I am developing an android application. It does http communication with a web server. As of now, the web server IP address is hard coded. In the future, if I change to a different server with some other IP address, then I have to change the code. I know that probably having domain name/static address will solve this issue. But since my native app is specific for small devices, I need to find alternative easy solution.
As a solution, I am thinking of storing the key/value pairs in an online store service. So the app can query the online service for server ip and use the configured value. If IP changes, then I need to do modification in online service and need not change the app code. Is there any service which suits to my purpose?
Also are there any other better solutions to my requirement?
You can use keyvalue.xyz. It is cloud key/value store service with REST API.
Disclaimer: I have developed the system.
You might be interested in kvdb.io. It's a key-value store like DynamoDB or Redis, but with a much simpler REST API that you can use from Curl, jQuery or anywhere you can make an HTTP request.
Disclaimer: I built the service.
Your requirements really sound like dynamic dns, but to be specific on the key/value store, what about having some object storage on Amazon S3?
Overkill? Or maybe you don't want to spend money?
The good thing is that you would get a REST interface to your objects, so it works quite easily from an application point of view (Amazon SDK).
Sounds like you might want to look at a dynamic DNS hosting service. The service would handle the DNS updates if your IP address should ever change. Read up on
DNS on wikipedia or this great explanation on godaddy.com
Related
I have a GAE project and I would like to make requests to an external server. The server needs to whitelist the IP address but GAE works with dynamic IP addresses and the list is too long. I have been looking at 2 options:
1. Move the GAE project to Compute Engine
My biggest concern about this is the time it would take to move the project to Compute Engine. So far we've been using App Engine for free and we would like to avoid extra costs.
2. Use our domain to make the requests
We could white list the IPs ourselves and receive requests from the GAE project to our domain and then make requests from the domain's static host IP itself to their server.
For this option I'd also like to know if transferring the domain to GAE has any advantage. Will the outgoing requests from GAE through the transferred domain be made through the domain's IP?
Note:
This is largely based on assumption, I am highly inexperienced with networking so if there's anything that could be better expressed please tell me. I tried to search online for a way to do this but couldn't get to a satisfactory answer.
You don't need to think about domains in this context, because you're whitelisting IPs, not domains. And it's not necessary to move the whole project, you need only move that part that makes this requests.
Just create a proxy on any server with a static IP, like micro instance on Google Compute, and do all requests through this server.
As I understand you do all request to the same external server, right? In this case it could be even simpler. You don't need to install a full featured proxy, just install an Nginx on a micro instance (with SSL and some authentication, of course) that will proxy all requests to the target server.
I ended up using RabbitMQ to send messages from Google App Engine to Compute Engine, the compute engine then forward those messages as Http requests.
I am creating 3 applications that are written for different platforms (.NET (C#), Android (Java) and PHP). I'm using C# for the WPF application that is going to run on Windows PCs, PHP on the server side and Java for the mobile app. I am using a MySQL database where I'm storing all the information that 3 apps are going to be using.
I am using web requests to my Apache server (JSON and POST basically) when I need some specific stuff to do with PHP.
But, how safe is:
When I'm connecting to the MySQL database via C# and Java?
When I'm sending GET and POST web requests with C# and Java?
Can you somehow spy on the traffic that is going on between the device (PC / Android device) and the server and find out the user and the password of the database, or even get the post request parameters that the app is sending?
Because I know there are a lot of network-monitoring software and I wouldn't be surprised if this is possible.
If it is, then how to avoid it?
"How secure are Java and C#?" isn't quite the right question, because the answer depends on what you do rather than the features in the languages. They both have plenty of good options for implementing various types of security in various ways. What really matters in your case is how the machines communicate.
Can you somehow spy on the traffic that is going on between the device (PC / Android device) and the server and find out the user and the password of the database
Your clients (the PCs and Android devices) should not be connecting directly to your database. They should submit requests to your server, where you have much more control, and can authenticate clients and validate their data. The server then connects to the DB.
If the clients call the DB directly, not only are the credentials transmitted over the internet, but they must also be present locally on the client in some form. This means that someone could potentially crack your app and get access to them.
or even get the post request parameters that the app is sending?
Yes, these can be intercepted and read. Again, preventing this is a matter of how you implement the communication. Use the HTTPS protocol, which you can do in both C# and Java, and the content of your requests will be protected from being intercepted by third parties along the way.
When your traffic is noticed or intercepted it will be freely interpretatable to the reader. You can see an example of such traffic in the console window of your browser, or if you want to view the actual application traffic use a proxy (such as Fiddler2).
