[Q] Phonegap: Store token securely - Web App Development

Hey guys,
I am a web developer and decided to create a mobile application for Android and iOS using Phonegap. Creating the graphical interface isn't a problem, but somehow I need to store 2 tokens and a username (the app receives data from a server and somehow the user has to be authenticated, so the tokens and username get posted every time I request some data from the server). My question: I already heard about localstorage - is this a secure way to store the tokens? A https connection is available, so man-in-the-middle isn't possible. Localstorage is sandboxed, right? So there should be no problem to simply store it in this way. Or am I missing something? I already thought about encryption, but to be honest: Javascript and encryption don't make sense, as you would need to store the secret somewhere and in this case it would be directly inside my JS file...
Thanks for your help!

Yes, localstorage is sandboxed so each app will have its own dedicated space to avoid variable clashes. Though it's by no means secure in the sense that it's relatively easy to view it through external means.
As far as encryption in javascript, this depends on how secure you need it to be. Properly obfuscated JS is almost as difficult to reverse-engineer as Java byte code (though still quite doable if someone is determined enough).
To be more secure you would need to get the user to enter a password/passphrase at the beginning of each session which is only ever stored in memory and used to decrypt the data stored in the local storage using a decent open source encryption library. In this case access to the JS won't be a problem.

You need to define what types of threats you are trying to protect from. Traffic between your device and the server is protected from sniffing and tampering by HTTPS, so no problems there. But all that is local on your device could be examined, reverse engineered, and altered by the owner: local storage, encrypted or not, traffic between app and Android OS, data in RAM memory, etc. I would trust regular web component security features (cookies+HTTPS), as it is considered safe for things like online banking. But I don't think there is a way to protect data from the owner.


Nodo with SQL

Hello there,
I am developing a game for wp7, and I want to have a user login with skills and level. These users and levels I want to read and write from an SQL database.
But until now I found no API to connect. Is there any free solution to implement a database in wp7 (not linq)?
Thank you
Sent from my HD7 T9292 using Board Express
Nope, not in Nodo. You have to use linq-To-XML. This should be perfectly fine for small amounts of data.
If you can wait for Mango you can use a SQL CE database, but you still need to use Linq-to-SQL:
http://msdn.microsoft.com/en-us/library/hh202860(v=VS.92).aspx
Sent from my 7 Pro T7576 using Board Express
I know linq as a local database.
If I understand right linq-to-SQL is a one time sync? So I have to sync linq and SQL in the beginning and end of game.
So I would create for each user a linq db and then all linq dbs would be synced in SQL?
Sounds difficult, but I will give it a try this we
Sent from my HD2 with NoDo using Board Express
win98 said:
I know linq as a local database.
If I understand right linq-to-SQL is a one time sync? So I have to sync linq and SQL in the beginning and end of game.
So I would create for each user a linq db and then all linq dbs would be synced in SQL?
Sounds difficult, but I will give it a try this we
Sent from my HD2 with NoDo using Board Express
Sorry, do you want to connect to a remote SQL database on a webserver, or just store a database on the phone itself? If on the phone itself, you can create one database for each user (Mango only).
If you want to sync with a remote server, you will need to interact with the server using some sort of Web Services. Then the Web Services do the reading/writing to/from the SQL server and send the information back to the phone (you can currently do this in Nodo).
It should not be local, if it's possible.
I want to subscribe on a free SQL host like one of these: http://www.free-webhosts.com/free-mysql-database.php
Then I want to do the user management there and want to update the level and skills of the user who is logged in. A bit like a windows live account with the gamer points.
I would be glad if I can use SQL commands with c#.
I hope it is easier to understand now. Thank you for helping.
Do you have any sample code or tutorial on how to use SQL in wp7? I failed :-D
Sent from my HD2 with NoDo using Board Express
With NoDo, you can't directly access an SQL server.
And even with Mango, I'd be careful doing such a thing, it can really be dangerous on many levels.
The best solution would be to use a web service, which could be accessed from your phone (via the WebClient class) and would handle the dirty work of connecting to the database and executing SQL queries (eg. inserting or retrieving data and outputting in XML format). This way even if you alter the structure of your database you don't have to change a single line of code in the app (that means you'll avoid resubmission), but only the web service code.
As a general suggestion, handle as many things as you can server-side.
SQL Protocols are not really designed to work over slow/unreliable connections like the Internet, especially when it comes to 3G and so on. So it really would be best to encapsulate everything into a WebService to which you then send the Nickname, Game and Score and which allows to get the top rankings as well as a given players rankings.
I guess we won't see the ability to connect to remote SQL Servers through ADO.Net as it most likely would lead to bad user experience anyhow.
StevieBallz said:
SQL Protocols are not really designed to work over slow/unreliable connections like the Internet, especially when it comes to 3G and so on. So it really would be best to encapsulate everything into a WebService to which you then send the Nickname, Game and Score and which allows to get the top rankings as well as a given players rankings.
I guess we won't see the ability to connect to remote SQL Servers through ADO.Net as it most likely would lead to bad user experience anyhow.
I am good in SQL and there are free SQL hosters, that's why I wanted to try it with SQL.
So, the webservice, is this kind of PHP? Can I also get some free hosters for these services?
I found in Google some sample code, but I don't understand where the data will be "stored". Is this going to be like a "cloud app"?
edit: grrr, looking for "free webservices" in Google but I just find free homepage hosting sites
I find this topic really interesting because it tackles something I just can't wrap my head around: getting Windows Phone 7 to interact with a SQL database just doesn't seem like it's been explained in a straightforward enough manner.
For instance, my case is one where I need my app to extract info from a MySQL db stored on my website, parse that data and display each entry as an item in a pivot control. Turns out that no, SQL is not supported natively so I must go out of my way and recode my data into something that WP7 can understand; I read it's XML and that makes sense, so I have designed an auto-updating XML file on my website with data I want fed into the WP7 app. This is a workaround to connecting directly to a SQL database, as it only requires there to be a PHP file periodically creating an XML file with the info I need and it won't expose any SQL connection credentials, etc. I do not manage users on my site, so maybe win98 needs to find a way for WP7 to call a PHP page, send it a user ID or something and then retrieve that user's info. But any way, I think XML can work perfectly as a means to communicate between SQL and WP7 apps.
But, I don't know how to make this XML file populate the pages of my app. In Expression Blend I can import the XML as sample data, but it does this during design time and not at run time. This means that Blend can see my data and display it how I want it displayed, but I can't take this to runtime and have it displayed like that on the phone. So far, I haven't seen a single easy to follow step by step tutorial on how to parse information coming from an XML file on a WP7 app.
Any suggestions on how to overcome this hurdle we both face? I am familiar with web programming, but I know jack sh*t about C#, so Linq is greek to me.
Ok, so did I really get this wrong: that with Mango you get SQL and ports support, so that you can remotely interact with an SQL server with SQL commands pretty much like you would do on a desktop and how you could do with WinMo??
Best practices aside, you still get to do that with webservices?

