I have a html5 Web View Android application which uses php website . How do I enable the use of website only for people who have purchased the application .I was thinking of a combination of getting the users android device id in combination with php mysql generated id and preventing php site access by using a php library that checks if client is a mobile phone .Perhaps even Google application licensing - I don't know how easy is to get around this by recompiling of application ?Maybe even a good way to hide the url inside Android application.
Where do users purchase the application? How do they get access to your website?
If they purchase your app from Google Play, then you should use some form of authentication/authorization that forces them to sign into your website and establish credentials there and on the device.
Please don't use the device id. That's not particularly friendly, and it opens up a security hole. In addition, it's an inconvenience to users who upgrade (or lose) a device.
A username and password should be sufficient security for most situations. If it isn't in your case, then you could also consider establishing an encrypted key on the device after the user first logs into your site. The key could be based on various values that the user would have difficulty reproducing on a different device.
One must consider the tradeoff of securing against undesired access versus the effort involved. How likely is it that users will give away their username and passwords to allow others to use your site? If you secure something too much, nobody will use it.
Related
I've developed a website with the usual crud functionalities in Codeigniter and MySQL. I'm now tasked with creating a mobile app (with the same functionalities ) in Ionic 2.
To access my database with Ionic, I created a REST api -- which I was able to manipulate smoothly.
My questions are:
How, or can I, use my MySQL users' credentials to log in on my Ionic 2 app?
How can my web and mobile can share the same database?
I've been reading a lot about Fire base,etc. However, my tiny brain is unable to comprehend whatever I read. If anyone can point me to right direction, I would highly appreciate it. Thanks!
When developing an Ionic App you have to think of it as if you were developing a regular website. The only difference is that you have access to native device features with cordova plugins, but the whole flow is almost exactly like in a regular website (it is an angular application after all).
This means you can use your API just like you use it in your website. There is no need to use firebase. (Firebase is kind of like a database itself that you could use INSTEAD of your MySQL backend)
Totally agree with #Andreas. When you build a modern application that supports on the different platforms such as web or mobile, you need to design a standard API and then next step is to build a web application/mobile app to consume this API. And because of all the web/devices are all consuming from the same API, they are interacted with the same database. Unless they are using different API.
Can refer to the image below for easy understanding.
So talk about how authentication and authorization can be done from the mobile app or from the web app. You should take a look at OAuth2. It is a protocol for securing API services from untrusted devices, and it provides a nice way to authenticate mobile users via what is called token authentication.
The workflow will look like below, on both web and mobile app.
A user opens up your mobile app and is prompted for their username or email and password.
You send a POST request from your mobile app to your API service with the user’s username or email and password data included (OVER SSL for sure. If you don't know about it, google it).
You validate the user credentials, and create an access token for the user that expires after a certain amount of time.
You store this access token on the mobile device, treating it like an API key which lets you access your API service.
Once the access token expires and no longer works, you re-prompt the user for their username or email and password.
Reference
REST API from PHP
The ultimate guide for Mobile Security
My iOS app needs to connect to a mysql server. To accomplish this, I'd like to create a webapp that acts as the middleman between the client side apps and the server side database.
My concern is that someone can simply figure out the URL that my app uses and pass their own URL parameters - and since the webapp has no idea whether legitimate data is being sent from my iOS app vs. someone just typing in the properly crafted URL from any web browser, the system will be vulnerable.
Let's say I have a PHP function for marking a user as "verified" (after I send them an email verification code). This is pretty standard stuff, but what's stopping someone from making the same request from a web browser?
Of course, the user that the app uses to make database queries will have limited privileges, so the rest of the database won't be at risk. However, even having users activating their accounts from outside the app would be catastrophic.
The option that I thought of was using https so that even if the user figures out the URL, they won't know the password and wouldn't be able to sniff it since it's encrypted from start to finish. Unfortunately, https can be expensive for a poor college student, so I'd like an alternative if one exists.
As stated before, there is no 100 % security possible. But there are several solutions that put together give great security.
Https
As you point out, this is an important part , as it prevents sniffing.
Sessions
Use sessions and don't allow any request without a valid session ( except the first, that must authenticate the app ).
Fingerprint
Check the user agent and set extra http headers, to get a fingerprint unique to your app. ( Still someone could sniff, but he needed to use curl or similar. )
Obfuscate requests
Build your query string and apply a hash function. The server needs to implement the reverse function. ?43adbf764Fz instead of ?a=1&b=2
Encrypt
This goes a step further. Use a shared secret to calculate a hash. On the server repeat the same. This is already strong security. In order to break, one needs to reverse engineer your app.
