Basic Issue: In order to catchup with latest security trend, I need to update to AES-GCM from AES-CBC. Currently, I am using "crypto-js" library for encryption and decryption in my Angular application.
Web Crypto API: I found that Web Crypto API for performing AES-GCM encryption/decryption and the simple HTML, JS POC is working fine as for my requirement.
Problem with Web Crypto API in Angular App: Web Crypto API is promise based and introducing new promise based API into an existing, stable application requires lot of code changes which I am afraid of because this entire shift of approach in Angular app might affect the stability of the Live application and might introduce new critical issues.
So, I request anyone please suggest any of the below,
Any Crypto library which is capable of doing AES-GCM synchronously
Any way to make the Web Crypto API as synchronous which requires minimal code changes
I don't think there is a slam dunk solution for what you are looking for, however here are a few ideas.
There a few libraries that support AES-GCM and are synchronous:
The aes-256-gcm package is one, although you would want to research it's security.
If you are using something like WebPack, you can also use the built in Node Crypto library which can be polyfilled / packed into the browser. See this example. This is a little more complex, but more well-tested / evaluated from a security stand point. I have recently used this approach in VueJS app and it worked just fine.
Unfortunately no, there is no way to make the WebCrypto API synchronous. There is no concept of waiting / blocking the execution event loop waiting for another task to completely within JavaScript.
Related
Looking for an efficient way to implement interceptors in SwiftUI for any HTTP requests made on my app. The App uses JWT's to authenticate and fetch users specific data. As such I want to simplify token management and refresh using an interceptor. Have seen this be done in angular and was wondering if there is a SwiftUI framework or methedology to simplify the implementation.
Thanks!
I have looked into using Alamofire, however the framework looks outdated and I was unsure if it was still valid to use in a production setting.
Overall its been fairly difficult to find up to date resources in regards to this topic which has made it hard to experiment between different solutions.
The problem
I am following a Vue.js 3 tutorial on youtube and I tried to implement the app shown in this video.
Then I started improving it a bit at a time. You can view my project here.
One of the main features I am trying to add is a Hall of Fame component in which you can view the best ten scores of anyone who plays. You can submit your score just after finishing the game. I decided to use Firestore to hold the data.
However, suppose I build the app for production and host it in a server. Then, I can download the whole project on my laptop, change a little bit the logic, and then play it locally on my computer. That way, I can send any type of data to my firestore database (because my credentials are injected in the javascript by Vue). I can then just send the ideal score of 1 ms to hack the game (this is indeed what a friend of mine managed to do).
The question(s)
The question is: how can I prevent this from happening?
Should I make a few changes in the code about the firebase configuration?
Should I use some other way to store the data, and not firestore?
Should I config properly the firestore security rules?
Also, what are the best security practices in JS frameworks like Vue.js (or React, in general) to prevent the insertion of non-wanted data on the client side? How do I manage the connection to a cloud database from such front-end frameworks?
Disclaimer
I learn everything about programming on my own, by watching youtube videos or googling and so on. I am new not only to Vue and Firebase, but to web development in general. Please consider this when answering.
TL;DR;
If the score is calculated on client-side (in browser) you can't secure it.
Anyone can just see the API call being made from the app to the server and replicate that with rest API tool like postman, so you wouldn't even need to download it locally to make changes.
If your game relies on client-side as a source of data, there is no way for the server to ensure that it is un-tampered.
You can try obfuscating the source code and doing client-side data encription, but it's all in javascript so everything is readable.
If you were to implement it in a more secure way, you would have the server trigger an action (as opposed to the script) but then the times would end up being longer because of the data turn-around time. Since the event fired from server to client and back would be reflected, but even then the automated response can be hacked by handling it with a script.
I'm developing an on-site WinRT application and would like to send push notifications when a new update is available (since it's an on-site app, the installation process requires a custom loader rather than the Windows Store app).
However, I'm trying to wrap my head around how such a system should ideally function.
I could obviously create a service which returns the latest version number and the app would periodically poll the service for that info. It would be easy to implement, but it seems like a very ugly approach (the need to send constant requests for the latest version doesn't seem like an elegant one).
I have the power of Azure at my disposal. Obviously a Notification Hub would be the preferred way. HOWEVER, I have no intention of getting a Windows Store account purely to develop a "private" on-site application. So using the Notification Hub is a no-go.
I've thought about using topics. This WOULD work, but every client would probably need to be added as a subscriber. While technically possible, the administrative overhead could be a major issue. I also thought about creating the subscribers dynamically by the WinRT application itself. However the SDK (Azure Messaging Managed) for handling this is too old and always throws an error (invalid date format, which apparently was changed at some point) when creating subscribers. The only "current" package from MS seems to be for the full .NET framework, not the limited WinRT counterpart.
I'm looking for ways around this problem. Either a newer, proper SDK (which can handle listing and creating subscriptions as well as receiving topic), or perhaps a completely different approach to the problem.
Note - I don't need any code just yet. Pseudocode or simply a description on how the communication would work should suffice.
