I have a xml file used by a swf to read and display information, but I would like to protect it from viewing the raw file, but keep swf access to view info.
Is there a way to do this, maybe php, javascript?...
In my opinion any thing that goes to a browser can be hijacked. What your strategy should be is to make it harder to do. Here are possible cases:
To protect your data from being sniffed on the wire use SSL ("https://") for you web service
Implement application authentication like 2-legged OAuth. This will give you a more granular control over what apps accessing your service.
you could use an .htaccess rule (if using an apache server) and prevent direct access...
Related
I need to store thousands of PDFs on a web-server which need to be secured (encrypted or access permission based?).
I want the only way to access these files to be via an iPhone app which I'm currently making, which is username/password protected. (I usually use php to communicate from the app to the database/files)
Which technologies should I use to protect the files in the first place?
What iOS/php code/frameworks should I use to display them on the device?
Do I need to encrypt the transfer, over ssl or something?
Thanks in advance, Leigh
If those PDF files contains sensitive information you should encrypt them using an unbreakable encryption algorithm, such as AES-256, use mcrypt for symmetric encryption (see php.net/mcrypt).
I would recommend you to popup the default PDF reader of iOS, that would be the most easy way to do it.
Again, if those file are super sensitive or something - Of course, use SSL/TLS. It is recommended to use it anyway.
To display the PDF on your app, you can use UIDocumentInteractionController. See Document Interaction Programming Topics for iOS. Something like:
NSURL *url = ... // the file URL for the PDF
UIDocumentInteractionController *controller = [UIDocumentInteractionController interactionControllerWithURL:url];
controller.delegate = self;
[controller presentPreviewAnimated:YES];
Clearly, you have to specify your view controller as conforming to the UIDocumentInteractionControllerDelegate protocol, and, at the very least, implement the documentInteractionControllerViewControllerForPreview:
- (UIViewController *) documentInteractionControllerViewControllerForPreview: (UIDocumentInteractionController *) controller
{
return self;
}
You can also view PDFs in a UIWebView, but the document interaction controller is probably better.
To encrypt the transfer, you should employ SSL (e.g. use HTTPS instead of HTTP). You obviously should also make sure that you never send/store the password in the clear.
In terms of protecting the files on the server, at the very least make sure that they're not accessible without going through some authorization process. That is, don't just put the files on the web server and then reply upon some application level security to retrieve the URLs. Store the files elsewhere outside the web server's root and control access to the files through your secure web interface. Always assume your URLs can be compromised. Depending upon the level of security required, you might also want to encrypt the files on the server and have the app decrypt them.
For general security concerns, I might suggest checking out WWDC 2012 video The Security Framework. Or WWDC 2011 videos Security Overview and Securing Application Data. Also see the Security Starting Point for iOS document.
I'm using loadVars to load a PHP URL with lots of sensitive information required for the Flash application. Only problem is that URL can be accessed via a web browser which raises security issues if someone gets a hold of this URL. Is it possible to have the PHP page only accessible via my Flash application?
Appreciate the help!
Thanks
No, there is no way to limit a page to a specific app, browser or user agent, since all of those things can be mimicked. If you are passing around sensitive information then you need to do authentication and use encrypted data transfer (HTTPS).
Regardless of how you attempt to make it only accessible from your Flash application, a determined user will certainly be able to view the page also. It can be as simple as proxying the requests through an HTTP proxy like Charles, Firebug or Wireshark.
There are things that can be done to make it more difficult to figure out what the data is from viewing the page directly. For instance, you can encrypt the data or output it as binary. But since SWF is an open sourced format, users can use decompilers or just inspect the ABC (Actionscript Byte Code) to see what is really going on.
The short answer is NO, you cannot protect the information available to the client side (Flash) from being accessible from other clients.
As long as you have a page on HTTP, a determined user can always find a way around any user-agent restrictions imposed by you.
One way to protect the data (other than using HTTPS) is to encrypt it at the server, send it over HTTP and then decrypt it in Flash using as3Crypto or some other cryptography library.
Hope this helps,
I have several programs linked and hosted on my server. I need to protect the URLs from being stolen and placed on other sites because they'll use my bandwidth.
How can I do that in PHP?
Should I just check referrer or do something else?
If you have the binary files on your server, and someone gets the address, you can't use PHP to prevent them from downloading them. You want to protect them at the web server level. Assuming you're using Apache, looking to doing this with custom .htaccess directives.
This question, involving the direct download of MP4 videos, may point you in the right directions:
Disable hot linking or direct download of my videos and only stream the video when it's displayed from a page in my website
If you don't want them downloaded/stolen, then don't put them on your site.
On the plus side, if they are stolen, then your bandwidth will only get used once. Checking referer is easiest to do, and also easiest to bypass/subvert.
If you're concerned that your server is only hosting the files but users who download it don't see where it comes from, you can do the following:
check for the referrer. This can be fooled, however, if you're concerned about links from forums etc., this is an option.