decent app for protecting files

I am looking for a decent app for protecting/encrypting files.
I tried several apps mentioned in this forum. None of them made me happy.
Thx for the suggestions
Hi,
I would recommend Droidcrypt, and it's going from strength to strength. I believe a trial version is also available.
http://www.appbrain.com/app/droid-crypt/de.atm.android.security.encryption.full
Regards
I can recommend an app with the name APG. It is using the OpenPGP standards (public key system). It is compatible with GnuPG and PGP (the original PC version). It is also running on Macs, Windows, and Linux. So if you copy an encrypted file (can be any kind of file) from the phone to the PC, Mac etc... you can decrypt it there also. It means you do not need to decrypt files on your phone before you move them to your PC, or the other way around, from your PC to your phone. It also has a plugin for K9 mail. So you can encrypt all your emails on the fly, too.
I have tried so many other "crypt tools"; most of them are not safe, or do have software flaws and do store your password. The PGP standard is considered to be unbreakable if you use a strong password, as the encryption is not made with your password but with RSA or one of the professional ciphers like AES, Diffie-Hellman, etc........
I took a look at the recommendation of Mr.Buzzboy. Droidcrypt is really a nice tool. AFAICS it will do all encryption well. A nice feature is the "wipe" capability, which is not included in APK.
Also the system integration is much better than APG. The bad news is it stores and caches the passwords and is not hacker proof; even though it uses AES, the implementation is not professional. However, it is good enough for most users here.
Strong recommendation!!
Hope this info helps
greetings from SiChuan, China

