[Q] Oracle Database App - Eee Pad Transformer Q&A, Help & Troubleshooting

Looking for a good Oracle 10g or 11g integrated app that will run on a tablet. I have looked at the ones on the marketplace but found none that will run the database or allow you to create scripts for testing and updating the database.

Running Oracle Database on a tablet would be terrible. Oracle Database 11g on Windows requires a minimum of 1 gigabyte of RAM just to even open the application, and several gigabytes of hard drive space. Considering that the Transformer typically only has around 300 megabytes of memory free after loading up the OS and all background services, it's highly unlikely that you'd be able to do much with any sort of DBA app before it would bog your system down to the point of being unusable.
Use RDP, VNC, or SSH to take control of an actual workstation to do your work.

New Oracle Database Utility: TyphoonDBMS 1.0 Beta (Free)
humanporkrind said:
Looking for a good Oracle 10g or 11g integrated app that will run on a tablet. I have looked at the ones on the marketplace but found none that will run the database or allow you to create scripts for testing and updating the database.
TyphoonDBMS is a complex and efficient Java-based software (free) solution that enables users to easily access and manage tables on Oracle Database Servers.
Typhoon is a comprehensive and reliable application that was developed to assist users in managing the contents of Oracle databases, enabling them to add, edit or remove tables without needing to resort to SQL statements to get the job done.
To gain access to the utility, users first need to create an account using a preferred set of credentials, which they will then be required to enter every time they wish to work with Typhoon.
The program allows users to connect to a local or cloud server by providing the necessary information, including name, version, driver and service ID. Users can also input the network details, specifically the host and port number, along with the username and password, or even the database URL. Prior to saving the configuration, users can test the connection to make sure everything is in order.
Once users connect to the Oracle database, Typhoon allows them to view its contents, namely the tables it comprises. Users can browse through them, select a record and update it. Similarly, they can add a new one, as the tool enables them to ‘Insert Number Data’, ‘Insert Blob Data’, ‘Insert Clob Data’, ‘Insert String Data’ or ‘Insert Date Data’.
Moreover, users can create a new table by defining the number of columns they need, assigning it a name, then filling out the columns and rows with the information they wish it to store. All of this can be done without having to resort to SQL statements or commands. Other options include the ability to drop tables from the database.
This Java-based utility also offers users a series of SQL ‘Syntax References’ (statements and functions), which they can analyze in detail to learn how to better work with them, and then use for their own purposes.
Download & Blog
typhoondbms.wordpress.com/download/
download.cnet.com/Typhoon-DBMS/3000-10254_4-76273374.html
softpedia.com/get/Internet/Servers/Database-Utils/Typhoon.shtml

Related

[Q] What Android database apps exist?

I currently use a WinMo phone but might move over to Android. I have several large databases (1200+ records) so I use Handbase. I was wondering what database apps exist for Android. From what I'm told the iPhone version of Handbase is rubbish, is the Android version any good?
I've had a quick google search and didn't find anything and it looks like I can only search Android market via an Android phone which I don't own yet.
What I need from a database is to be able to import my existing databases (probably as a .csv file) then easily filter the records. The simplest and best database program I've ever used was on my Psion 5; HanDBase (WinMo) is a close second. Other than HanDBase, are there any other decent database apps out there, and is Android HanDBase any good?
I don't know of a good database app, but you can browse the market with Cyrket:
http://www.cyrket.com/search?q=database&market=android&sort=
There you also see HanDBase and others
Or search with Appbrain's website.. http://www.appbrain.com/
That was quick, I'm at work and a bit busy to have a proper look at the links, I'll look later.
Thanks for the quick replies.
Just to be clear, are you looking for an app that can read your current database files? Or just any database application (do you have any requirements, e.g. GUI, SQL console, RDBMS transactionality)? For example, are you looking for "a database" in the same way that MS Access is "a database" (hint: it isn't; it's just a GUI) or "a database" in the way MySQL is?
Android has binaries for SQLite built in and searching for sqlite in appbrain should give you a number of front-ends for that.
Bouncypete said:
What I need from a database is to be able to import my existing databases (probably as a .csv file) then easily filter the records.
I'm developing this kind of application, but I've just started on it.
Here it is
SQLator beta 0.1
Hope that gives me more feedback.
HouWWari.

