I need to hide a value in a mobile (Android OS) application. As far as I can see, encrypting the value is of no use as the key to the encryption mechanism must be available to the program and is thus available to an attacker reverse-engineering the code. So, it seems that the only "solution" is to hide the secret value in the application as well as possible, obviously not ideal. Any comments? Am I missing something? If not, what's the best way to hide the value?
Thanks for your ideas!
Ewan
No matter what method you use to hide a value, he (his phone) has to have enough information to decode and un-hide it or it's not usable. There is no reliable way to prevent him from seeing it if you're allowing a device he controls to use it.
Your best bet it to simply abandon the delusion that this can be done, and instead focus on the probability that someone will even want to reverse-engineer your code, and mitigate the adverse affects for when it happens.
You might as well simply include the value in the app, perhaps lightly encoded (e.g. base64, etc) to prevent casual observers from seeing it. If anyone does figure it out, you'll probably never even know (or care).
If the information absolutely must be kept secret, then it absolutely must be kept off the user's phone. Instead set up a service (such as a web service) to interact with the information, but never actually retrieve it.
Related
HTTP_ACCEPTED_LANGUAGE allows a browser setting to determine the preferred language a website is displayed in (which can lead to some uncomfortable user experience do to mixed-language display when a framework is translated but the contents are not, or when it's only a bad auto-translation). I was hoping there was a way to display websites preferably in their native language if it is among my preferred languages, but there is a requirement I don't know whether it exists:
Can a browser be informed about a website's native language via HTTP? (Using the TLD, or worse, geolocation, doesn't count since that can be wrong especially for individual user-sites)
If you are asking about browser, the answer is yes. Just set the Content-language header on the server side and browser will know the language. The problem is, I don't think it will give you anything.
But you seem to be asking what is the real language of automatically translated web page. No, there is no such thing. And personally, I don't think it should be. I understand your problem, but there is no way to create idiot-proof protocol. The universe will just make better idiots.
That said, using automatic translation on the web site as default rather than optional is one of the most stupid ideas I've ever seen. Personally, I would not even attempt to use such web sites.
Especially Ctrl+I , which is "mail this page". I'm using wordpress self hosted. So far I've found this code, not sure how to implement it or if it's old.
Please no plethora of reasons as to why you find this attempt pointless.
Really, shouldn't answer, but:
There's no reason for this, because there's always a very easy way around it. It'll probably take a lot more work than whatever you end up with's worth. If somebody has half of a computer literate mind, they probably can get past this without a problem at all.
Summary:
Don't bother
Disabling hotkeys won't stop anyone from just selecting that option from the File menu.
People will always find ways around these kinds of hacks. Turning off JavaScript, hacking the source with Firebug, Option+Click on a Mac, taking a screenshot, etc. They are completely ineffective against anyone even slightly determined to do what you don't want them to do.
You can't really do that. See this page for really good information on the portability of various key events in JavaScript across multiple browsers. You will see for one that each browser handles/responds to various key events in many different ways.
Also, most of the default browser actions (e.g. Ctrl-F, Ctrl-S) cannot be canceled if you are capturing key events. You can still detect some of them and respond, but you can't actually stop the browser from displaying the search dialog or whatever specific action is to be performed by the key combination.
Also, if someone really wants to take your page's HTML/JavaScript code or content, these methods won't stop them. The disable right click code from the link you referenced can prevent right click, but all someone has to do is disable javascript and it no longer works.
I'm looking at allowing users of our online system to control their own .css files with us by simply including them on a user by user basis.
What is the best way to avoid any potential XSS attacks in said files?
Is it possible to completely protect ourselves at all?
It would be possible for us to host the files for them and obviously then check them ourselves but it would be more convenient for our users to be able to update them as well.
The problem with allowing CSS is that many clever attacks can occur. CSS can be very dangerous indeed.
Some CSS expressions allow executing arbitrary JavaScript. This is difficult to prevent by blacklisting, so I'd suggest whitelisting.
Additionally, someone may create a CSS file that changes the page to impersonate another site, another page, or maybe it cleverly orients other elements on the page. Imagine if someone were able to position their own login form above your real one. Then they could intercept login requests. Depending on how your site is set up, this may or may not be possible; but be forewarned! Some know this as clickjacking.
Firstly, exercise caution, as others have said. Beyond that though, try and white-list the valid inputs you'd expect in the file. See if you can locate any libraries for your chosen framework (you haven't mentioned what this is), that can validate a string for CSS structure compliance.
The other thing you might to consider is parameterising certain CSS attributes and allowing users to configure them (i.e. color, font etc). This would significantly mitigate your risk as it takes out the ability to arbitrarily create your own malicious CSS (and conversely, create your own innocent CSS!)
As for your original question "Is it possible to completely protect ourselves at all?", that's easy - no!
When making websites accessible, I usually assume that if someone doesn't have javascript, they don't have flash either. Is this true, or is there a group of users who don't have javascript but who would still benefit from flash embedded directly into the page?
I realise that it's technically possible, but I would like to find out whether there is a meaningful quantity of users in that situation.
Sure they will be a segment of users with such a configuration, but I suppose it will be very small. Only user which are afraid lots about their privacy disable javascript. These users will never install flash if they aren't forced to do so.
If you use progressive enhancement then you may not have to code explicitly for this particular (and probably vanishingly small) demographic.
Assume I have a form with some disabled checkboxes because the user as logged in shouldn't be able to check them. Where should I add some sanitization security to make sure they didn't hack the checkbox and cause a postback?
In the page?
Database layer?
In the database?
I realize it's most likely a pretty broad question.
thanks,
Mark
If you really need to make it secure, implement checks across all layers..at a minimum, start with the database and data access layer.
I prefer to make things the user can't interact with completely invisible when possible. You can't hack what you can't see (and I don't mean hidden on the page, I mean the server doesn't generate the code for the things not logged in users can't see).
That said, assuming you need to leave controls visible, but disabled, I would add code in both the front-end and the back-end to do checks. The front-end validation code is susceptible to hacking, but it is nice to have quick validation feedback available for users that are using the system - however, the back-end should be your real fail-safe place to make sure everything is as expected and do final checks before committing changes.
Unfortunately that sometimes means you need to duplicate the effort, but for really important stuff, it is worth it.
ASP.NET Event validation mechanism takes care of that. It's been there since 2.0, I think.