[Q] Mobile page - where to keep private data on device? - General Questions and Answers

Hi,
I'm developing a mobile website and I have a problem with the security of some data.
The first time the user browses my site, the page requests some private user data from a server (i.e. an RSA private key) which is used in future operations. This private key must be stored somewhere in the local device's memory (as a file on the device, browser cache...).
The next time the same user launches the page (some functionality on the page), the page has to load the file from local data when needed and use it (i.e. encrypt some string with the private key).
The problem is where to store this key and how to read it?
First, I thought about cookies. But a cookie will be sent with all requests, so doing it with a private key IMHO is not a good idea.
The connection of course will be via SSL, but even so I don't want to send the private key to the server (it has to be as secure as possible!).
So, how to solve the problem...?
I can add that it's not necessary to get the private key from the server. It can be loaded as a file onto the device via its file manager or something like that. Simply, the browser has to read the private key when it is needed and use it. I don't think that browsers allow saving/reading files from JavaScript, am I right?
The solution must work on most available devices and browsers nowadays (especially iPhone, Android, Symbian + Opera Mobile(/Mini?)).
Maybe HTML5 and its 'localStorage' could solve it, but I have to assume I CAN'T use HTML5 with all its features.
I'm considering using the jQuery Mobile framework.
Please, help! Thanks in advance!!
Buffalo

[Q] Remote Administration of Multiple Android Handsets

My situation:
In my company we have about 30+ handsets currently running Android (standard and custom ROMs from XDA). The handsets include HTC Desire HD, HD2, Desire S and Desire Z. The users cannot be trusted not to brick the phones if they are allowed to download apps and modify them in any way (not to mention they are business phones, so shouldn't have Facebook etc. on them anyway).
I've heard about admin tools which allow control of handsets remotely.
Requirements:
So, if possible, what I would like does something along the lines of:
1: Blocks further apps from being added to the handset without a password
2: A lock to keep as many of the settings as is originally provided (wallpaper etc)
3: A master admin tool from which I can remotely manage all the handsets (download requested and approved apps, wipe, lock, locate and reset the phones if lost... etc.)
What I have done before to stop the users adding further apps is register my email address to Android Market on all the phones, then change the password using my desktop. While this stops new apps from being downloaded from the market, it does mean I cannot remotely roll out approved apps as they are no longer signed in to the account.
Is there anything out there which does any/all/some of the above?
Is there one tool which can manage all these tasks? Or will it have to be separate apps like Norton Mobile Security (for example) etc.?
Can anyone get their heads around this?
Thanks!
The market lets you download apps to a phone.
Lookout Security does all of the security tasks you want.
Thanks, that would take care of the remote wiping, locating and locking.
Does Android provide any corporate setup for administration of lots of handsets? Surely this is a niche in the market for some devs to jump on if there isn't something like that already.
And I know Android Market allows you to remotely download apps to multiple phones, but I want to make it impossible to download through the phone itself (so I can add apps but the user can't).
Something that performs like MFormation Enterprise Manager but avoiding the $20k price tag! (a tall order i know)
Sonic_Sonar said:
Something that performs like MFormation Enterprise Manager but avoiding the $20k price tag! (a tall order i know)
Hello,
Have you found any apps that fit your needs? Do you use them? If not, is your organization still interested in a mobile device management service?
I'm asking because I'm working for http://bloove.com (personal phone management service) and we're going to expand our offer to small and medium companies.
This new service will combine existing contact, sms, phone log and bookmark backup for personal phone with MDM features like centralized app management, location and wipe service etc.
We're looking for early adopters who will have a chance to add their custom requirements to the service and get this service for free for up to six months.
Please let me know if you're interested and want to discuss this further.
Thank you,
Rostislav
[email protected]
Please use the Q&A Forum for questions Thanks
Moving to Q&A
I did something like this ...
I first installed openssh server, plus a script that checks a specific URL for remote access needs (had to do it that way since my carrier blocks connections on all ports).
The server side is a simple PHP script that you call like this: check.php?deviceid=[ID]. The script checks a DB to see if there is anything new for that device ID and acts accordingly. I implemented three features: Tunnel, Script, Install APK. So, if I want to install an APK on all devices, I just upload it to our webserver, and in the MySQL DB I add device id = all, action=install, file=/apks/whatever.apk. If, for instance, I want to do something more complex on certain devices, I add: id = all, action=script, file=/apks/whatever.sh. I write the script, then all phones check for updates on this check.php every 5 minutes; if they find a script, they'll download and execute it. If it's an APK, they'll download and install it. If I insert a line with deviceID=[deviceid], action=tunnel, file=[PORT NUMBER], then the phone will SSH into a remote server and do a reverse port forward on [PORT NUMBER]. Then I can just SSH into localhost:[PORT NUMBER] on the server, and I'll have a terminal inside the phone to do whatever I need.
This doesn't address the restrictions issue, but it does allow you to control the phones however you want.
Regards,
Almafuerte.

[app] Phoenix Mysql Client V2.0

hello all,
recently, 2-3 days ago, I re-developed the application
and uploaded the update to the market.
basically it's a MySQL client,
DIRECTLY allows you to connect to a MySQL server and perform SQL queries, insert, delete, select,... and list the tables, views and sprocs.
with the great result viewer (grid) you can view results in a stylish way.
Change log
** Enhanced securing the stored connection info (better encryption)
** Data can't be decrypted except on the very same device.
** Added new permission (get phone state and identity) needed for the point above!
1- Save old connections with better management (no duplications now, long press to delete).
2- Enhanced the resultset viewer USER CAN DELETE ROW NOW! (delete button added).
3- Better exceptions handling (i hope).
4- Better connection handling and stability (i hope).
5- Better Screen design for execute SQL.
6- Added loading (progress-bar) to almost every remote-action.
7- Removed Ads.
I will be glad to get feedback or bug reports here
Market:
https://market.android.com/details?id=com.yazan.msc&feature=search_result
thanks
nobody likes it!!?
Nice, thanks OP, I'm actually taking a MySQL course at school and this'll allow me to mess with MySQL on the go.
Sent from my MB855 using XDA App
Would really like to use it, but...
stinger1 said:
hello all,
recently, 2-3 days ago, I re-developed the application
and uploaded the update to the market.
basically it's a MySQL client,
...
I will be glad to get feedback or bug reports here
thanks
Hi
When I enter the details for a connection and then try to "connect", a popup saying "Please wait..... Connecting..." is displayed forever. I'm quite sure that the connection information is correct because I receive an error message otherwise. Problems are:
1. I cannot connect to my MySQL server.
2. I cannot cancel the connect or even the app. I have to go to the apps overview and "kill" the app.
I'm using a Motorola Xoom (Wifi only, MZ604) with Android 3.2 and the MySQL server is on a virtual server (vServer) located at some remote site.
Would be great if that could be fixed some day...
Greetings from Germany.
emmi59 said:
Hi
When I enter the details for a connection and then try to "connect", a popup saying "Please wait..... Connecting..." is displayed forever. I'm quite sure that the connection information is correct because I receive an error message otherwise. Problems are:
1. I cannot connect to my MySQL server.
2. I cannot cancel the connect or even the app. I have to go to the apps overview and "kill" the app.
I'm using a Motorola Xoom (Wifi only, MZ604) with Android 3.2 and the MySQL server is on a virtual server (vServer) located at some remote site.
Would be great if that could be fixed some day...
Greetings from Germany.
hello,
the connection dialog has a timeout of 30 seconds, so if you wait 30 seconds it will stop trying to connect,
but I think I have to make that dialog "cancelable" so you can hit back and cancel the connection (good to keep that option too).
on the other hand, make sure you have enabled remote connections to your MySQL server, and add/allow the IP you are trying to connect from, so the MySQL server allows it.
thank you.
Ok, but...
stinger1 said:
hello,
the connection dialog has a timeout of 30 seconds, so if you wait 30 seconds it will stop trying to connect,
but I think I have to make that dialog "cancelable" so you can hit back and cancel the connection (good to keep that option too).
on the other hand, make sure you have enabled remote connections to your MySQL server, and add/allow the IP you are trying to connect from, so the MySQL server allows it.
thank you.
Thanx for the quick response. Here are my answers to your points:
1. I have been waiting VERY much longer than 30 seconds (several minutes), but the connection dialog never stopped.
2. I have allowed connections to my MySQL server from ALL hosts (%), so there is no need to allow access on an IP address basis. The IP address is unknown anyway when I'm using a mobile device, or is it? Anyway, it would be impracticable to add the dynamically provided IP address to the MySQL server configuration every time, especially when you have no access to the MySQL server since the client cannot connect...
(I have tried another MySQL client for Android, but this thing crashes every time it tries to connect to the MySQL server...)
Tell me if I can be of any help in the investigation of this connection problem. I'd really like to use your app to manage my server with my tablet.
Regards
Emmi
emmi59 said:
Thanx for the quick response. Here are my answers to your points:
1. I have been waiting VERY much longer than 30 seconds (several minutes), but the connection dialog never stopped.
2. I have allowed connections to my MySQL server from ALL hosts (%), so there is no need to allow access on an IP address basis. The IP address is unknown anyway when I'm using a mobile device, or is it? Anyway, it would be impracticable to add the dynamically provided IP address to the MySQL server configuration every time, especially when you have no access to the MySQL server since the client cannot connect...
(I have tried another MySQL client for Android, but this thing crashes every time it tries to connect to the MySQL server...)
Tell me if I can be of any help in the investigation of this connection problem. I'd really like to use your app to manage my server with my tablet.
Regards
Emmi
yes, using % will allow all,
but it's not secure.. anyway, in the case of a dynamic IP it can be used.
-side note- you can find your current real IP if you visit http://www.whatismyip.com/
from your mobile browser.
*** regarding the application:
- are you able to log in using a desktop client, like Navicat or MysqlTools?
- if you can get a logcat from your device while trying to connect, that would be great; I think it will be useful.
-one more thing: if you can try it from a mobile, not a tablet, since tablet support was added recently and I could not test it (no tablets around).
** one last thing:
if all that did not work, you may create a user with very simple privileges,
and pass me (private message) the login info (IP, username, password), and I will try to connect with the app using my HTC Desire.
Thanks & best regards.
I can log in and access the server using Navicat.
Do you know an app to get a logcat?
Unfortunately I have no Android phone available.
I'll send you login info via PM.
I've found the following errors in logcat (using catlog ;-)):
01-16 22:18:46.530 E/dalvikvm(4300): Could not find class 'javax.naming.StringRefAddr', referenced from method com.mysql.jdbc.ConnectionPropertiesImpl$ConnectionProperty.storeTo
01-16 22:18:46.530 W/dalvikvm(4300): VFY: unable to resolve new-instance 525 (Ljavax/naming/StringRefAddr in Lcom/mysql/jdbc/ConnectionPropertiesImpl$ConnectionProperty;
May be you can take this as a start...
emmi59 said:
I've found the following errors in logcat (using catlog ;-)):
01-16 22:18:46.530 E/dalvikvm(4300): Could not find class 'javax.naming.StringRefAddr', referenced from method com.mysql.jdbc.ConnectionPropertiesImpl$ConnectionProperty.storeTo
01-16 22:18:46.530 W/dalvikvm(4300): VFY: unable to resolve new-instance 525 (Ljavax/naming/StringRefAddr in Lcom/mysql/jdbc/ConnectionPropertiesImpl$ConnectionProperty;
May be you can take this as a start...
I've tried and I confirm the application was not able to connect to your server.
also I found that error log when I try to connect only to your server..
I think it's related to the host name being converted to an IP address reference ...
it looks to be a bug in the driver I am using (I've googled it)
I am working on a fix or workaround for now ...
thanks again.
how is it done...
hi stinger1..
I recently started using your Phoenix MySQL client ...
my question is how does your app connect to the MySQL server...
is there a middleware web service that connects to the database or
does the app directly connect to the database... if yes.. how?...
I mean using what....
how did you use the JDBC drivers...

How to Access/Control PC from Android free and Without a Static IP!!!

The following is a 3-step process for gaining remote access to your PC via your Android phone's data connection for FREE and without a static IP.
IT USES YOUR DATA PLAN, SO MAKE SURE YOU HAVE AN UNLIMITED DATA PLAN OR YOU'LL BE SAD!!!
It allows you to control and view your PC by accessing Windows Remote Desktop using Pocket Cloud on your Android. I used this method on my T-Mobile Samsung Vibrant and am now using it on my HTC Amaze. Currently, I have only tested this using Windows XP. I HAVE NOT TRIED IT ON WINDOWS 7. Someone smarter than I can tweak the process for Windows 7 and Mac OS. Please feel free.
I put this little solution together from some forums I found scattered all over the internet. When I needed it, I couldn't find the complete solution in one place, so I consolidated it for you here. The VB script in particular is not my original work and I can't remember where I got it for the life of me, so my apologies to the author for not properly citing it here. PLEASE NOTE THAT I AM ONLY POSTING THE METHOD I USED. USE IT AT YOUR OWN RISK!
Now…down to business!!!!!
Here is how it works:
Your PC automatically accesses a website to gather your WAN IP information and sends an "email-to-text message" to your Android on a schedule of your choice. This ensures that you always have access to your current WAN IP address. This is important; DSL providers change your WAN IP address as much as 10 times/day, whereas cable internet providers only do it about once/month.
You then use this information to configure Pocket Cloud (available for free on the Android Market) to connect to your home router/PC. Using the current WAN IP as the "host address" in Pocket Cloud, you can connect, control, and view your PC remotely over your Android's data connection.
Requirements:
In order for the connection to work, the following must be done before you start the steps. Don't worry, these are all easy.
· Your PC must be powered on with an internet connection (obviously)
· Windows XP must have a Windows logon password set (assuming you are not on a home network with an actual server).
NOTE
If you have a modem connected directly with no router, you are all set. Skip the next bullet.
· Your router must be set to forward "remote desktop" activity (port 3389) to the PC to which you'd like to connect; make sure the router doesn't block the remote desktop application (see your router manual).
· Make sure your internet security software (see your software manual) and Windows XP ("my computer" properties under the "remote" tab) allow remote access to your PC.
STEP 1. Tweak the RED ITALIC TEXT ONLY of the VB Script (attached at the bottom) by creating a new "Note Pad" file, pasting it into "Note Pad", and saving the file as "EmailIP.vbs".
NOTE
You can test your script by double clicking the .vbs file you just created. If you then get a text message with your IP address in it, you are good to go. The text message should only take a few minutes to arrive.
STEP 2. Schedule the script to run at any interval you'd like by browsing to it from within Windows Task Scheduler. This is under Start>All Programs>Accessories>System Tools>Scheduled Tasks. If you need help with Task Scheduler, Google it.
NOTE
The task should be scheduled more frequently for those using a DSL home internet provider. I set mine for every 2 hours as I use DSL at home. Cable internet can be scheduled to run much less often.
STEP 3. Install and configure Pocket Cloud RDP free from Android Market, using the IP just texted to your Android and your Windows logon information.
· Create a new connection in Pocket Cloud.
· Enter a nickname of your choice into the "Nick Name" field.
· Enter the WAN IP which was just texted to your phone into the "Host Address" field.
· Enter your Windows logon user name and password into the "User Name" and "Password" fields.
· Leave everything else alone!
· Scroll to the bottom and hit "Save."
· Tap the connection and you should be connected to your PC within seconds.
Cheers!
I use MyPhoneExplorer, very easy and noob-proof
i use teamviewer for this...
teamviewer does not require u to have static WAN ip...
the only thing u need is teamviewer account which is free...
I have create a vpn and get the static ip from no-ip.org
Thread moved. Would advise you to read forum rules and post in correct section.
enox2604 said:
I have create a vpn and get the static ip from no-ip.org
Good choice, however, no-ip and TeamViewer both require that a 3rd party have certain terminal info or it pings the server periodically. This solution keeps third parties out of the equation with the exception of collecting your own IP from an outside URL. Again, someone much smarter than I would be able to write a script that collects your WAN IP from the CMD prompt or something native to the OS rather than a URL. If you know how, please do and post it here.
orb3000 said:
Thread moved. Would advise you to read forum rules and post in correct section.
My Apologies. I did read them and didn't see a good fit anywhere as this is neither an App nor a game. It will take me some time to figure out where threads should be posted. Thanks for your patience.

Framework discussion

Hi all,
As part of a class I'm doing, we are required to post some content to a forum to engage in discussion on security:
Cross Site Scripting (XSS)
OWASP describes Cross Site Scripting (XSS) as where a website has been marked as a trusted website which, for some reason, can run malicious code or scripts through inputs such as forms. As the end user's browser sees this site as trusted, it allows the malicious script or code to execute, which can give access to client-side information before it is encrypted (such as usernames, passwords, session IDs, cookies, etc.).
In PHP for example, in a normal input box where a user would enter their name, they would be able to enter the following:
When PHP prints this back out after submission, it will execute the script between the script tags (in this case, just a simple popup).
In this scenario, this can be solved by wrapping the input value with htmlentities:
This would print any script as literal text rather than executing it.
In Java,
XSS is still a major issue, both due to some sites not implementing simple workarounds such as htmlentities or htmlspecialchars, or for reasons where these can't be used. XSS affects PHP applications by as much as 86%; it's PHP's biggest vulnerability.
In Java, the easiest method is to simply validate inputs and to encode special characters (<>[email protected]#$%^&*). Alternatively, OWASP has an XSS class which includes easy methods to best prevent certain types of XSS.
Code Injection
Code injection is where, using the site's scripting language, you can inject (rather, have the site pull) code from somewhere else.
For example, php can call one of its own pages like so:
however, if we replace the contact.php page with an externally hosted script:
This will cause the end user to execute that script. This all comes down to PHP validation which is coded within the PHP to ensure only valid responses are accepted.
This is unlike command injection. Command injection is an attack which is designed to execute commands on the PHP hosted system (server). This can be done where most parameters are passed (headers, input boxes, etc) and will typically display any output on the returned webpage.
For example, to return a password for a certain user, you could use a command like:
Typically, to prevent such commands from executing, a whitelist of commands can be made, whereby only those listed are allowed to be executed on the server. Alternatively, where the application needs to invoke system-side commands, it is recommended to do this through local Python scripts rather than PHP calling the commands.
CRLF injection
CRLF injection comes from the elements CR (Carriage Return) and LF (Line Feed); together (CRLF) this denotes a new line (done simply by pressing the enter button). If a website, for example, allows you to upload a file, an attacker may name this file as follows:
This would result in a system command being carried out to delete everything in the /bin folder.
It also allows an attacker to write to the log file by creating their own new line. If the logs are configured in such a way that they will email out any WARNINGS or ERRORS, an attacker may add these to a new log line repetitively, backing up the email and bandwidth.
The simple way around this is for Java to sanitise any input strings, either through substituting known commands, or through methods such as
SQL Injection
.NET SQL Injection allows an authorised SQL command to be sent to the SQL server and executed.
An SQL string may be built using inputs from a form. A possible example of this is:
Code:
SELECT email, passwd, login_id, full_name FROM members WHERE email = 'formemail';
where the red is the text from an input field.
However, we can modify this string which can allow some malicious stuff to happen:
Code:
SELECT email, passwd, login_id, full_name FROM members WHERE email = 'formemail'; DROP DATABASE members --';
Adding the red text to the email input box would allow us to delete the whole table, or alternatively insert a new record into a table, or possibly delete records, modify records (change passwords), or even delete whole tables.
To prevent this, you can limit the damage an SQL injection can do by using proper database permissions (deleting records, tables, etc.), and also use good sanitisation: look for -- or ; in any field and invalidate the data if it has these characters.
Directory Traversal
Directory traversal can also be referred to as a “dot dot slash” attack.
In php, a resource (page) can be called as follows:
However, it may be possible to get other files, not even part of the web directory using the following examples:
The easiest way to prevent this is to assign proper permissions on the server itself. However, many web developers do not own the server; therefore, another layer of protection is to fully qualify the file path, with the root being where the webpage sits.
Connection String Injection
Also known as connection string pollution, it is possible for an attacker to inject parameters into a connection string to a database. Typically a connection string is built by delimiting each value with a comma. In an injection attack, strings can be built using semicolons as a delimiter.
A typical connection string to a windows SQL server may look like the following:
Code:
Data source = SQL2005; initial catalog = db1; integrated security=no; user id=+’User_Value’+; Password=+’Password_Value’+;
However, if an attacker places a rogue Windows SQL server on the internet, and then uses a connection string as follows:
Code:
Data source = SQL2005; initial catalog = db1; integrated security=no; user id=;Data Source=Rogue Server; Password=; Integrated Security=true;
This allows the target Windows SQL server to connect to the rogue server using its own Windows credentials, exposing much data.
Backdoors
Backdoors can be common within applications and web applications and can occur across many types of frameworks; however, it's the security around the knowledge of backdoors, and what they allow, which can be of concern. All modems, routers and some managed network infrastructure have administrator usernames and passwords. However, sometimes the network vendor (Cisco, Netgear, etc.) or ISP may choose to put backdoor access onto these devices. This may be in case a user forgets their administrator credentials, for automatic firmware updates, or for remote troubleshooting. Some of these backdoors may allow for more settings than what is normally shown to an end user.
For example, some older Optus-supplied modems had the hidden user Admin and a password of Y3S0ptus. This was standard across thousands of supplied modems. The problem was, the end user had no way of changing the default setting for remote web access from Enabled to Disabled, which meant anyone that knew their IP address or domain name could now remotely access their modem router, add port redirects, and connect to devices within their LAN.
In the case of ISP-provided modems, it might be safer to simply buy something else, not supplied by the ISP.
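The directory traversal section above recommends fully qualifying the requested file path and treating the web root as the boundary. The Python below is an added example (not code from the post) of that check run over constructed request values; `WEB_ROOT` and the entries in `SAMPLE_REQUESTS` are assumed values, and nothing is read from disk.

```python
import os
from urllib.parse import unquote

# Constructed example web root, standing in for the post's "root being where the
# webpage sits". Only the path arithmetic is exercised; no file is opened.
WEB_ROOT = "/var/www/site"

# Constructed sample request values, of the kind a page=... parameter might carry.
SAMPLE_REQUESTS = [
    "pages/contact.php",                    # legitimate page under the web root
    "../../etc/passwd",                     # the classic "dot dot slash"
    "%2e%2e%2f%2e%2e%2fetc%2fpasswd",       # same thing, URL-encoded
    "/etc/passwd",                          # absolute path that would replace the root
    "pages/../../../etc/shadow",            # starts inside the root, climbs out
    "pages/contact.php%00.jpg",             # null byte aimed at extension checks
]


def resolve_under_root(web_root, requested):
    """Fully qualify `requested` and return it only if it stays inside `web_root`.

    Returns None for anything that escapes the root, so a caller never opens a
    file whose real location it has not verified.
    """
    # Decode once, so an encoded "%2e%2e" cannot slip past a literal ".." check.
    decoded = unquote(requested)
    # A null byte has no place in a file name; C-based file APIs truncate at it.
    if "\x00" in decoded:
        return None
    root = os.path.abspath(web_root)
    # join() discards `root` when `decoded` is absolute, and abspath() collapses
    # every ".."; both escapes are caught by the containment test below.
    candidate = os.path.abspath(os.path.join(root, decoded))
    try:
        contained = os.path.commonpath([root, candidate]) == root
    except ValueError:          # different drives on Windows: cannot be inside
        return None
    return candidate if contained else None


def classify(requests, web_root=WEB_ROOT):
    """Label each request 'allowed' or 'blocked'; useful when reviewing access logs."""
    return {r: ("allowed" if resolve_under_root(web_root, r) else "blocked")
            for r in requests}


if __name__ == "__main__":
    for request, verdict in classify(SAMPLE_REQUESTS).items():
        print(f"{verdict:7s} {request}")
```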
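The SQL injection section above builds the query by splicing the form value into the SQL text. As an added example (not code from the post), the Python below puts that pattern beside a parameterised query over a constructed in-memory `members` table; the rows and the injected value `INJECTED_EMAIL` are constructed, and the injected value contains neither `--` nor `;`, so the post's token check is shown alongside for comparison.

```python
import sqlite3

# Constructed injected form value. It needs no second statement (sqlite3 runs one
# statement per execute call) and contains neither "--" nor ";".
INJECTED_EMAIL = "' OR '1'='1"


def build_members_db():
    """Build an in-memory stand-in for the post's `members` table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (email TEXT, passwd TEXT, login_id TEXT, full_name TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?, ?, ?)",
        [("alice@example.com", "hash-a", "alice", "Alice Example"),
         ("bob@example.com", "hash-b", "bob", "Bob Example")],
    )
    return conn


def lookup_concatenated(conn, form_email):
    """The post's pattern: the form value is spliced into the SQL text. Vulnerable."""
    sql = ("SELECT email, passwd, login_id, full_name FROM members "
           "WHERE email = '" + form_email + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, form_email):
    """Hardened form: the value is bound as a parameter and is only ever data."""
    sql = "SELECT email, passwd, login_id, full_name FROM members WHERE email = ?"
    return conn.execute(sql, (form_email,)).fetchall()


def flags_dangerous_tokens(value):
    """The post's suggested check: flag input containing '--' or ';'."""
    return any(token in value for token in ("--", ";"))


if __name__ == "__main__":
    conn = build_members_db()
    print("concatenated, injected:", lookup_concatenated(conn, INJECTED_EMAIL))
    print("parameterized, injected:", lookup_parameterized(conn, INJECTED_EMAIL))
    print("token filter fires:", flags_dangerous_tokens(INJECTED_EMAIL))
```

With the concatenated query the injected value returns every row in the table, while the parameterised query returns none.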

Can I create ICANN internet domains in Ubuntu or Windows?

Hello World! : D.
Can I create Internet domains in Ubuntu or Windows? Or can they only be obtained for free or by paying a domain registrar?
So that any external user can access it through the browser's search bar without modifying the hosts file, without previous steps for the one who is going to visit my URL?
Apache created me a domain that can only be accessed by configuring the hosts file on the second PC. And as I read about Bind9, you need the same configuration. With the IP I have been able to access from any external IP by typing it in the search bar and it shows me the Apache page perfectly without configuring anything on the client.
Now, I would like the same but without the IP, without paying for a domain, without free domains (No-ip...), and without matching the two machines. It would only be to create my own internet domain on my PC so that anyone can access it without doing more than typing the URL in the browser.
I have Ubuntu 18.04 LTS. If possible, however you can tell me, I will go there to look.
Thanks for your attention.