Good day fellow code ninjas,
I am attempting to make my Xamarin forms application be device unique in the sense that you are not able to login with your credentials on any device other than the one you initially installed the application on.
I have deduced that I should be using a guid for this purpose. I have searched online but I'm not able to find much of a guide on how exactly to use a guid to recognize a specific device.
Are there perhaps any resources related to this or any examples of code used to accomplish this?
There are a few layers to this question, firstly:
Can I Uniquely Identify A Device? No
You won't be able to get truly uniquely identifying information about the device such as UDID, IMEI. This is enforced by the platforms (iOS & Android) as a way of protecting users sensitive information.
This process is called Fingerprinting. There are 2 cases that the platforms want to avoid: Advertisers tracking users across apps, Malicious use of unique id's to target a user. In older versions of iOS & Android there were more API's to use to uniquely identify a user but they are being phased out as privacy & security have become greater concerns for mobile users.
What Are My Options?
Lets accept that we can never truly uniquely identify a device, there are some tricks we can use.
Secure Storage
You can generate a guid and place it in secure storage on the devices keychain. This keychain value can be persisted even if your app is uninstalled. You could use this approach to check if the app is unique to the user. There are pitfalls with this approach, it's not perfect but it's the approach myself and many other's use.
It is worth mentioning the behaviour across devices is very inconsistent. The iOS keychain can be backed up to iCloud (if encryption is enabled). Android devices can use slightly different standards across API levels & vendors.
iOS - identifierForVendor
iOS will generate a guid when you install an app, you can use this value instead of generating your own. See the documentation here.
The 2 drawbacks here are you'd need to implement this on a platform level and if they user deletes all of your apps, the guid gets deleted and a new one is generated when they reinstall the app:
The value in this property remains the same while the app (or another app from the same vendor) is installed on the iOS device. The value changes when the user deletes all of that vendor’s apps from the device and subsequently reinstalls one or more of them. The value can also change when installing test builds using Xcode or when installing an app on a device using ad-hoc distribution. Therefore, if your app stores the value of this property anywhere, you should gracefully handle situations where the identifier changes.
Edit 1:
Add further clarification: Explain fingerprinting & highlight some platform nuances
Related
I am considering building a Firebase + Flutter framework to small business solutions.
By providing a fairly high level of security, Firebase + Flutter seems quite good for a number of business applications especially based on Android.
However, for this to make sense I have to solve a few problems and I will be very grateful for help in any of the points below.
Is it possible to connect from within a firebase database via VPN
(mainly OpenVPN) to another database via odbc and/or through
webservice (strongly preferred odbc)? The goal is to connect
firebase with local databases in companies - especially MS-SQL
databases (mainly small ERP / WMS system). If this is not possible,
how can an equivalent effect be obtained? I also need a connection
from firebase to firebase to automatically download changes to the
framework from the main repository.
Many governmental and commercial systems require signing files with
a signature based on X.509 (mainly * .pfx, * .p12 password
protected). I would like all such a signature to be implemented on
the firebase server side (possibility of managing such
certificates). Are there appropriate libraries in firebase to sign
content in accordance with X.509? If not how to get the effect of
signing content in firebase + flutter and strongly prefer that the
certificate was not on the client.
In several places on the network I met the possibility of logging in
using a certificate compatible with X.509 or identical, but I do not
see such an option for selection in the panel in firebase? Is
X.509-compliant login support by Google in Firebase, and if not,
could I ask for a step-by-step link on how to handle it yourself in
two variants: a) external certificate , b) automatically generated
certificate by the client application.
Thank you in advance for your support
The subject of this question is so broad that I don't think its possible to answer on StackOverflow.
Generally Firebase is a set of cloud functionalities including databases, functions, authentication (and many more) that can be used in your mobile apps. One of the technologies that you can use Firebase with, but not only one, is Flutter which is engine using Dart programing language. But there are a lot of API from other programing languages like Java, JS, Python and many more. They might be different depending of the product you choose from Firebase.
Now pointing to your questions:
I am not sure what do you mean by "connecting from Firebase", but I suppose you mean connecting from your app. If you build the app in Flutter you will use Dart and it has VPN support of course like here.
Although I don't know much about X.509 I have found that dart will support it as well here example.
Authentication is one of Firebase enter link description here products. You can find there also custom authentication possibilities
I think all you asking is possible, but of course there is no simple answer for it. I hope it will help you.
Edit: see my answer for the solution
Currently working on a Hybrid App with Ionic where there is a requirement to store an authentication Token in order to keep the user logged in, and also guarantee that this data cannot be accessed outside the App context.
There is of course plenty of solutions for this task, each one with different pros-and-cons so it's confusing (for me) to locate the one technology that fits.
I've been looking at angular-localForage and other candidates:
LocalStorage
Obvious choice for small data.
Data gets wiped in iOS when the system is low on memory.
IndexedDB
Buggy support in iOS (IndexedDB support)
WebSQL (SQLite)
Apparently a good option for small data and decent support (WebSQL suppport) but it's deprecated.
SQLite
There are related issues with Cordova in iOS.
LokiJS
Looks like an overkill for this scenario but is definitely a strong candidate. Is the any security concerns I should be aware of (as I read it locally persist data to JSON files)?
PouchDB + SQLite
Well, it's a JS client to work with CouchDB or Couchbase databases wich can also work with SQLite but again I only need to store a Token..
So apparently the best option for Android/iOS cross-compatibility should ironically be WebSQL, but is no longer being developed and I have to guarantee long-term support.
So my question is: are there any other options I'm missing to securely store an access Token? If don't, wich of the above ones should be the best choice for this task?
After doing some research I will share my conclusion.
