I've just started learning ionic framework. It uses web browser capabilities for building apps.
These capabilities namely HTML, javascript and CSS are client side stuff. Which on browsers can be seen with view source.
My questions is how will be the visibility of the source? Will the end user be able to see the source of the app?
If yes, is it normal for any app? Shall one be worried about the security of the source?
The visibility of the source in chrome://inspect#device , is pretty much the whole application. And no, end user cannot see the source of your application once you set and push the project to production mode.
Well, since you are developing a hybrid application, there are of course, pros and cons for each. Security might not be as strong as native apps, but development time is greatly reduced to push the app to different platforms.
If you would to do something would requires high security and non-visibility of your source , then native is the way to go. As for hybrid apps,if you need somewhere to store your data securely, you will need plugins to communicate with native platform's secure storage which might pose a security risk. But then again, even native applications can be de-compiled. The way developers tries to make it harder is via obfuscation methods.
Once u set your application to production mode, you will not be able to inspect your application anymore.
To show your web-app on chrome://inspect/#devices :
1) Make sure your web-app is running and your phone is plugged into your computer via usb with USB debugging on and your PC is trusted by the phone.
2) Under device manager, you should not have missing phone drivers. (it would look something like this)
3) ADB should not be running co-currently. And you should be able to see something like this on ur inspect page:
4) Click on inspect button and you're done! (:
You have a signed apk, when you install it on a device and inspect the device on google chrome the inspect option will not be available. Theres an easy way to do that decompile the signed apk using apktools you will get the AndroidManifest.xml file. simply add android:debuggable="true" to the tag and recompile it resign it and you will be able to inspect it. If you check the main.js file in the inspect section the source code is visible.
Hence you can use Jscrambler to prevent this (Its a paid service i too am new to it)
Related
I would like to access a special hardware (a penta scanner, for the wisest ;) ) from a web page.
The aim is to retrieve the information from the scanner and compute it on server side.
The problem here, is that I have to summon functions from a DLL that has to be on the client side. I have two leads for that:
Develop a COM DLL and use ActiveX
Try to get through a homemade extension for a web browser in order to communicate with the local DLLs.
I've tried the first option, and I got stuck and I've posted another thread about it. Anyway, even if it works, there are too many constraints about it (as to use IE or the fact that even Microsoft is not fond of this feature and banned it from edge).
The second method is something that I found on another forum but, I do not understand how I can interact with a browser extension (whatever the browser).
So what I am asking is:
Is it possible to use a web browser extension as a medium to a local DLL and if so, would you be so kind as to give a hint about how to do ar anything that might look like a start about how to do it (even just some key words to use on google, since mine didn't get anything)....
Thanks.
Based on my understanding, the motive to develop an Extensions is to enhance the feature and functionality for particular web browser.
You cannot control any hardware devices like printer or scanner with it.
So if your goal is to control the scanner from your web page with the help of any kind of extension than I think you cannot do this with Extension.
Here my problem, i create a couple mini game for windows 10 (PC, phone, Hololens UWP, ...), but now i would like to make a launcher to gather all my games, like steam (for example).
But, according to Microsoft, it's impossible to launch a .exe or even .msi from UWP app -> ("This API also imposes several restrictions on what types of files it can launch. Many file types that contain executable code, for example .exe, .msi, and .js files, are blocked from launching. This restriction protects users from potentially malicious files that could modify the system.
")
And now i search a solution, maybe with the FullTrustProcessLauncher Class but i dont know how its works :
https://learn.microsoft.com/en-us/uwp/api/Windows.ApplicationModel.FullTrustProcessLauncher#Windows_ApplicationModel_FullTrustProcessLauncher_LaunchFullTrustProcessForCurrentAppAsync_System_String_
if you have an idea, a solution or even an exemple, I will be thankfull
Best regards
PS: sorry for the bad english, i'm french ^^
You can accomplish this by supporting a custom protocol in your games. Then your launcher app can launch them via that protocol by using the LaunchUriAsync API:
https://learn.microsoft.com/en-us/uwp/api/windows.system.launcher#Windows_System_Launcher_LaunchUriAsync_Windows_Foundation_Uri_
Sorry, that is not going to work.
"FullTrustProcessLauncher Class
Activate the full-trust Win32 component of an application from a Universal Windows app component in the same application package."
In other words this is to run a Win32 component of the current application.
Since Microsoft wants UWP to be more secure, your best option is probably to bundle your games together in one bigger application. Have the start page / form be a menu of the games, then switch to another form for each game.
Name your classes, forms, resources carefully so you know what game they are for -- ChessMain, ChessForm, chess_logo.jpg; CheckersMain, CheckersForm, CheckersPlayerTurn.
I have a hack way that may help to launch the exe in uwp.