[SDK] Promocodes for your app

Hello!
I'm a software developer from Russia, and made one very popular app in the local market. Very soon I realized that I need an ability to give the licensed version of the app to my friends or reviewers or someone else.
Unfortunately AppHub doesn't provide such functionality (private distribution is a pain in the ass), so I created a webservice for myself.
After two days I realized that it may be useful for other developers, so here it is:
promo.g33k.ru (here I wanted to post the url, but I can't due to low post count. You may find it in my profile->interests)
Now it has:
- JSON/SDK with RSA1024/SHA1 sign for additional security checks
- Binary SDK available
- Russian localization (if anyone cares) (btw, if you can help translating to other language(s) or correct English misspellings - I will appreciate this).
Now this service works in beta mode.
So for developers I have two questions:
1) Is such service useful for you?
2) How to develop it further, in which way?
Not yet clear
I am sorry, but after reading your post and also checking your website I am still not sure what you offer. For me there is just not enough information to understand and then judge the usefulness of your service.
Maybe you could give a step-by-step scenario: Dev does this, then interested user does that, dev then this ...
Ok, I'll try to describe in a little more detail:
1) Developer wants to add the capability of promo codes to his app (to give some specific users the full licensed app).
The first problem is that the developer needs his own server for checking promo code validity (hardcoding is not an option, of course).
2) So, the developer registers in my service, adds his app's guid to his app list and creates a promo code for a specific app via web.
3) Developer adds support for promo codes in his app by:
a) adding a text box for the user to enter the promo code
b) adding a web request to a specific URL for promo code activation
c) adding to his license check a web request for checking whether the current user has activated a promo code.
Benefits for developer:
- Add support for promo codes without owning a server.
- Simple way to give the full version of the program to friends
Benefits for users:
- User may find a promo code for a specific app somewhere and use it to get the full version of the app in a simple manner.
Benefits for reviewers/portals:
- Developers can easily give a promo code for reviewing purposes or as a giveaway for a news post.
Clear now
Thanks for the additional info, now it's clear
Well yes, sounds useful. Properly implemented is probably really easier than Microsoft's "closed beta" mechanism, and of course can be used for other, non-beta apps as well.
The icing on the cake would be a "frame application" as sample code that basically does nothing more than asking for a promo code and then check against the list of valid codes on your server.
Sounds interesting, but how do you ensure security?
chabun, I thought about security and the situation is the same as with the default checking for trial - there is no security. Man-in-the-Middle and direct cracking of the xap will work, and there is no way out. I could use RSA signing against MitM, but cracking the xap is still a very easy option today, so no one really interested will try to use MitM. When the WP8 SDK is out (I believe it will be in several weeks) some developers may implement trial checks in native code - this will be much harder to crack.
As for the server part, there are the following possible problems:
- App ID squatting (same as with domains, someone else could reserve a developer's app guid). Don't know yet what to do with this, maybe think about it later when this happens?
- Promo code bruteforce for an App ID - could be easily avoided via server throttling; if this ever happens I'll add such checks
- Server DDoS - every webmaster's nightmare, I hope this never happens (or my Amazon AWS will pour my purse empty)
rbrunner7, nice idea, I'll add a sample app to the site as soon as possible.
This looks like an interesting concept
Sent from my SGH-i917 using XDA Windows Phone 7 App
Yop, you can never avoid direct cracking... However, RSA signing would be good I'd say, as it will avoid MitM - with MitM you could create simple tools which can be used by every noob out there. Cracking xaps requires some skill and it will need an unlocked WP7 as well.
I can see this working; I have been thinking about something similar also. You can encrypt the data on the device before sending it off to the cloud, you can then verify the encrypted data with a password and compare it to the codes registered on the server. Then link a code to a certain device id (once the code becomes 'registered'); if a certain code is already coupled to a device id and the device is not the same, then the app will jump back into trial mode. Otherwise one can use the paid mode.
This can definitely work and will prevent reselling the codes. Although it requires a server. And users can still hack/patch the app of course, but that will require an unlocked device, so I should not worry too much about it.
Also, to prevent spoofing you can frequently check with the server if this device is legitimately registered.
Marvin_S said:
I can see this working; I have been thinking about something similar also. You can encrypt the data on the device before sending it off to the cloud, you can then verify the encrypted data with a password and compare it to the codes registered on the server. Then link a code to a certain device id (once the code becomes 'registered'); if a certain code is already coupled to a device id and the device is not the same, then the app will jump back into trial mode. Otherwise one can use the paid mode.
This can definitely work and will prevent reselling the codes. Although it requires a server. And users can still hack/patch the app of course, but that will require an unlocked device, so I should not worry too much about it.
Also, to prevent spoofing you can frequently check with the server if this device is legitimately registered.
That's what I thought of... private/public key
chabun, so, for example, how about the following scenario:
For each developer, the server creates a public/private key pair.
When checking the license on the server: if successful, the server encodes the userid with the developer's private key.
When checking the license in the app: the server response is decoded via the public key (hardcoded in the app) and compared to the userId. If ok -> licensed.
You might want to ask @ngreader guys on twitter. They do have this concept implemented in their app.
diverofdark said:
chabun, so, for example, how about the following scenario:
For each developer, the server creates a public/private key pair.
When checking the license on the server: if successful, the server encodes the userid with the developer's private key.
When checking the license in the app: the server response is decoded via the public key (hardcoded in the app) and compared to the userId. If ok -> licensed.
I'm not sure if it would be good to encode the request to the server as well but otherwise it sounds really cool now... I'll use this service when I need this (and tell my friends about it)
Here is one way to do it http://stackoverflow.com/questions/599837/how-to-generate-and-validate-a-software-license-key
wpxbox said:
Here is one way to do it http://stackoverflow.com/questions/599837/how-to-generate-and-validate-a-software-license-key
Well, what they suggest is not as good as diverofdark's service which is a lot more secure and still easy to use for the customers...
Greetings everyone!
Today I updated promo.g33k.ru, now it has:
- more detailed about page,
- SDK now includes RSA1024/SHA1 sign for additional security checks
- Binary SDK available
- Russian localization (if anyone cares) (btw, if you can help translating to other language(s) or correct English misspellings - I will appreciate this).
- Many minor bugfixes.
So, from now this service works in beta mode
diverofdark said:
Greetings everyone!
Today I updated promo.g33k.ru, now it has:
- more detailed about page,
- SDK now includes RSA1024/SHA1 sign for additional security checks
- Binary SDK available
- Russian localization (if anyone cares) (btw, if you can help translating to other language(s) or correct English misspellings - I will appreciate this).
- Many minor bugfixes.
So, from now this service works in beta mode
Thanks! I will check this out
Hey diverofdark
It would be nice if you updated the first post in the thread with all the information. That's the way it's usually done in the forum.
A possible user (here a dev) can read it and, without having to browse the whole thread, he can use your promocode service...
Thanks for mentioning it, I updated the first post.