connecting to oracle or ODBC drivers

Hi developers, was just wondering if anybody could have used, say, a Note 2 to connect to an Oracle database and run a couple of queries. Is this possible or has it been overlooked? Thanks
Never used it like that, I am sorry.
New Oracle Database Utility: TyphoonDBMS 1.0 Beta (Free) for You
danrweki said:
Hi developers, was just wondering if anybody could have used, say, a Note 2 to connect to an Oracle database and run a couple of queries. Is this possible or has it been overlooked? Thanks
TyphoonDBMS is a complex and efficient Java-based software (free) solution that enables users to easily access and manage tables on Oracle Database Servers.
Typhoon is a comprehensive and reliable application that was developed to assist users in managing the contents of Oracle databases, enabling them to add, edit or remove tables without needing to resort to SQL statements to get the job done.
To gain access to the utility, users first need to create an account using a preferred set of credentials, which they will then be required to enter every time they wish to work with Typhoon.
The program allows users to connect to a local or cloud server by providing the necessary information, including name, version, driver and service ID. Users can also input the network details, specifically the host and port number, along with the username and password, or even the database URL. Prior to saving the configuration, users can test the connection to make sure everything is in order.
Once users connect to the Oracle database, Typhoon allows them to view its contents, namely the tables it comprises. Users can browse through them, select a record and update it. Similarly, they can add a new one, as the tool enables them to ‘Insert Number Data’, ‘Insert Blob Data’, ‘Insert Clob Data’, ‘Insert String Data’ or ‘Insert Date Data’.
Moreover, users can create a new table by defining the number of columns they need, assigning it a name, then filling out the columns and rows with the information they wish it to store. All of this can be done without having to resort to SQL statements or commands. Other options include the ability to drop tables from the database.
This Java-based utility also offers users a series of SQL ‘Syntax References’ (statements and functions), which they can analyze in detail to learn how to better work with them, and then use for their own purposes.
Download & Blog:
typhoondbms.wordpress.com/download/
download.cnet.com/Typhoon-DBMS/3000-10254_4-76273374.html
softpedia.com/get/Internet/Servers/Database-Utils/Typhoon.shtml