If you want to use the win32 dll that in other directory,please get the LoadLibrary that can use it.
You can use
MEMORY_BASIC_INFORMATION info = {};
if (VirtualQuery(VirtualQuery, &info, sizeof(info)))
{
auto kernelAddr = (HMODULE)info.AllocationBase;
auto loadlibraryPtr = GetProcAddress(kernelAddr, "LoadLibraryExW");
// load your library here ...
}
to get the loadlibrary and use to loadlibrary the dll.
See https://hjc.im/3-ways-to-bypass-wack/
Ms use the PE and P/Invoke to judge whether uwp use the not allowed dll.
So you can use the loadlibrary to load it.
You can launch the exe by win32.
But it may work today but it might break tomorrow.
I have website link at which I have designed a html/javascript web app. I used iOS and Android app to create an app that encapsulates the web app.
Is there a way to block access to the website link and only allow access to the website link only thru the native apps calling the link.
In short safari, IE, Chrome must not be able to access the link, but the iPhone & Android app should be able to access it.
Is there some way to tell that the app is accessing the site and not the phone or pc browsers.
I am sure there a number of ways to implement this.
Thanks,
It depends on how is the web app implemented. Since native Web Views are pretty much the wrapper for the standard browser (Safari/Chrome), you will find it tough to filter it based on that.
What you can do, however, is to add an extra GET variable (for ex. &ref=youruniquecodehere) or a custom User-Agent, based on which you will be able to identify, whether your application authorized the request (with a proper access code) or if it's a generic request using browser.
However, both of these options can still be bypassed if researched, although it'd require slightly more time. Not sure whether a solution that would work in 100% of cases exists.
Hope that helps, please correct me if I'm wrong.
I've developed interactive content for a client ( VR Objects ) using javascript and Flash (if needed) that they now want to distribute to prospective customers via a flash drive. That makes it local content causing security issues especially with IE. Actually there doesn't seem to be much problem with any browser except IE. True, IE displays the "allow blocked content" button but they fear that is too complicated or scary. And on IE11 in Win 8.1 it still may not work.
The development environment I use has a way around that for testing using an "embedded web server" although all that seems to do is produce a localhost address such as http://localhost:60331/wyj-01xn/output/surfacide_flash.html. Paste that in the URL bar of any browser on the same machine and you are good. Try it on another machine and no go. So I gather the port address and whatever the /wyj-01xn/ is about are machine specific. Another possible problem -- it may not work easily with IE11 on Win8.1, but I don't personally have that setup to test.
QUESTION: Is there a way I can produce this same functionality for my client, distributed along with the content on the flash drive, without the need to install some special software (local web server) on each client computer??? The current workaround is to tell customers they should us any browser except IE. Client isn't happy.
You could distribute your webpages along with a portable Nginx server, or wrapped inside a Node-webkit or AppJS package.
I am wondering if there is a way we can achieve this. I heard different things about Silverlight 4, JavaScript or ActiveX control, but I have not seen any demo of code for any of them.
Is there a web component that is available or how can I write one?
We really like to capture a client's USB drive via the Web and read/write data on it. This has to work for any operating system in any web browser.
What about WPF in browser mode? I read that I can host my WPF applications inside browser and sort of like smart client.
Here is a great example of doing this via Silverlight 4, but the author mentions about possibility of accessing USB on Mac via:
Enable executing AppleScript scripts.
This option will let us have the same amount of control on a Mac machine as we do on a Windows machine.
Add an overload to ComAutomationFactory.CreateObject() that calls the “Tell Application” command under the scenes and gets a AppleScript object.
This option would work extremely well for Microsoft Office automation. For any other operating system feature, you’ll have to code the OS access twice.
I did not quite understand it. Has any tried this?
Web browsers are deliberately isolated from the filesystem for security reasons. Only Java (not "Java Script"), Flash or browser plug-ins can accomplish this.
JavaScript cannot directly access your local disk (including a flash drive) for security reasons (would you really want any web site you look at to access, change, or even delete your files?), and ActiveX controls are IE-specific, so you should probably use a Java applet (not JavaScript). While Java's security policy normally does not allow access to local disks, signed applets can with the user's permission.
If you're willing to introduce a dependency on Flash (10), you can use the FileReference class to get access to one file at a time, first for reading using the browse method, then for writing using the save method.
Note that for security reasons, each call to these methods must be triggered as a result of user input (e.g. clicking a button), and each time they are called an OS-specific File Open/Save As dialog box is displayed.
There's a video tutorial which gives some sample code for editing a text file (load + save) directly in Flash, without needing any server-side help. It should be enough to get you started in the right direction.
What about WPF in browser mode...I read that I can host my wpf apps inside browser and sort of like smart client.