I am actually trying to write a small App where I intend to store the Names and Surnames of users in a Parse Server data base. I would need , for a define user , to read and get the Name and Surname of other users at some point.
I have read that anyone can decompile my APK and extract the App id and the Master Key . For me these values are stored in strings.xml , but I can't understand how I can store them elsewhere , as they are needed to connect to the server.
Is there a way to protect the decompiling in order to preserve the MasterKey? Or should I enforce ACL for those columns (Name and Surname added in the User class) and like read the Name and Surname of other users using Cloud Coud when I need it?
What would be the best practice to do that please?
DO NOT USE MASTER KEY IN A CLIENT APP
If your master key is compromised then your whole parse instance will be compromised. Instead, use class and object ACL to protect your data. If you need special queries that require master key, do it in server-side or cloud code.
Read this doc carefully: https://docs.parseplatform.org/android/guide/#security
There are some universal solution for "protect things inside APK".
Google APK reinforcement.
Related
I want to store a little bit of data on my server that can be accessed easily by anyone. It's for a game I am making and I want to store a few things such as:
Game version (String)
Description (Long String)
News (Array of Strings)
Changelog (Array of Strings)
etc...
I figured that making a whole database and table for this would be overkill. I would like to be able to access the information using various types of media but I at least ant it to work with PHP (web) and Java (Desktop and android). Also the data will be updated and inputted manually by only me but readable publicly so that other websites can use it if they choose. What would I use for this kind of thing?
Extra: I might eventually want to input data manually. Things such as "Players Joined" would be managed by my server and would increment it automatically.So if it can do that too that would be great.
I have decided to use a Database and access the data with MySQL. I already have one for my game so it is a good choice because of that (this means I won't be creating a whole database just for this). I will create a table that will store this data and the table will only have 1 row (ID = 0). I will access it by selecting the row with ID = 0. I will have to create other tables with news and changelogs too.
If you have a similar question to mine, check this out:
http://www.dummies.com/how-to/content/storing-data-with-php-flat-file-or-database.html
It provided some useful advice. Also look into JSON or XML and SQLite.
You might want to check out H2 database. It can run as an embedded database (just include a jar, no extra installation, etc.), is very solid and you can get up and running very quickly.
Is it possible?
I read about SQLCipher, but it seems to encrypt the whole database.
Is there a way to configure it to encrypt only specific parts of it?
A table or a field will do just fine.
In the end I didn't need to use SQLite or any other techniques for encryption, because I found out I don't have to store the app client's secret at all, just the ID which is public.
You could use expand the DBHelper and run certain queries through a simple encryption util like the one noted in this answer.
Or rip out the CrypoHelper from android-passwordsafe written by Steven Osborn.
My app uses a SQLite database for the information. I have a function that checks to see if the folder and database are already present, if they aren't it will go on the internet ( currently I am using dropbox to store the db file ) and download the database and store it on the sd card, then I it will open the database. The database is writable as it lets the user rate an object. I have two questions.
1.) I would love to provide updates to the database and then have my app update the database if the version number is higher and replace the existing one. I have done some research and from what I have found it is possible to store an xml or json file with the version number of and the just parse the information and if the version number is higher download the new database.
Can someone provide an example of how this is accomplished and whether it is better to use xml or json for this task?
2.) Is there a way to save the rating in the new version of the database when the new is downloaded and accessed?
Thanks
two nights ago I wrote something like that.
pack your database structure as an array in a webservice method by reading field names and field types. the structure of array is arbitrary.
call web service method and you must receive a string that represent a JSONArray object, if you sent it as json with json_encode() method in php.
read structure and make CREATE DB query string with for loops.
execute query, so you must have database.
also you can send alot of information with arrays.
introducing each part is hard, so for each part google it.
don't forget to convert field types to match SQLite types such as VARCHAR=>TEXT, smallint=>INTEGER , ...
I'm looking to use Google's App Engine (Java) to provide the backend to an Android messaging app I'm currently writing, I'm just starting out with GAP but have a little experience with Java (through Android).
The first time someone uses the app it will send some sign-up data to the server, this will stored in the GAE datastore, and a unique id returned to the phone (or an error message if something broken).
As I can't see something that looks like key = datastore.giveMeAUniqueKey or datastore.hasThisBeenUsedBefore(key) I guess I'm going to have to generate a random key and see if it's been taken (I'm not that sure how to do that to be honest).
Any ideas (either answers to the specific question, or pointer to useful "getting started" resources)?
Thanks.
If this value is not security sensitive (ie, it's just a user ID and you have some other method to authenticate the phone), just do an insert and take the key of the newly inserted entity. The datastore will assign a guarenteed-unique key automatically if you insert a new entity without providing one. Alternately, you can explicitly request an ID with the allocate_ids call.
If the value is security sensitive (it's a session nonce or something used for authentication), use the SecureRandom class to generate a sequence of random bytes. Do not use this as a key for an entity such as a user object; this would preclude changing the session ID if the user's session is compromised. Have a separate user ID used for that purpose, and use this secure nonce only for the authentication step.
Note that simply looping creating IDs, testing for conflicts, and inserting is not safe without using a transaction; it's easier (and faster, and cheaper...) just to use app engine's built in ID assignment system.
I have a application which require login,but the number of user who use the application is no more than 40. And In the application,I get some data from the sql server database where I juse have read permission,also I can not create a table in the db for user validate.
ALso I do not think it is a good idea to create a user table in other database on another machine.(for example,I can create a user table in the mysql another machine,but is it desireable just for user validating)?
Now I just save the user info in a .properties file,any other good idea?
BTW,the programe language used in my application is java.
I guess it is a good idea to save data in a file as XML. You save encrypted/hashed password in it as well. Every time a new user created append a block something like this
<users>
...
...
<user>
<username>first_user</username>
<password>some_obfuscated_password</password>
<permission>1,3,4</permission>
<otherDetails>some detail </otherDetails>
</user>
</users>
There are standard libraries to parse XML in almost all the languages. Should not be an problem. And, fi anyone sees the file, he can't get the password. You can use salt as well.
Store your data in a file; use operating system locks and unlocks before reads if multiple instances of the program are in use. If it is just one app, you may be able to get by with a mutex setup (synchronized method).