I am looking for ways to secure both ios/android and guard against Jailbroken/rooted devices,
Can you advise/suggest libraries that you have actually used in
production?
Is Certificate pinning worth doing? Looks like it can be
easily bypassed
Unfortunately there is nothing out of the box in XamarinForms/Essentials
Thanks for any advice
Related
I don't know if my app will work in China and I don't know how to test it. I had read somewhere that there's a firebase Chinese domain .cn in operation. Is there a possibility to transfer the current project to the Chinese domain and make it work, if it doesn't already?
If I create a new project and select the Chinese servers for my firebase services then will it have any other adverse consequences for the rest of the world? This solution would literally force all the developers to have the firebase servers located in China, just so they don't miss out out on their Chinese user base, which I assume could be an issue to some.
I might not have the best ideas but any suggestion and a workaround would be appreciated.
There isn't a simple way to do that. Indeed, trying to set the servers there might a be way, but it's not a guarantee, since China Firewalls are constantly changing. You can try some onlines tools as this one here to verify if your domain is blocked, by adding the URL of your application.
Besides that, the best option is the one clarified in this other post here. You would create an API in Heroku and make the data and calls from Firebase go over this API, so it would make the connection. Another option you may try is using a proxy server - as very well explained in the article Firebase: Accessing Firestore and Firebase through a proxy server - so it gets complied and it's possible to be used in China.
The usage of VPN is not a very good option, as not of them work in China and the ones that work can easily vary, also, this could impact the usability, since it might affect performance and usage for the users there.
To summarize, there isn't a specific and fully correct answer to using Firestore in China, due to the fact that updates and changes on their rules are regular, but these are some alternatives that you can give it a try. It's more about trying the one that would be less damaging for your use case.
Let me know if the information helped you!
Might be helpful for someone...
There is a Firebase alternative for China - Huawei Mobile Services. It contains services like Auth Service, Cloud Functions, Cloud DB, Crash, Push Kit, Ad Kit, and many more...
What are websites methods of collecting audio fingerprint? Is it by JavaScript or Java applets or flash plugin?
How to counter it?
Does it work on Android?
You can block them with permission settings
For websites there might be a security risk when using lesser known or less secure browsers. But Chrome for example allows you to manage permissions per domain or stop it all together:
https://support.google.com/chrome/answer/2693767?co=GENIE.Platform%3DAndroid&hl=en
https://ccm.net/faq/30701-prevent-websites-from-accessing-your-camera-and-microphone-on-google-chrome
On Android apps, apps need to explicitly ask for microphone access before recording anything:
https://www.avg.com/en/signal/guide-to-android-app-permissions-how-to-use-them-smartly
https://www.psafe.com/en/blog/prevent-apps-using-microphone/
If your concern is purely about your own security, the links I shared have steps for managing your privacy.
Edit: see my answer for the solution
Currently working on a Hybrid App with Ionic where there is a requirement to store an authentication Token in order to keep the user logged in, and also guarantee that this data cannot be accessed outside the App context.
There is of course plenty of solutions for this task, each one with different pros-and-cons so it's confusing (for me) to locate the one technology that fits.
I've been looking at angular-localForage and other candidates:
LocalStorage
Obvious choice for small data.
Data gets wiped in iOS when the system is low on memory.
IndexedDB
Buggy support in iOS (IndexedDB support)
WebSQL (SQLite)
Apparently a good option for small data and decent support (WebSQL suppport) but it's deprecated.
SQLite
There are related issues with Cordova in iOS.
LokiJS
Looks like an overkill for this scenario but is definitely a strong candidate. Is the any security concerns I should be aware of (as I read it locally persist data to JSON files)?
PouchDB + SQLite
Well, it's a JS client to work with CouchDB or Couchbase databases wich can also work with SQLite but again I only need to store a Token..
So apparently the best option for Android/iOS cross-compatibility should ironically be WebSQL, but is no longer being developed and I have to guarantee long-term support.
So my question is: are there any other options I'm missing to securely store an access Token? If don't, wich of the above ones should be the best choice for this task?
After doing some research I will share my conclusion.
Funny enough, none of the above candidates are suitable for securely storing an access Token. The approach should be using a native solution for both Android (Shared Preferences) and iOS (Keychain).
In the particular case of Ionic, a broadcaster plugin for Cordova could be used to communicate JS with Native so you can access the stored data.
The only secure way is using "httponly cookie". However, since april 2020 Apple uses wkwebview which has cookie problem.
SQLite is the best option to go with as the content of DB will be encrypted and saved. Also native apps rely on SQLite to save data.
To make CRUD easier with SQLite, I have created a wrapper library. Please check it here
Go for LocalStorage, it is the best way to store
Does anyone know of an AIR Native Extension (ANE) that allows you to access the device's notification sound(s)? OR, a method to query if the device is in "silent" or "vibrate" mode?
I've set up Push Notifications, but no sound plays on my (Android) device.
I know I can play my own sounds, but I want to use the native notification sound (the same as an SMS or email alert sound) and I don't want the sound to play if it shouldn't (viz. silent mode / vibrate mode).
I've been looking for hours and there's a "Vibrate ANE," and others looking for the same type of capability, but I haven't found anything usable for native sound notifications.
I believe that iOS automatically will play a notification sound when it receives a push notification (I think), but Android just flashes the "shade title" & shows the app's icon for the notification.
Maybe someone else has stumbled across a solution??? =)
Many Thanks!
Todd =D
I think you might have to be careful attempt to access the built in sounds on iOS.
We definitely could write an extension that played any of the system sounds. However I believe these sounds are copyrighted, and my understanding of the Apple ToS is that your application may get rejected from the AppStore if you use them directly.
This is why things like a notifications extension only use a "default notification" value to access system sounds that are set by the user. These sounds are played on certain system events.
The sounds are all accessed via undocumented IDs: http://iphonedevwiki.net/index.php/AudioServices
So yeah we’ve been very cautious of writing anything that could put developers in trouble with the AppStore. You have enough problems getting apps through as is. But if you read otherwise let me know.
I was wondering how IM+/IMO --multiprotocol web messengers would be able to support skype instant messaging without SC(Skype Client),even pidgin does support skype but SC has to be installed in case of pidgin.I am very curious about the imo web messenger.Do they establish connection using skype API(i dont know) or some other way... Any one who have idea/clue about how it can be done please let me know.
Any help is appreciated!!
Well, skype uses propriatery protocols, and there are some efforts of reversing them:
http://en.wikipedia.org/wiki/Skype_protocol
Update
It is now possible to connect through “Skype for Web”, allowing you to just use your browser to connect to the (clunky) web client.
Way better: a recent plugin for Pidgin lets you use it directly through Pidgin, effectively adding true support for Skype in Pidgin.