I'm thinking of using an MBaaS such as Firebase or Kinvey for my next app, and am wondering if any exist which encrypt application data end-to-end (i.e. such that the encryption keys are never shared with the service provider). This seems feasible in theory, since the server is not expected to do any computation on the data, only store it and deliver it to clients.
Does such a service exist? I've found ZeroDB and Crypton, but neither are available as services AFAICT, which means I'd have to administer, scale, and back them up myself. I also thought of using something like Firebase and encrypting my app's data before I pass it to the Firebase API, but I'm wary of writing a one-off crypto layer like that unless I have to (i.e. I'd rather use something that's been peer-reviewed).
Alternatively, if no such service currently exists, why not? Is it technically infeasible, or is there just no market for it?
Edit: This seems closest to what I'm looking for, but considering the broken links on their website I'm guessing it's defunct: Adreneline Mobility
The answer to your question is actually available on the market. CloudMine offers end-to-end encryption (disclosure - I work at CloudMine). They have a largely healthcare focused offering so it has to stand up to HIPAA and other government regs around data security.
Here's a good overview video on security featuring CloudMine's CTO. The first 45 sec. provide some more information on our encryption techniques.
I know I'm being the "sales guy" right now but I'm happy to hop on a call to share what we've built and discuss your specific use case. You can email me at nick at cloudmineinc.com if you're interested.
Virgil Security (full disclosure - I work there) has an end-to-end encryption SDK that works for any endpoint, and also has a special integration with Firebase. It's open source, of course. Check it out and feel free to ask any questions of the team here or on Slack - https://e3kit.readme.io/
Related
I am considering building a Firebase + Flutter framework to small business solutions.
By providing a fairly high level of security, Firebase + Flutter seems quite good for a number of business applications especially based on Android.
However, for this to make sense I have to solve a few problems and I will be very grateful for help in any of the points below.
Is it possible to connect from within a firebase database via VPN
(mainly OpenVPN) to another database via odbc and/or through
webservice (strongly preferred odbc)? The goal is to connect
firebase with local databases in companies - especially MS-SQL
databases (mainly small ERP / WMS system). If this is not possible,
how can an equivalent effect be obtained? I also need a connection
from firebase to firebase to automatically download changes to the
framework from the main repository.
Many governmental and commercial systems require signing files with
a signature based on X.509 (mainly * .pfx, * .p12 password
protected). I would like all such a signature to be implemented on
the firebase server side (possibility of managing such
certificates). Are there appropriate libraries in firebase to sign
content in accordance with X.509? If not how to get the effect of
signing content in firebase + flutter and strongly prefer that the
certificate was not on the client.
In several places on the network I met the possibility of logging in
using a certificate compatible with X.509 or identical, but I do not
see such an option for selection in the panel in firebase? Is
X.509-compliant login support by Google in Firebase, and if not,
could I ask for a step-by-step link on how to handle it yourself in
two variants: a) external certificate , b) automatically generated
certificate by the client application.
Thank you in advance for your support
The subject of this question is so broad that I don't think its possible to answer on StackOverflow.
Generally Firebase is a set of cloud functionalities including databases, functions, authentication (and many more) that can be used in your mobile apps. One of the technologies that you can use Firebase with, but not only one, is Flutter which is engine using Dart programing language. But there are a lot of API from other programing languages like Java, JS, Python and many more. They might be different depending of the product you choose from Firebase.
Now pointing to your questions:
I am not sure what do you mean by "connecting from Firebase", but I suppose you mean connecting from your app. If you build the app in Flutter you will use Dart and it has VPN support of course like here.
Although I don't know much about X.509 I have found that dart will support it as well here example.
Authentication is one of Firebase enter link description here products. You can find there also custom authentication possibilities
I think all you asking is possible, but of course there is no simple answer for it. I hope it will help you.
I'd like to know if it is possibile using waze's API about the community like danger points for an external app and integrated them with some our features.
I'm afraid Waze has strict rules concerning to who they expose the reports sent in by users. They provide a feed of reports for specific areas through the Waze Connected Citizens Program (CCP), but this program is generally only available for governmental institutions or road authorities. Generally the program also expects a dataflow towards Waze (road closures, for example).
That said, I don't work for Waze and I don't know all the details of the app you are working on. Depending on the type of app you are talking about, they may like to collaborate. You could always try to apply as a CCP partner and perhaps they may make an exception. Just be aware that while Waze has a lot of users, it is actually not a very big company so support queries may take a while to get a reply.