Trident Encoder : Encryption for Windows RT

I implemented a browser based encryption solution which runs on Windows RT (and many other Windows computers). All I wrote was the HTML page, I am leveraging Crypto.JS javascript library for encryption algorithm. I am using the HTML 5 File API implementation which Microsoft provides for reading and writing files.
I make no claim on this, but it seems to work well for me. Feel free to give feedback if you have any suggestions. The crypto.js library supports many different algorithms and configurations, so feel free to modify it for your own purposes.
You can download the zip file to your Surface, extract it and load the TridentEncode.htm file into Internet Explorer.
If you want to save to a custom directory you probably need to load it from the desktop IE instead of Metro IE (to get the file save dialog). I usually drag and drop the file onto desktop IE and from there I can make a favorite. This should work in all IE 11 and probably IE 10 browsers... if you use other browsers you may need to copy and paste into the fields, since the File API implementation seems rather browser specific. Running the HTML page from the local filesystem means that there is no man-in-the-middle, which helps eliminate some of the vulnerabilities of using a JavaScript crypto implementation. You could also copy the attached zip file to your SkyDrive to decrypt your files from other computers.
Skydrive files in theory are secure (unless they are shared to public) so this might be useful for adding another layer of protection to certain info.
Again, use at your own risk, but feel free to play around and test it, and offer any suggestions or critiques of its soundness, or just use it as a template for your own apps.
Ok... this is really cool! Nice idea, and a good first implementation.
With that said, I have a few comments (from a security perspective). As an aside, minimized JS is the devil and should be annihilated with extreme prejudice (where not actually being used in a bandwidth-sensitive context). Reviewing this thing took way too long...
1) Your random number generation is extremely weak. Math.random() in JS (or any other language I'm aware of, for that matter) is not suitable for use in cryptographic operations. I recommend reading http://stackoverflow.com/questions/4083204/secure-random-numbers-in-javascript for suggestions. The answer by user ZeroG (bottom one, with three votes, as of this writing) gets my recommendation. Unfortunately, the only really good options require IE11 (or a recent, non-IE browser) so RT8.0 users are SOL.
NOTE: For the particular case in question here (where the only place I can see that random numbers are needed is the salt for the key derivation), a weak PRNG is not a critical failing so long as the attacker does not know, before the attack, what time the function is called at. If they do know, they can pre-compute the likely keys and possibly succeed in a dictionary attack faster than if they were able to generate every key only after accessing the encrypted file.
2) Similarly, I really recommend not using a third-party crypto lib, if possible; window.crypto (or window.msCrypto, for IE11) will provide operations that are both faster and *much* better reviewed. In theory, using a JS library means anybody who wants to can review the code; in practice, the vast majority of people are unqualified to either write or review crypto implementations, and it's very easy for weaknesses to creep in through subtle errors.
3) The default key derivation function (as used for CryptoJS.AES.encrypt({string}, {string})) is a single iteration of MD5 with a 64-bit salt. This is very fast, but that is actually a downside here; an attacker can extremely quickly derive different keys to attempt a dictionary attack (a type of brute-force attack where commonly used passwords are attempted; in practice, people choose fairly predictable passwords so such attacks often succeed quickly). Dictionary attacks can be made vastly more difficult if the key derivation process is made more computationally expensive. While this may not matter so much for large files (where the time to perform the decryption will dominate the total time required for the attack), it could matter very much for small ones. The typical approach here is to use a function such as PBKDF2 (Password-Based Key Derivation Function) with a large number of iterations (in native code, values of 20000-50000 are not uncommon; tune this value to avoid an undesirably long delay) although other "slow" KDFs exist.
4) There's no mechanism in place to determine whether or not the file was tampered with. It is often possible to modify encrypted data, without knowing the exact contents, in such a way that the data decrypts "successfully" but to the wrong output. In some cases, an attacker can even control enough of the output to achieve some goal, such as compromising a program that parses the file. While the use of PKCS7 padding usually makes naïve tampering detectable (because the padding bytes will be incorrect), it is not a safe guarantee. For example, a message of 7 bytes (or 15 or 23 or 31 or any other multiple of 8 + 7) will have only 1 byte of padding; thus there is about a 0.4% (1 / 256) chance that even a random change to the ciphertext will produce a valid padding. To combat this, use an HMAC (Hash-based Message Authentication Code) and verify it before attempting decryption. Without knowing the key, the attacker will be unable to correct the HMAC after modifying the ciphertext. See http://en.wikipedia.org/wiki/HMAC
5) The same problem as 4, but from a different angle: there's no way to be sure that the correct key was entered. In the case of an incorrect key, the plaintext will almost certainly be wrong... but it is possible that the padding byte(s) will be correct anyhow. With a binary file, it may not be possible to distinguish a correct decryption from an incorrect one. The solution (an HMAC) is the same, as the odds of an HMAC collision (especially if a good hash function is used) are infinitesimal.
6) Passwords are relatively weak and often easily guessed. Keyfiles (binary keys generated from cryptographically strong random number generators and stored in a file - possibly on a flashdrive - rather than in your head) are more secure, assuming you can generate them. It is even possible to encrypt the keyfile itself with a password, which is a form of two-factor authentication: to decrypt the data that an attacker wants to get at, they need the keyfile (a thing you have) and its password (a thing you know). Adding support for loading and using keyfiles, and possibly generating them too, would be a good feature.
The solutions to 3-5 will break backward compatibility, and will also break compatibility with the default parameters for openssl's "enc" operation. This is not a bad thing; backward compatibility can be maintained by either keeping the old version around or adding a decrypt-version selector, and openssl's defaults for many things are bad (it is possible, and wise, to override the defaults with more secure options). For forward compatibility, some version metadata could be prepended to the ciphertext (or appended to the file name, perhaps as an additional extension) to allow you to make changes in the future, and allow the encryption software to select the correct algorithms and parameters for a given file automatically.
Wow thanks GDTD that's great feedback
Not sure about his minified sources, the unminified aes.js in components is smaller than the minified version (which I am using) in rollups. I'll have to look into what his process for 'rollup' is to see if I can derive a functional set of non-minified script includes. If I can do that it would be easier to replace (what I would guess is) his reliance on Math.random.
His source here mirrors the unminified files in components folder : https://code.google.com/p/crypto-js/source/browse/tags/3.1.2/src
msCrypto that would be great, I had no idea that was in there. I found a few (Microsoft) samples so I will have to test them out and see if I can completely substitute that for crypto.js. Would be more keeping in line with the name I came up with.
Currently this version only works for text files, I am using the FileAPI method reader.readAsText(). I have been trying to devise a solution for binary files utilizing reader.readAsArrayBuffer but as yet I haven't been able to convert or pass this to crypto.js. I will need to experiment more with base64 or other interim buffer formats (which Crypto.js or msCrypto can work with) until I can get a better understanding of it.
Metadata is a great idea, maybe i can accommodate that with a hex encoded interim format.
You seem extremely knowledgeable in the area of encryption; hopefully I can refine the approach to address some of the issues you raised by setting up proper key, salt, and IV configuration... I'm sure I will understand more of your post as I progress (and after reading it about 20 times more as a reference).
Too bad we don't have a web server for RT; that would at least open up localStorage for JSON serialization (mostly for other apps I had in mind). I guess they might not allow that in the app store though. Could probably run one on a developer's license though (renewed every 1-2 months)?
nazoraios said:
Too bad we don't have a web server for RT; that would at least open up localStorage for JSON serialization (mostly for other apps I had in mind). I guess they might not allow that in the app store though. Could probably run one on a developer's license though (renewed every 1-2 months)?
I can't comment too much on the encryption; GoodDayToDie has covered anything I could contribute and more. But there is a functioning web server on RT. Apache 2.0 was ported: http://forum.xda-developers.com/showthread.php?t=2408106 I don't know if everything is working on it; I don't own an RT device, and last time I tried I couldn't get Apache to run on 64-bit Windows 8 anyway (needed it at uni, spent hours going through troubleshooting guides and it never worked on my laptop, gave up and ran it under Linux in VirtualBox where it took 2 minutes to have it functioning the way I needed it to).
Curious about the performance. Speaking of encryption, 7-Zip has it built in, and from the discussion on StackExchange, it seems pretty good.
One of the neat things about this thing (local web app? Pseudo-HTA (HTml Application)? Not sure if there's a proper name for such things) is that it runs just fine even on non-jailbroken devices. That's a significant advantage, at least for now.
Running a web server should be easy enough. I wrote one for WP8 (which has a subset of the allowed APIs for WinRT) and while the app *I* use it in won't be allowed in the store, other developers have taken the HTTP server component (I open-sourced it) and packaged it in other apps which have been allowed just fine. With that said, there are of course already file crypto utilities in the store anyhow... but they're "Modern" apps so you might want to develop such a server anyhow so you can use it from a desktop web browser instead.
Web cryptography (window.crypto / window.msCrypto) is brand new; it's not even close to standardization yet. I'm actually kind of shocked MS implemented it already, even if they put it in a different name. It's pretty great, though; for a long time, things like secure random numbers have required plugins (Flash/Java/Silverlight/whatever). Still, bear in mind that (as it's still far from standardized), the API might change over time.
Yep, I think of them as Trident apps since trident is what Microsoft calls their IE rendering engine, but I guess they are sort of offline web apps (which come from null domain). Being from null domain you are not allowed to use localstorage which is domain specific. You also are not allowed to make ajax requests. You just have file api and json object serialization to make do with I/O.
Another app I am working on is a kind of Fiddler app similar to http://jsfiddle.net/ where you can sandbox some simple script programs.
Kind of turning an RT device into a modern/retro version of a commodore 64 or other on-device development environments. Instead of basic interpreter you've got your html markup and script.
I have an attached demo version which makes available jquery, jquery-ui, alertify javascript libraries in a sandbox environment that you can save as .prg files.
I put a few sample programs in the samples subfolder. Some of the animation samples (like solar system) set up timers which may persist even after cleared so you might need to reload the page to clear those.
It takes a while to extract (lots of little files for all the libraries) but once it extracts you can run the html page and I included a sample program 'Demo Fiddle.prg' you can load and run to get an idea.
I added syntax highlighting editors (EditArea) which seem to work OK and let you zoom each editor full screen.
The idea would be to take the best third-party JavaScript libraries and make them available, and even make shortcuts or a minimal API to make it easier to use them: common global variables, global helper methods, IDE manipulation. I'd like to include jqplot for charting graphs, maybe for mathematical programs, and provide an API for users to do their own I/O within the environment.
These are just rough initial demos, and obviously open source, so if anyone wants to take the ideas and run with them I'd be interested in seeing what others do. Otherwise I will slowly evolve the demos and release when there are significant changes.