Completely secure phone

Hi,
the Replicant team made me aware of something.
Replicant is an Android fork ROM that emphasizes security and privacy (e.g. they removed all Google services from Android).
This is their article I'm talking about:
http://replicant.us/2013/11/fairphone/
I think all the software is free now (correct me if it isn't). Links in benkxda's thread.
But what about the modem being embedded in the SoC? I guess that's the case?
That would mean the Fairphone is not completely secure.
So let's make ourselves heard that we would be happy to see the next device without a modem embedded on the SoC.
What the Fairphone has achieved in regard to openness and fairness so far is considerable and great! I'd like that to continue, so that's why I bring this up.
some security possible?
Unrelashade said:
That would mean the Fairphone is not completely secure.
Hi Unrelashade,
Thank you for bringing this topic up. I think complete security is not possible - even the encrypted BlackBerry of chancellor Merkel was hacked.
But "some" security should be possible - and I think the main problem is me: the things I do wrong, the rights I give to apps and the way I do backup and data storage. So I would kindly like to ask you guys for some advice - how can I protect my private data and also my company's data from data-selling companies or a thief?
So I try a combination of:
* active sync of my data (e-mails, contacts, ...) with my own server (egroupware) - no sync with google or other free services
* encryption of phone storage with good password
* possibility to wipe my phone remotely in case I lose it (not tested yet)
* Xposed & Xprivacy to limit data distribution by some apps
Now I have the feeling, that Xprivacy could kill the remote wipe - that would be very bad.
Furthermore, I am not familiar with the settings in egroupware - I did not find the remote wipe function yet or other active sync security features.
And I am missing a good backup method - safe and practical. Finally there may be a lot of things I do not know yet but I should take care of.
Could you help me to improve security in a reasonable way? Could you point me to a how-to with android and the egroupware ?
sidingFP said:
Hi Unrelashade,
Thank you for bringing this topic up. I think complete security is not possible - even the encrypted BlackBerry of chancellor Merkel was hacked
You're right, secure is not the right word. What I mean is that most phones might be used as a remote spying device. There is a way to build them so that this is not possible and that's worth working towards as a goal, imo.
On security with Android in general there are probably a lot of good threads/ websites, e.g. see the posts of the xda portal (news) tagged with "say sayonara" (to google services):
http://www.xda-developers.com/tag/say-sayonara/
To me it sounds like the only step you need to take to protect your data is to uninstall/ not install Google Services. They're deeply embedded into Android but there are people who work for a Google free Android system, see my link from the OP to replicant or e.g. this thread by Marvin
http://forum.xda-developers.com/showthread.php?t=1715375
I'm not sure if the fairphone system that is downloadable is completely free of Google Services, you may want to check that.
The only thing left then is that the Fairphone is still a smartphone with the modem embedded on the SoC. That still makes it possible to be used as a remote spying device (see my OP) if I understand it correctly.