For a limited scale deployment, Service Bus Topics may quite well be a feasible choice. Or you may want to take a look at IoT Hub as an alternative push notification channel.
The new Service Bus client SDK for .NET Standard lives this repo, but we do not build binaries as of yet: https://github.com/Azure/azure-service-bus-dotnet
I am pretty new to stuff related to server and backend services and I want to develop a mobile app with a backend part. I want this backend to serve an ios app, an android app as well as a website.
My concerns today are how does the frontend part communicate with the backend part :
does it work the same way a website works ? (Http request to the server ?)
how does happen the exchange of datas between the frontend and the backend ?
which are the common solutions to my problem ?
is there an efficient way to desing this backend to serve mobile apps as well as a website ?
is parse (https://parse.com/) a good starting point ?
Thanks
Looking at your questions in turn:
does it work the same way a website works ? (Http request to the server ?)
There are many options, but probably the most common, or fashionable, at the moment is to use a RESTFUL interface:
http://en.wikipedia.org/wiki/Representational_state_transfer
Previously, a SOAP based web service might have been the most common choice:
http://en.wikipedia.org/wiki/SOAP
See here for some discussion on why you might use REST rather than the SOAP now:
Why would one use REST instead of SOAP based services?
how does happen the exchange of datas between the frontend and the backend ?
Assuming REST, HTTP is used to transport messages and application data is typically included in XML or JSON forms
which are the common solutions to my problem ?
I think this is covered by the other parts of the question/answer.
is there an efficient way to desing this backend to serve mobile apps as well as a website ?
Thats very dependent on your particular server application, especially its size and architecture. If the server application is broken down into components or parts, and the parts that generate the 'views' or the 'HTML' pages for the web app are distinct and well separated from the 'backend' parts of your server application, AND your application is of a type that the functionality is largely the same whether the end user is using a web site or a mobile and it is just the way the view are generated for the different devices that differs, then an efficient design would be one that keeps as much of the backend common as possible. If the use of the application is very different when used by a mobile client this may not make sense. More generally, an efficient design would keep as much functionality as possible common between the Mobile and Web applications.
It would definitely be worth becoming familiar with the 'Model View Controller' architectural pattern as most of the server side frameworks, as well as many of the Javascript Web client frameworks and even the iOS and (to a lesser extent) Android frameworks use these concepts:
http://en.wikipedia.org/wiki/Model–view–controller
One important considerations whether you need 'push' or notification like functionality on your mobile app. If so you may want to look at some of the common solutions to understand if they meet your needs - probably easiest to start with Apple and Google's offerings to get an understanding, but there are lots of other solutions available also:
https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/Chapters/ApplePushService.html
http://developer.android.com/google/gcm/index.html
is parse (https://parse.com/) a good starting point ?
I am not familiar with this service but you might be better looking at a simple REST based approach first and see if it meets your needs.
To answer your question
is parse (https://parse.com/) a good starting point ?
Yes it is.
But I would recommend you to read well on topics such as
REST services
RESTful services vs SOAP - a good article
REST/JSON vs REST/JSON
Services such as parse are called Mobile Backend as a Service (MBaaS).They are ideal to quickly create web services for mobile developers who have little experience with backend development.
A quick search on google on 'MBaaS' will return many services similar to parse and most offer free developer accounts. (With a certain Number of free API calls per second/app)
I have used Apigee similarly & the open source equivalent is Usergrid.
These services will provide a GUI for the developer to create & deploy services and the services are immediately available.
Separate test & production end points will be available.
In addition to basic CRUD operations, these services will also enable easy social network integration, caching & analytics (Depends on service provider)
Features such as security, scalability are built in by the MBaaS provider(Like Parse).
I am creating a client program that calls various APIs, one of which is the Evernote API, through purely HTTP calls, without the use of any SDKs provided by Evernote. I realize that this makes my life harder, but it makes the lives of the users of my product much easier.
So far I have been able to authenticate with oauth 1.0 to the Evernote server. However, it's not immediately clear how to make the HTTP call after I have the oauth_token.
Where is the endpoint to make API calls to create a note on an oauth-authenticated Evernote user account? What are the url parameters for such a call? Or, what are the requirements to include in such an HTTP request?
Does Evernote use HTTP to make such calls anyway? If not, what do they use?
Do I have to format the note in XML format, or does it accept JSON as well?
Evernote does not have a RESTful API. According to the CTO, it's due to a requirement to shuttle very large amounts of data and HTTP is not efficient. There is a project on github aiming to implement a RESTful API for Evernote.
https://github.com/ttddyy/evernote-rest-webapp
CTO's Reasoning:
http://blog.programmableweb.com/2013/10/03/is-evernotes-restless-api-approach-a-model-for-other-api-designs/
I haven't used Evernote in years and never used the API.
Evernote uses thrift which can be a bit tricky to deal with. This choice is explained in this blog post. I really advise you to use the SDK as it hides all the thrift complexity.
As mentioned above, a rest wrapper is available on github. It seems very cool but it's new and not official. Use it at your own risk.