Basically you're checking if the HTTP referer header is set and matches your site's pattern. If not, you could block the traffic, however, if you actually want to offer downloads, I would not block the user.
Instead you can display a download facade-page with your site design and offering the download then. With some session logic, you can allow users to download files.
This can be done to build a much better hotlinking checker than based on http headers as well.
There is this PHP script on my website which I don't want people to be able to run by just typing its name in the browser.
Ideally I would like this script to be run only by registered users and only from within a Windows app (which I will have to provide). Can this be done ?
Alternatively, how can I protect this script so that it can only be called from a specific page or script?
Also how can I hide the exact URI from appearing on the address bar?
Thanks !
If you are running Apache for your webserver, you can protect it with a username/password combo using .htaccess. It takes a little configuration if your server is not already configured to allow .htaccess. Here are the Apache docs.
If you need authentication based on application-specific factors, you can put something at the top of your script like
<?php
if(!$user->isLoggedIn()) {
// do 404
header('HTTP/1.0 404 Not Found');
}
Do you have a question about how you would implement isLoggedIn?
You can also use mod_rewrite to rewrite URIs, and those directives can go inside your .htaccess as well. mod_rewrite can rewrite incoming requests transparently (from the browser's perspective) so a request for /foo/bar can be translated into secret_script.php/foo/bar. Docs for mod_rewrite.
However you decide to implement this, I would urge you to not rely solely on the fact that your script's name is obscure as a means to secure your application. At the very least, use .htaccess with some per-user authentication, and consider having your application authenticate users as well.
As Jesse says, it's possible to restrict your script to logged in users. There are a large number of questions on this already. Search for PHP authentication.
However, it is not possible to restrict it to a single application. It is fairly simple to use a program like Wireshark to see exactly how the program logs in and makes request. At that point, they can reproduce its behavior manually or in their own application.
There are a variety of different ways that you could go about securing a script. All have pluses and minuses, and its likely that the correct answer for your situation will be a combination of several.
Like mentioned, you could lock down the account with Apache...it's a good start. Similarly, you could build a powerful 'salt-ed' security system such as this: http://www.devarticles.com/c/a/JavaScript/Building-a-CHAP-Login-System-An-ObjectOriented-Approach/ If you use SSL as well, you're essentially getting yourself security like banks use on their websites--not perfect, but certainly not easy to break into.
But there are other ideas to consider too. Park your script in a class file that sits inaccessible via direct URI, then do calls to the various functions from an intermediary view script. Not perfect, but it does limit the ways that someone could directly access the file. Consider adding a "qualifier" to the URL via a simple get--have the script check for the qualifier or fail....again, not a great solution on its own, but one additional layer to dissuade the bad guys. If you have control of who's getting access (know exactly which networks) you could even go so far as to limit the IP's or the http referers that are allowed to access the file. Consider setting and checking cookies, with a clear expiration. Don't forget to set your robots file so the browsers don't stumble upon the script your trying to protect.
A while back my company did a membership app using Delphi on the front end, talking to php and MySql on the backend....it was a bit clunky given that we were all web application developers. If you're so inclined, perhaps Adobe Flex might be an option. But ultimately, you'll have to open a door that the application could talk to, and if someone was determined, theoretically they could dig through your app to find the credentials and use them to gain instant access to the site. If you're going the desktop app route, perhaps its time to consider having the app avoid talking to an intermediary script and do its work on the local machine, communicating the db that sits remote.
you can use deny access on .htaccess on a folder with a php authentification that will redirect to those php file
I'm making a members area for my site and I have it already running. I authenticate members using mysql and php and this works really well.
But now problems occurs, I would like to offer members a possibility to upload files to the systems, and those files should be available ONLY to logged in members.
I know I could store those files to a database or even in a filesystem and serve them throught php, BUT this will get very heavy for the server when members upload bigger files. Those files might be even 20MB or even bigger.
I would like to let apache serve the files, but just need to find a way to automatically do the http authentication, so users wouldn't need to log in twice. I suppose it is ok to make this http authentication behind one username and password, something like when a user logs in to the php and mysql authentication, transparently at the same time javascript etc. would do that http authentication also, every member would do the http authentication with the same credentials. Of course I wouldn't want to store those http auth credentials in a javascript file, but something ajax like solution maybe would do the trick. I'm just not sure how to do this.
It seems like you are confusing authentication (where you provide some way to login) with HTTP authentication (where you specifically use the HTTP protocol to authenticate, and the browser shows a popup to the user).
You probably want the former so you can style the login page. In that case you'll have to use PHP or some scripting langauge to check that the user is logged in. fpassthru or readfile can be good solutions for some web sites; they're fast and optimised for this type of work.
If you really want to do the file handling work in the web browser and not in PHP, one solution can be to create unique, short-lived filenames. You can for example create hard links to the file in PHP using link and then redirect the user to the temporary filename. Store the hard links in a database and remove them after a short while.
Check out Using PHP/Apache to restrict access to static files (html, css, img, etc). I think the approach taken there is pretty similar to your problem.