Use unique shared secret
You say it is a app for iOS. Upon installation a unique token is generated by iOS. Have your app register this token with your server. Like this you have a strong shared secret unique to each installation, and there would be no way to hack your web app.
I have an open question about my idea. Here's some background:
I'm developing a PHP application for the company I work in. It's meant to be used only by its employees. Every employee has access to our SharePoint portal. Basically the app has to be accessible only for people, that have access to our SharePoint.
I've got an idea to use SP to authorize users in my app. Authorization would be based on downloading a secured file from SP (one for all users), using CURL. If the file is correctly downloaded you're logged in. If it isn't, you're not allowed to access the app (there would be exception handling of course).
So, each person, who has access to SP, would have access to the app. The app and SP are located at different servers.
What do you think about that idea? Will it be safe? Is it a good idea at all?
I've listed some pros and cons that came to my mind...
Pros:
easy to develop
access control is held by SharePoint
users don't have to learn new logins and passwords
IMO it should be safe, because no passwords would be stored in the app's database
Cons / vulnerabilities:
possibility that the file will be accidentally deleted
Cheers,
Zibi
This is not a good idea. You are basically trusting the client to authenticate itself, which is very bad. You must assume that the client code is completely compromised and has been modified by an attacker to bypass your controls.
Generally speaking, "roll-your-own" security is a recipe for disaster. You should take advantage of PHP's built in session tracking mechanism. You can find a good tutorial here if you don't know how to use it yet. Your user's will have to authenticate again, but unfortunately that is necessary for proper security.
Also keep in mind that with your suggested solution there could be no access controls beyond "employee." This is severely limiting in the future if you ever need to provide the ability to restrict users access to resources based on user ID, roles or groups. You'll be much happier in the future if you do it properly at this point in the game.
I am looking to build an API that I can deploy on my servers to monitor system load.
It will report to a central manager server that runs a client to display the information.
The issue I am struggling with is best to secure the API.
What I want is for the client to be the only software that can access the server and retrieve this information but I am unsure how to achieve this using PHP.
I also want the possibility of distributing the API and client for others to use on their servers so I don't want people to be able to access other people data if they are using the API also.
The client is also written in PHP using MySql and has a secure login.
This sounds like you're trying to solve the wrong problem.
I also want the possibility of distributing the API and client for others to use on their servers so I don't want people to be able to access other people data if they are using the API also.
The only right answer to this is authentication. You need to protect your API by giving each user access credentials known only to them.
Your API must never reveal any data that the client isn't allowed to see as per their authentication credentials. Trying to work around this danger by trying to somehow protect the client from prying eyes is not safe - somebody who has access to the client and can observe it running will be able to reverse engineer any traffic between it and the server given enough effort.
If the API is properly secured, it won't matter to you which client tool is used to access it. The requirement to limit API access to a certain program will go away.
if you use SSL, along with authentication (i use 3rd party auth google, fb, etc), create data /reports on the fly and have the data saved in a subdirectory OUTSIDE your web folder (instead of /var/www, /var/myStorage/currentSessionId/), then you basically guarantee the security that you want.
your php will only access a subdir that is named for the session it is running under.
I have written an API for my latest project. Written entirely in PHP, it currently supports web and mobile applications. We would like to expand that to desktop applications as well, but I'm not exactly sure how to enable to user to login through the desktop application, while still protecting the username and password from said application.
There are many brilliant developers on Stackoverflow, so shoot me some brilliant answers!
The application will be developed by 3rd parties, so I want to ensure they aren't able to store usernames and passwords
If the application has to send usernames and passwords, then it has to be able to have access to them, so don't use them inside the application at all.
Use OAuth. This is the solution used by quite a lot of large organisations, including Twitter.
There are many possibilities. What comes to mind:
Issue a Certificate signed by your CA and verify later, eg via the OpenSSL lib or Apache.
Use Public key encryption, eg via GnuPG lib, and grant access only to known pub keys.
Use any kind of Token based authentication or any other two factor authentication..
Just give them another set of API credentials (Secret Key, API Key)
its a desktop application, it has full access to the users keyboard and memory. if the application should have a login form where end users type in their usernames and passwords, the application has this data by definition.
the only solution would be to distribute the login-application yourself which does some sort of toked based authentication and provide the 3rd party applications a login token via your api.
oauth and other singe-sign-on systems on the web usually use an iframe or popup which comes from the system-to-login-to itself. no 3rd party website or application should be allowed to provide this input fields.