How do I hide my private API keys in/for my webOS - Enyo based apps?
My development has basically come to a halt because of this issue.
Since webOS Enyo (as well as Mojo) is coded in Javascript, any user can plug their device in and easily view my source code. So obviously I can't just stick my keys in there. Even if they are encrypted, my app would have to include the mechanism for decrypting them to make any use of them. I'm looking to hide my private web service API keys (mainly OAuth Twitter, Facebook, Google, etc.) and maybe my AWS private keys.
So far the answers I found have stated that you can't secure anything like a private API key in Javascript. But all of those discussions have been dealing with web applications which have easy alternatives to using Javascript. webOS apps don't really have a pretty alternative to coding simple apps in Javascript.
The only path I see possible is to create a proxy that all of my API calls would pass through. Is that the only feasible or ideal option? If it is, would node.js do the trick for me here?
Any leads, resources, examples, tips, etc. would be greatly appreciated. I feel like the answer should be starring me in the face since so many apps connect to these services nowadays, but I have had no leads. Thanks.
No application of any kind that has client-side private keys like this (other than one that is entirely server-wide) is safe from prying eyes. This is true of a compiled C++ app for Windows too. If the application is going to use the private keys directly, then they're in the code or available to the code. Prying eyes can find them. Yes, Javascript might make the code a little more accessible, but this not a problem that's new to webOS or Javascript apps. If Enyo was a PC/Mac cross platform tool, wouldn't you have the same issue with your Twitter keys?
Usually, what is done is the keys are put in some sort of storage mechanism at install time. On a PC, that might be the registry or some config file. Does webOS have an install mechanism? It looks like they have HTML5-type storage - can you store them in there at install time. They won't be hack-proof (nor would they be on any other platform), but they also won't be lying in your Javascript code either.
The other solution to this is to require your developers to get their own keys to public services like Twitter rather than everyone using your own. That keeps you from risking your whole platform when there's one bad customer.
If I've misunderstood your situation, feel free to clarify and help me understand better.
My feeling is that having a proxy is a great idea. The proxy gives you additional benefits of adding user authentication and other functionality without changing the client side.
Take a look at the Key Manager service, which you can use to store your keys without having to code them into your JS files.
Related
I'm currently working on a new google polymer web application and wondered if I should use firebase as the backend/db. I took a look at the project, made some test applications and really liked it! But to fully convince me, that firebase is the way to go I need the following questions answered:
I'm a little bit concerned about security: So, I know, that firebase uses read, write and validate to implement server side security. From the samples, I noticed that the validation basically is a one-line JS script, that represents a 'if'. As I'm planning to build a web e-commerce application I need to validate quite some inputs. Is there a possibility, to outsource the validation in a separate file, to make it more readable? Also I wondered, if there is a possibility, to test these server side validations, with for example unit tests?
I'm not 100% sure at the moment, that firebase can cover all of our use cases. Would it be possible/a good solution to use a "normal" backend for some critical functions and then persist the data from the backend in firebase?
I saw some nice polymer elements for firebase. Is firebase 100% supported in polymer/web components?
Is there an other way (like Java approach) to implement server business logic?
Is there a way, to define update scripts, so that new releases can easily be pushed to production?
Thanks & kind regards
Marc
So, I asked the firebase supprt and got the following answer:
Great to meet you.
I'm a little bit concerned about security: So, I know, that firebase uses read, write and validate to implement server side security. From the samples, I noticed that the validation basically is a one-line JS script, that represents a 'if'. As I'm planning to build a web e-commerce application I need to validate quite some inputs. Is there a possibility, to outsource the validation in a separate file, to make it more readable? Also I wondered, if there is a possibility, to test these server side validations, with for example unit tests?
You can implement extremely complex and effective rules using our security rules language. You can deploy security rules as part of your hosting deploy process, or via the REST API. It's not possible to break the contents into multiple files on the server, but you could certainly build your own process for merging multiple files into a single JSON result.
I'm not 100% sure at the moment, that firebase can cover all of our use cases. Would it be possible/a good solution to use a "normal" backend for some critical functions and then persist the data from the backend in firebase?
Generally speaking, synchronizing Firebase and a SQL back end is not very practical and they don't translate well. It's probably entirely redundant as well.
I saw some nice polymer elements for firebase. Is firebase 100% supported in polymer/web components?
I don't know what 100% supported means in this context. We offer a JavaScript SDK so they should play fine together.