Encrypted Notes App Cross Platform

Looking for a note-taking app that encrypts its contents but with cross-platform access (e.g. Linux or Windows).
It can either have clients for Android, Linux and Windows or it just encrypts notes and saves them as text files which can be read easily on other platforms.
Any suggestions?
Hmm, I still have this problem myself as I hate putting personal data online.
I've been searching for a simple solution for quite some time and yet nothing optimal has arisen.
I have 2 approaches to this problem:
1 The simple way:
Use a cross-platform password manager which has the ability to store notes, like:
StickyPassword, SafeInCloud, etc ...
Do this if you can trust them and believe their claims.... :laugh:
2 The hard(core) / paranoid / scratch your head with your foot way:
a) Find an Android note-taking app that saves regular text files, e.g. Jota
b) Use GnuPG (PGP) on your desktop and OpenKeychain on Android to encrypt/decrypt your txt files
c) Use your favorite cloud storage provider's client to sync your encrypted txt files
This solution has so many things to overcome:
- Setting this up is not as easy as my bullet points
- Maybe some steps can be automated
- Data (text files) on your devices is stored in plaintext and duplicated in encrypted form, which poses some risks when you lose control over your devices (stolen/lost); this can be solved by using full disk encryption and/or deleting the plaintext files after encryption
Sorry for my bad English & for being a bit elusive