Audit my code please

Short version: I programmed a Windows 8 Oauth app. I didn't know where to post this, but it's mostly done in javascript and HTML so I figured this forum might be best. If others have time, I'd really appreciate it if someone would audit my code. Due to the size of my request, I thought it would be best to post a link to the GitHub repo. If this is wrong, please correct me.
GitHub: https://github.com/mepis/Windows8OauthAuthenticator
Long Version: I use 2-step for a lot of my accounts. The problem is, I'm lazy. I don't feel like getting up to get my phone after I set it down at night. I wanted a metro Oauth app for Windows 8. I looked on the store, but didn't recognize any of the developers. Due to the nature of Oauth, I choose to err on the side of caution and not use the apps. I'm not saying that other devs aren't well intentioned and good devs. I'm just saying that it's a better idea in the name of security that I not use the apps if I can't verify anything. So I decided to write my own.
That leaves another issue though. Due to the nature of Oauth, the token device shouldn't be on the same device you're putting passwords in. I'm choosing to ignore this a bit. I do recognize that tokens shouldn't be stored in plain text though in the Windows storage space. Instead, I push and pull the token from the Windows Credential Manager and the password vault.
I was thinking of running the tokens, labels, and account names through an AES algorithm and then storing that information in the credential manager. This would require a user password on opening the app though. I'm not sure I want to go that route yet, though it would be easily implemented later on.
The mission of this app is simple. I want to offer an Oauth app that is open source and able to be audited by the general public. I want others to have access to a free tool that they can trust and review. I will never charge for this app nor ask for donations. It's also posted under the GNU version 3 license.
At some point, I am thinking about porting this app to Windows Phone.
I'm very much an amateur developer though. I was hoping that others could audit my app, offer suggestions, and point out mistakes. I very much appreciate any help or time that any person is willing to offer.
While you may well get some takers, and some of them might even know what they're doing, you realize you're asking for something that is usually done by people who do this stuff professionally for hundreds of dollars per hour, right? It's like writing up a legal contract and posting it online and saying "do you think this will hold up in court?"
OK, training to be a security engineer doesn't take as long as training to be a lawyer. But there are *more* lawyers than there are security engineers, and our time is very much in demand (yes, I'm a security engineer; no, I will not audit your code for free unless I expect to have a use for it personally).
I'm not even sure what you mean by "OAuth app". OAuth is a standardized protocol (v2.0, RFC 6749, is more accurately described as a framework) for delegated authentication. For example, you've seen how a lot of web sites let you sign in using your Facebook account? That's because they use Facebook as an OAuth provider. The website delegates the responsibility of authenticating users to Facebook, which is handy for them because they don't have to handle passwords and so forth, handy for the user because many users already have FB accounts, and handy for FB because they gain information about what kinds of sites you visit and can use that to target ads. It also has downsides, of course; the OAuth client (web site) has to trust that FB knows what they're doing and to remain available, the user gives FB info they might not want FB to have and also ends up essentially re-using passwords across sites (a bad idea), and FB bears the cost and responsibility of managing all those logins.
Now, to make any authentication scheme (including but not limited to OAuth) stronger, you can add multi-factor authentication (sometimes called two-factor auth or 2FA). The most common way of doing that is using Time-based One Time Password (TOTP, standardized as RFC 6238) security tokens, either in small hardware devices or in mobile apps. Is that what this is supposed to be? Because... that has nothing to do with OAuth.
I have a hard time imagining a situation in which I'd use a TOTP generator written by somebody who didn't know the difference between TOTP and OAuth.
Well, your response thus far has been excellent (I'm not being sarcastic). I need to read more about Oauth then. I must have my definitions and understanding a bit confused.
In actuality, to phrase it better, the application would be a TOTP app then - like Google Authenticator. I used Javascript provided by Google for the TOTP generation. The app itself is rather simple. My biggest concern though is the safety of the tokens. I used Windows Credential Manager to store the tokens on the device. I couldn't find much information about the security of Windows Credential Manager though. That's my biggest concern.
Other than that, thanks for the information. I'm going to do some more reading.
For what it's worth (and without having read your code), it sounds like you're doing OK; TOTP generators are not complex by themselves, and usually the only threat to them is in the secret storage (which you're addressing). Of course, most of them offer things like QR code scanning (as a way to load secrets more easily) and I don't know if you have anything like that or whether there are any security pitfalls there.