Is there an other way (like Java approach) to implement server business logic?
We offer official SDKs in Java, Objective-C/Swift, Android, Node.js, JavaScript, and a REST API for use with other languages.
Is there a way, to define update scripts, so that new releases can easily be pushed to production?
I'm not sure what this means. Most likely the answer is no, since we don't provide a build process or any tools to release your software.
I hope that helps!
I responded:
Thank you for the information, it helped me very much! After reading your response on question number 5 one further question popped into my mind:
…
5. Is there a way, to define update scripts, so that new releases can easily be pushed to production?
I'm not sure what this means. Most likely the answer is no, since we don't provide a build process or any tools to release your software.
Is there like a best practice on how to handle the database schema? I only have one web application (without apps, etc.) in my case... I expect, that the database will change drastically over time and releases. Should I write JS logic, that checks the current database version and update it, if it's necessary? Maybe this would make a nice feature...
For example: I deployed Version 1.0 of my application and everything works fine. After 3 months of programming I notice, that the user data needs a further attribute: address, which is a 'not null' attribute. I now deploy Version 2.0 of my application and every new registered user has a address, but the old users (from Version 1.0) do not have this field or a value.
How should I handle this?
Support responded:
Hi Marc,
There’s no best practice here, but your ideas seem fairly sound. You probably don’t need to check in your JavaScript. You can probably store a version number in the user’s profiles, and when they upgrade to the latest software, you can upgrade that in their profile data.
Then your validation rules could use something like the following:
{
"user": {
".write": "newData.hasChild('address') || newData.child('appVersion') < 4",
"address": {
".validate": "newData.isString() && newData.val().length < 1000"
}
}
}
So if you are concerned about versioning, this could be used to deal with legacy releases.
Another popular approach I’ve seen from devs is to do intermediate upgrades by duplicating data. Thus, you release an intermediate version that writes to the old path and to the new path with the updated data structure (which keeps the app working for old users till they upgrade). Once a reasonable percent of clients are upgraded, then release a final version that no longer does a dual write to the old structure and newer structure.
Of course, flattening data, while it makes joining and fetching data bit more of a pain, will make upgrades much easier as the modular data structure adapts more easily to changes. And, naturally, a pragmatic design where you wrap the various records in a class (e.g. the UserProfile class with getter/setter methods) makes transitions simpler as you can easily hack in versioning at one place.
Hope this helps someone :)
I am looking to extend a web application using the new real time API in order to support collaboration (javascript). For that purpose I would also like to include a chat which will be available to users collaborating on same document. After extensive search I cannot find parts of the Drive API that can be used for this. Furthermore none of the open-source examples provided by google implement chat functionality.
Is there existing services/code that I can use to intergrade
chat into my application or I would need to implement it?
As mentioned before, the chat should be available to those collaborating on same document.
p.s I do not require any special features, just a simple chat as the one found in google docs etc.
Right now I don't know of any out-of-the-box solution to this problem. Some people have implemented chat in a realtime document by just placing the chat messages in the realtime data model.
This works fine so long as you don't also want to use undo/redo feature. If you are using undo/redo, then people would end up undoing the chat messages.
We are interested in adding some better support for this eventually, but no promises on anything in the short term.
You will need to build your own chat system, as Google just killed off XMPP support on the Chat API (which largely kills off the use of the API). The new Hangouts API does not provide access to Chat ( though some additional methods may come in handy: https://developers.google.com/+/hangouts/ for the dev API).
You are therefore left to your own devices. Fear not, however, writing a chat system is pretty easy. I am about to release a (mostly free) service to do so, so if you want to not have to write the code for it, I can keep you posted.
If, however, you'd prefer to build the code for it, you will most likely want to look into either socket.io or postal.js. both provide the same thing: a pub/sub model. From there, you will need to implement a choice of either:
Long polling: supported by all browsers but a bit clunky
Websockets: not supported by IE8 and below
This will serve as your data transfer.
Two other possible options are paid services: you can retrofit RabbitMQ to do what you want to do (this, however, will seem clunky). You can also retrofit the Meteord daemon, which does what you want natively, but has an outdated JS library.
The keyword of all this is pub/sub, though.
The scenario is:
I have a web API, which is being accessed by two clients:
Web App written in Javascript, which is minified
iOS App
SSL is all set up on the server hosting the API, and it works fine. There is no User Auth for the API because it's a sort of location-based searching app.