Funny enough, none of the above candidates are suitable for securely storing an access Token. The approach should be using a native solution for both Android (Shared Preferences) and iOS (Keychain).
In the particular case of Ionic, a broadcaster plugin for Cordova could be used to communicate JS with Native so you can access the stored data.
The only secure way is using "httponly cookie". However, since april 2020 Apple uses wkwebview which has cookie problem.
SQLite is the best option to go with as the content of DB will be encrypted and saved. Also native apps rely on SQLite to save data.
To make CRUD easier with SQLite, I have created a wrapper library. Please check it here
Go for LocalStorage, it is the best way to store
What are the pros and cons of Azure Active Directory to manage the accounts of a simple website (at most 10 accounts, just for login to control panel), instead of SQL membership provider or the new bogus identity system in my own database. I never tried this service before but I like the fact that I don't need to take care of the database and credentials of my users, it's free and very secure I guess. Someone has tested it in production? any security advise? thanks.
Among the many upsides there's that it is free, highly available, enterprise-grade and basically management-free - all flows for entering and changing passwords and similar are already implemented for you. Also, it can be used for both web sites and web API - so that if tomorrow you want to add a mobile app for the same user population, we've got you covered.
About having tested it in production... yes, there are many many (MANY) apps using AAD in production today.
I guess that one possible downside for such a small use case is that all the defaults are set to a higher security level than you'd probably use in your scenario, translating in a bit more involvement from your users: passwords templates requiring special characters, mandatory password expiration, and so on. Of course to me it's a good thing, but I am biased :-)
Another current limitation is that the user names must be of the form alias#yourADdomain, as of today you cannot use an arbitrary string. That's usually not a big deal, but calling it out in case you have preexisting user names you need to stick to.
HTH
V.
I am developing a flex 4.5 web based application and I need to make sure if the client chooses a certain level of security, each user can log only from an authorized computer.
So the question is how can I get some unique computer information? Anything like HDD serial number, CPU specifications, motherboard information, even the user that is logged into the Operating System can do.
So far the information on the web isn't giving me much hope that this can be achieved, but I had to ask.
Thanks in advance.
I suppose the only option available for web application is to create unique id from fields of flash.system.Capabilities class.
Other strategy which can be used is to generate unique UID in process of computer's authorization and then store it in local storage using SharedObject. Then web app tries to read authorization data from SharedObject on web app start. If there is no such data computer isn't authorized.
Richard is right. For security, unique identifying information is not available for applications running through Flash Player. You could write an Active X control (for IE) or a plugin (for Mozilla based browsers) to obtain additional information for your app if users (and their IT administrators) allow it. Information available will vary depending on the browser and operating system the user is running.
Adobe Air, on the other hand, allows access to additional network information including MAC address in the NetworkInfo class. Maybe it's worth considering an installed client app for users who require the additional security. Take a look at: http://www.adobe.com/devnet/air/flex/articles/retrieving_network_interfaces.html
This is not easy using a browser based Flex application, but there are some workarounds.
The browser based Flash Player can communicate with an AIR app on the desktop using localconnection. So, you could create an AIR app that utilizes NativeProcess to retrieve your machine specific information.
You could also use NativeProcess from a AIR app without using the browser at all.
A third option would be to install an application server on the client machine and have the browser based app communicate with the server to retrieve the client information.
I consider most of these options too difficult to be practical, but it depends on how important this feature is to you.
The Flash Player security sandbox will not let you read anything unique about the system on which the SWF is running, so I'm afraid this is not possible. The closest you will get is likely Capabilities.serverString along with maybe IP address, but the serverString property just lists all the capabilities of the client, which is obviously not a unique thing, and also might change from time to time for the same computer.
Warning: my knowledge of server-side scripting is limited to say the least.
This isn't a technical solution, but rather a different approach to your problem.
An alternative solution to would be to inspect the raw packet at the server in order to obtain data such as the IP and MAC address. Based on this the server can then deny or allow the login attempt.
I am used to working on embedded web servers running on micro controllers where C-based black magic is rather common, so I am not sure if this is possible or practical in a more traditional environment.
I need a custom multi-user multi-chatroom app to extend an existing Flex app that I have.
I obviously wouldn't like to develop it from scratch, but focus only on the customizations and integration.
Are there any products (free or commercial) that provide multi-chatroom functionality from which I could start?
http://www.adobe.com/devnet/flashplatform/services/collaboration.html
Have a look at Union Platform chat tutorial:
http://www.unionplatform.com/?page_id=1216
You can also check BlazeDS chat example:
http://livedocs.adobe.com/blazeds/1/blazeds_devguide/help.html?content=build_apps_3.html
I wrote an AS3 Chat Application that makes use of Player.io's free server package of 20 gigs of data transfer, other small limitations. The app is open source, and you can find the source code on GitHub.
The chat itself only uses one room, since it is averaging only around 10-15 users on at any time and its specialized to helping flash game developers, meaning it has a code storage area (simple database interaction), developer links, actionscript help, etc, but it does have some basic features if you want to see how I code them.
The chat itself has a few features you might be interested in checking out even if you don't use the source code, are such:
Support for authentication on server-side
Different types of users. (Currently overlord admin, admin, mod, developer, regular users)
Editable individual user data (Currently saves how long each user has spent on the app)
Server-side Silencing and banning individual users
Support for tags near usernames
Sound Settings on message received
Code box for users to share large amounts of text without spamming the chat
Support for multiple rooms (uses 1 public currently + 1 hidden for select users)
The server-side is written in C# and hosted on playerio.com and is supposed to be an authoritative server (meaning it checks all the client data and makes sure its valid before doing anything). The server code is also included on github.
If your interested you can comment and I will answer any questions.