}
You can also view PDFs in a UIWebView, but the document interaction controller is probably better.
To encrypt the transfer, you should employ SSL (e.g. use HTTPS instead of HTTP). You obviously should also make sure that you never send/store the password in the clear.
In terms of protecting the files on the server, at the very least make sure that they're not accessible without going through some authorization process. That is, don't just put the files on the web server and then reply upon some application level security to retrieve the URLs. Store the files elsewhere outside the web server's root and control access to the files through your secure web interface. Always assume your URLs can be compromised. Depending upon the level of security required, you might also want to encrypt the files on the server and have the app decrypt them.
For general security concerns, I might suggest checking out WWDC 2012 video The Security Framework. Or WWDC 2011 videos Security Overview and Securing Application Data. Also see the Security Starting Point for iOS document.
Related
I am trying to secure a PHP web application which runs out of a WAMP-style local installation.
Currently, passwords for the app's database are just in the .php files. I thought about encrypting them, but any person can just step through the code to decrypt them pretty easily.
This does not run on a web server, it runs on the user's PC. Has anyone here attempted to secure this type of application, and perhaps shipped a compiled program to return the passwords, or perhaps used an external keystore somehow?
Your thoughts are appreciated.
Clarification: The database is also on the local PC.
There are a LOT of very robust external authentication providers out there. Firebase and OAuth to name a few. Technically speaking, no system is 100% hack-proof, but Firebase and OAuth provide would-be hackers a tough road to success
You can use ENV variable in that case make .env file and store password in that and call the same in application.
You can create environment variable in Apache config file and call from there in your application this is more secure.
There is no way to protect a database connection credentials if you are giving the client / user the source code. Basically if your app can access it and the source code is there for them to use, read, parse then they have the same access as the software does.
I am making a web application and i want it to be secure, so i ll be using SSL and, will hash passwords. But my server is managed by a different company and it's a shared hosting server, they have direct access to database. I want to prevent any possible loss of sensitive information so i am thinking about encrypting all the data in the database.
Is this a good way to keep data secure?
are there any other ways to protect data in database?
I am using PHP, MYSQL, Apache, and Linux
please provide details. also if am thinking in the wrong direction pls tell that too.
Thanks in advance
This is not a big privacy issue
The internet is composed of some few websites / web applications using self hosted solutions with fully personal servers (owned and operated in their own NOC).
Everyone else is using some form or another of shared, virtualized, semi-private, semi-dedicated, collocated hosting. In every case the hosting company has full access to everything, they have physical access to the servers -- no amount of protection can help you there.
Shared hosting might be the easiest to access from the hosting company's perspective. But that's not relevant, their policies should prevent them from operating in bad faith because if they wouldn't it wouldn't really matter if it was the easiest or the hardest to access it would only matter how interesting the data you have is to them (or some random employee of theirs).
Finding a solution to the above non-issue
Some approaches might use:
Mounting an encrypted filesystem as a folder and setting up MySQL to use that folder to store its data;
MySQL encryption functions to encrypt the data in a particular cell or column;
a library on top of SQLite that had an encryption feature which would encrypt the entire database file;
On the other hand if your PHP files would be on the same server and the database decryption password would be stored inside your PHP files, any "intruder" could find it and use it if they wanted it.
You'd have to store the password on a different server or obtain it from the user in order to not have it present inside the local PHP files. This would obviously still be available at runtime; if the "intruder" is a programmer he will be able to retrieve it fairly easily.
I wanted to know if there is a way to build a CMS using no scripting language on the serverside, i.e. only use server to store data?
Theoretically - yes, but you'll not be able to make it secured.
I suppose it depends on what you define as a CMS. If you just want user authentication, displaying web pages, then this is quite possible to do with a static-serving web server (Assuming it supports authentication mechanisms and SSL).
If you want stuff to be searchable, you'll need SOMETHING server side doing the indexing (the actual search can still be done client side by downloading relevant index files). Or tap into Google, but this only works if you have no security requirements.
If you want to be able to upload stuff, your server needs to handle this as well.
Without specifying exactly what you're looking for, there's no way to answer this question.
CMS stands for "Content Management System". It's basically an organized way to store your content, with some productivity tools (UI, workflows, ...)
Your server can be seen as a CMS :
The http server provides various authentication schemes
The http server provides encrypting (via https)
The filesystem allows you to create, read, update and delete files.
The filesystem provides a way to manage user (and even groups) rights on these files.
The filesystem allows you to organize your files in folders
The filesystem even allows you to reference files in several folders (via symlinks)
So yes, you can use your server as a CMS. All you have to do is define rules for your content management :
folders organisation
files naming conventions
files format conventions
...
I have a xml file used by a swf to read and display information, but I would like to protect it from viewing the raw file, but keep swf access to view info.
Is there a way to do this, maybe php, javascript?...
In my opinion any thing that goes to a browser can be hijacked. What your strategy should be is to make it harder to do. Here are possible cases:
To protect your data from being sniffed on the wire use SSL ("https://") for you web service
Implement application authentication like 2-legged OAuth. This will give you a more granular control over what apps accessing your service.
you could use an .htaccess rule (if using an apache server) and prevent direct access...
I have a website developed in PHP. There are 2 classes (in 2 seperate php files) that contain the siteadmin's gmail user id and password (in plain text) and database password (again in plain text). Though none of these classes are displayed on the browser ( like index.php). These files contain only php classes and no html code and the references to those plain text passwords is only through objects of those classes.
Off late, I have started to wonder if this is secure enough? I have tried my best (acting as a malicious person) to try and read the contents of the two said php files but was not able to do so. I am not very conversant with developing secure code, so not sure what should be my approach to make sure that these passwords never get exposed.
Could any one please suggest best practices to develop php code that can contain such sensitive information securely.
Put configurable items in a separate configuration file, above your public web directory
Make sure you have set correct file permissions to your files
Check your web application for local (and remote) file inclusion
Have your server up-to-date
Having your passwords at a safe spot is not the complete solution, you'll need to have your complete PHP application secure, and nobody unauthorized should be able to get root/administrator access to the server.
Firstly, I'd look at using OAuth for accessing GMail if at all possible - it means you don't have to store credentials at all, and provides some level of protection in case your server does get compromised.
I would also look at the answers to this question.
Finally, if your site is on the public internet, it's worth reading up on at least the basics of internet security, and especially securing web applications. There are all sorts of ways things can go wrong. I like the "hacking exposed" books.
Don't store passwords in files, because someone will eventually check that file into source control. Or someone will set a permission incorrectly.
Run the application with its own O/S user account
Put the passwords in an O/S environment variable for the application user (not a system environment variable)