I want to ensure though that only the web app and the iPhone client are able to actually make requests to the API. For the iPhone client it's easy - a shared secret between the server and the app will do, and it's encrypted with SSL so we're not worried about people spying on it.
But for the web app the same solution won't work. I can't just leave a string in the code, and even if it's encrypted in there that's all somebody would need.
Basically, I'm looking for a good solution to this problem. I just want to make sure it's kept only to clients who are allowed to use it, but I'm not sure how I can without going and implementing OAuth which I think is probably overkill. Any ideas?
Thanks!
Dan
It can't be done. Even with oauth. Even assuming that your iOS app is secure, is wrong: it can be decompiled. Any code that runs on the client, can be tampered with, and can't be trusted to be who he says he is.
Only question is: is the API you provide valuable enough, and how much trouble would someone want to go through to hack it. And how hard do you want to make it for whomever wants to hack it.
The iOS version is indeed way safer than the javascript version. In the webapp you can obfuscate your code to make it harder to hack. You can (if you don't intend to use it on iOS) use java or flash to further hide your signing code (HMAC-sign your requests, don't just send a shared secret with them. You may think SSL is secure, but there is a moment before the url is encrypted....).
The way the "big guys" deal with this is:
Whatever you build, assume that someone will be able to hack it (as in: use your API for some other purpose than you intended).
Think about how bad this really is (note: they wouldn't be able to build a business on it; it would be WAY TOO vulnerable to lawsuits). Is it really the end of the world if a lone wolf uses your API.
If you do care about the lone wolves, make it as hard as possible (but honestly, isn't it cheaper just to loose some money from the lone wolves, than to spend 2 developer-months on it?)
If somehow there is serious interest in hacking into your API, try to come to an understanding with the hackers (e.g. I like the way how Spotify reacted to despotify. Basically they said "hey, if you don't release anything that makes it really easy to steal our music or circumvent our businessmodel, we won't try too hard to block you")
Has anyone an idea for the following scenario?
I have a RIA-Webapplication (realized in ExtJs). What I want to implement is the possibility to use local ressources like card readers or fingerprint readers or other serial devices and filesystem access.
I thought about implementing this with a local websocket service which has to be installed by our customer before using our RIA the first time. When the webapp is loading it should scan the local machine if a websocket service is available and connect to it.
After that, local events (like new card is beeing read or recognized new finger) should be passed to the browser via websocket connection.
Any ideas how to get started with such a solution?
I have made something like that. Besides the obvious things such as read/write/poll data from the card-readers and so on, you would have to either implement everything yourself or, use a library for technology you are going to employ for your web-server. So, if you use a LAMP solution, i think there are some web-socket libraries for PHP that you can use. However, if you do everything by yourself then you have to implement everything from hand-shaking, to creating data packets. I have done everything from scratch by using .NET and it provides a number of useful libraries such as hashing. Java also would be a good option and have those kind of libraries as well. In general if you doing everything by yourself i would say the trickiest thing would be to split the data you want to transmit among various data packet. It is not that hard to do things from scratch. The RFC (https://www.rfc-editor.org/rfc/rfc6455) helped me a lot. Hopefully, this helps.
So I'm working on some mobile application that will represent WordPress page.
Working it like web page, then spreading it to all mobile platforms using phonegap (mainly just taking webkit, moving all his functionalities, and putting that small webpage to applications)
Web is written in jQuery/JavaScript/html/css.
I come to some security problems. All data on original WordPress site is secret, and only members can see stuff from there.
And I need to get data in JSON format.
And there is my problem. :)
I can install (i did install) JSON api, and i can get every bit of data I want. But the problem is that anyone can (just type some "get" stuff in URL (for example: mysite.com/json/get_post/?id=1)).
I need to "secure" that data, and let it go only if the user who is asking for it is logged in.
What is the best solution?
I know there is a lot of security problems in this stuff. And only some encryption would be useful. But I need quick and easy solution that will at least make it harder than just typing url. :)
I found something about oAuth, but didn't really understand the way to use it. Any ideas? Any WordPress plugin? Anything?
Thank you. :)
What you are describing is an OWASP A4 - Insecure Direct Object Refernce vulnerability. Encryption does not solve this problem and is by no means the right tool. The problem is use access control. The user needs to login to the wordpress install in order to gain this type of information. Wordpress has a session system built in and you'll have to read up on their API documentation.