If you want to prevent your traffic from being read, you have to take measures to ensure authorization and access control. You can do this by encrypting the traffic with TLS/SSL. If you have web-endpoints you can often enable https trough the libraries configuration. You may need to pass it as a parameter to the code that builds your connection.
Furthermore, it is best practice not to divulge sensitive information in your application output. You will want to use strong passwords and refrain from storing or sending these in plaintext.
I would also advice you to break down the need for securing in smaller bits.
Example:
You are using a lot of different technologies. These all have best practices and guidelines related to security. Separate your applications from your networking/operational assets. Encrypting your communication is a measure in your application. Whereas your MySQL configuration works in a different way entirely, mostly trough configuration.
Why are you connecting directly to your DB from the Android/WPF apps?
If the MySQL DB is sitting on a secure server, perhaps wrap the database calls/services in RESTful APIs implemented in your PHP solution, then call the APIs from your client apps, this also saves you from writing SQL statements and DB specific tasks in multiple languages (Java/C#)
not knowing your situation makes it hard though...
Currently i have a website offering some product. The webserver sits on the same system as the database and directly accesses it to retrieve the required information for the HTML frontend. Now i think it is good to separate the database from the webserver via an API server. The reason why i want to use an API server is that it might be possible that future applications, other than the website, will need access to the information on the system.
The system which i want should consist of the following components:
A database which will store all the required information.
An API server which will be implemented in Java and should use oauth2 for authorizing user requests. The API server will have the only direct connection to the database.
A webserver.
So basically what i have in mind is that i want to build my website on top of that API server. The user will register/login/... over the website and the website implementation will internally query the API server as a webservice on behalf of the user. The API server would then return the data from the database. That way the HTML frontend is just an application using the API server and will never itself be in direct contact with the database.
I think that this is an often encountered problem for which a good solution exists. I am unsure if this solution is the way to go though. Could you help me out and/or point me in the right direction from here?
Thank you.
As far as I know, it is not advisable to have a separate API server for a couple of reasons: decreasing performance and increasing compexity of a system. So basically you should avoid this type of solution for as long as possible.
You should definitely read M. Fowler: "Enterprise Architecture Patterns" for inspiration.
Returning to your question: have you considered making this API layer as a module (library)?
If I haven't convinced you, try reading Java RMI documentation (http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136424.html)
I have my website(in php) running in Yahoo small business and Application(in java) in Rackspace.com.both server has got mysql database.
I want to query my application database(in rackspace) from my website(in Yahoo) and get the result set.
How to do it?
Please suggest me reference document to do it.
Is it a good idea to directly query a remote database ? means is there any performance issue will rise ?
It's always a bad idea to remotely access data that do not "belong" to your app. In this case, the PHP app should access a set of functions that are exposed on the Java side. This is to make sure that when you upgrade the Java side, you may change the schema of the database without affecting anyone interacting with it.
I recommend you look into Web Services -- there are many methods (eg look for RPC, REST, SOAP), and some might be a better fit for your needs than others.
If you open the database port, it should be easy but unsecure.
If you can access the database port in a secure manner (for example vpn tunnel), it would be easy and secure :)
My suggestion would be to implement the querys as SOAP Services in the Application and access them via PHP. Google should provide enough Results about SOAP in both languages.
AFAIK
if you would like to use the java function from php you should implement the web services in java in any of the web service types
You can access web services from php using the cURL calls
We have come across two apps made on google app engine (java) and we need to establish a secure communication between then. Basically we have:
APP1: "Public" APP that provides data in JSON format based on requests in JSON format. The data is private, subject just to the specific request.
APP2: "Internal/Not public" APP that request data to APP1 in JSON format and needs to receive response in JSON format.
The scenario above is working fine, we have both apps communicating between each other. However, we need this communication to be secure and we need to identify (authorization and authentication process) that is really the APP2 that is requesting data to the APP1.
We have thought of many approaches but we haven't come across a final solution, I was hoping someone has implemented something similar.
1) We thought about using oAuth, building a "Provider APP" and making APP2 subscribing to our APP1 through this provider. The reason for us to have look at this solution, it's that maybe in future we will allow a third party app (APP3) to consume the data from APP1 in a subscription mode.
Regards.
Requests from one app to another will always have the X-AppEngine-Inbound-AppId header set to the AppID of the originating app. This header can't be forged by other apps or external services - it's sanitized by the App Engine system.
As an editorial note, though, it's rarely a good idea to separate your app into two separate apps like this unless you really do have an API that could be used equally well by external services. Organizing your app's responsibilities internally is generally much more efficient and just as effective at separating concerns.
This functionality is now built into the App Engine API. Apps can securely assert their identity to other apps.
ref:
http://code.google.com/appengine/docs/java/appidentity/overview.html#Asserting_Identity_to_Other_Systems