Note that it is technically possible to scrape the information from the Waze Live Map, but I'd strongly advice against doing that without permission as it could lead to legal actions.
After some time being working with Restful APIs I would like to know a bit more about their internal functionality.
I would like a simple explanation about how the API`s get access to the data that they provide as responses to our requests.
There are APIs, for example weather API`s or sports APIs that are capable to provide responses with very recent data (such as sports results), I am wondering where or how they get that updated info almost as soon as it is available.
I have seen here on SO questions with answers pointing to API design tutorials, but not to this particular topic.
An API is usually simply a facade (or an interface if you prefer) to some information resource. The idea behind it is to "hide" any complexity from the user, to unify several services to a single access point or even to keep the details about the implementation of the actual service a secret.
This being said you probably understand now that there can't be one definitive answer to the question "where do APIs get their info from?". But some common answers are:
other APIs
some proprietary/in-house developed service/database
etc.
For sports APIs - probably they are being provided by some sports media, which has the results as soon as they get out, so they just enter them in their DB and immediately they become available through their API.
For weather forecasts - again as with the sports API they are probably provided by a company dealing with weather forecasts.
If it's easier for you you can think of the "read-only" APIs as rss feeds in a way.
I hope this clears the things a bit for you.
You could have a look at Stack Share to see what companies use for databases and whatnot. But there isn't a universal answer, every company uses whatever works for them.
This usually means that te company has its own database in which the data is stored. But they might also get their data from another company.
But a 'database' is not just SQL, maybe they use unstructured data or any of the other options to store data.
That's where the "whatever works" comes from. The company chooses a solution they go with which best fits their needs.
For our messaging app, if we send user messages directly to CloudKit (without doing any of our own encryption), can we claim that our app is end-to-end encrypted, "where only the communicating users can read the messages"?
Matt,
I presume/assume this is a coding question? So I'll answer with a coded answer :)
You can offer your guarantee that messages are only readable by communicating users by encrypting the messages using public/private key pairs. Technology that has been around for more than a while now. This discussion talks in detail about the process.
Search for "Swift RSA Public Key Encryption Howto" on https://forums.developer.apple.com forum.
I know this is an old and somewhat controversial question, but I thought I'd lend my two cents on the subject.
After some quick Googling, the most authoritative public and user-facing answer to this question I've found is on Apple's Privacy page. See the section on iCloud, which reads,
Your iCloud content [...] is encrypted when it’s transferred and when it’s stored on our servers.
It then talks about CloudKit.
That sounds pretty end-to-end-ish to me.
However, they go on to state that "some personal data, such as Home and Health data, is stored with end-to-end encryption." This contrasting passage does not bode well for your "We're end-to-end encrypted!" requirement, unless the quote above suffices for your purposes.
For my own present project, it does, as my data isn't necessarily business-class levels of sensitive; I don't need full control over what and how everything is encrypted. My biggest concern is that I, the developer, cannot see my users' data. This, CloudKit enforces for me, whereas tools like Firebase do not.
That is all.
Happy Googling! 😊
I've been reading about Firebase and playing with it for a short while. The idea (BAAS) and implementation are impressive, and having programmed with Javascript it seems a viable choice. Not having to deal with scaling and other server side concerns makes it even more attractive.
My question is: generally speaking, is Firebase a first class back-end candidate for any average data-based application? e.g. billing, CRM, e-commerce, social, location based, etc. I do not include super light or heavy extremes such as a basic chat, or a nuclear plant monitor...
The answer may not be a clear yes/no, but was it built to support the general application space, or just stand out as a real-time read/write data service?
Would appreciate answers based on experience and existing production applications.
Thanks
Yes, Firebase is intended to be a first class back-end for any data based Web, iOS or Android application. The service offers real-time data reads and writes, but also comes with a powerful and flexible security system that allows you to write secure client-only apps, without needing any server code to enforce data boundaries.
There are several apps in production listed on the front page as customer and on the app showcase page on https://firebase.google.com/customers/
Firebase is now more capable and is considered as a full stand-alone back-end, especially after the introduction of cloud function. https://firebase.google.com/docs/functions/
Firebase may not have support for transaction spanning multiple business objects.
e.g. When a sales order is booked then it needs to update inventory for multiple items, update billing in receivables, give sales credit to multiple sales persons etc.
Firebase team is supposed to come up with a database trigger option which will make all these happen.