Framework discussion

Hi all,
As part of a class I'm doing, we are required to post some content to a forum to engage in discussion on security:
Cross Site Scripting (XSS)
OWASP describes Cross Site Scripting (XSS) as where a website that has been marked as a trusted website can, for some reason, run malicious code or scripts supplied through inputs such as forms. As the end user’s browser sees this site as trusted, it allows the malicious script or code to execute, which can give access to client-side information before it is encrypted (such as usernames, passwords, session IDs, cookies, etc).
In PHP for example, a normal input box where a user would enter their name, would be able to enter the following:
When PHP prints this back out after submission, it will execute the script between the script tags (In this case, just a simple popup).
In this scenario, this can be solved by wrapping the input value with htmlentities:
This would print any script as literal text rather then executing it.
In Java,
XSS is still a major issue, both due to some sites not implementing simple workarounds such as htmlentities or htmlspecialchars, and for reasons where these can't be used. XSS affects PHP applications by as much as 86%; it's PHP's biggest vulnerability.
In Java, the easiest method is to simply validate inputs and to encode special characters (< > @ # $ % ^ & *). Alternatively, OWASP have an XSS class which includes easy methods to best prevent certain types of XSS.
Code Injection
Code injection is where, using the site's scripting language, you can inject (rather, have the site pull) code from somewhere else.
For example, php can call one of its own pages like so:
however, if we replace the contact.php page with an external hosted script:
This will cause the end user to execute that script. This all comes down to PHP validation, which is coded within the PHP to ensure only valid responses are accepted.
This is unlike command injection. Command injection is an attack which is designed to execute commands on the PHP hosting system (server). This can be done wherever most parameters are passed (headers, input boxes, etc) and will typically display any output on the returned web page.
For example, to return a password for a certain user, you could use a command like:
Typically, to prevent such commands from executing, a whitelist of commands can be made, whereby only those listed are allowed to be executed on the server. Alternatively, where the application needs to invoke system-side commands, it is recommended to do this through local Python scripts, rather than PHP calling the commands.
CRLF injection
CRLF injection comes from the elements CR (Carriage Return) and LF (Line Feed) – together (CRLF) this denotes a new line (done simply by pressing the enter button). If a website for example, allows you to upload a file, an attacker may name this file as follows:
This would result in a system command being carried out to delete everything in the /bin folder.
It also allows an attacker to write to the log file by creating its own new line. If the logs are configured in such a way that they will email out any WARNINGS or ERRORS, an attacker may add these to a new log line repetitively, backing up the email and bandwidth.
The simple way around this is for Java to sanitise any input strings, either through substituting known commands, or through methods such as
SQL Injection
.NET SQL Injection allows an authorised SQL command to be sent to the SQL server and executed.
An SQL string may be built using inputs from a form. A possible example of this is:
Code:
SELECT email, passwd, login_id, full_name FROM members WHERE email = 'formemail';
where the red is the text from an input field.
However, we can modify this string which can allow some malicious stuff to happen:
Code:
SELECT email, passwd, login_id, full_name FROM members WHERE email = 'formemail'; DROP DATABASE members --';
Adding the red text to the email input box, would allow us to delete the whole table, or alternatively insert a new record into a table, or possible delete records, modify records (change passwords), or even delete whole tables.
To prevent this, you can limit the damage an SQL injection can do by using proper database permissions (deleting records, tables, etc), and also use good sanitisation – look for -- or ; in any field and invalidate the data if it has these characters.
Directory Traversal
Directory traversal can also be referred to as a “dot dot slash” attack.
In php, a resource (page) can be called as follows:
However, it may be possible to get other files, not even part of the web directory using the following examples:
The easiest way to prevent this is to assign proper permission on the server itself. However, many web developers do not own the server, therefore, another layer of protection is fully qualify the file path, with the root being where the webpage sits.
Connection String Injection
Also known as connection string pollution, it is possible for an attacker to inject parameters into a connection string to a database. Typically a connection string is built by delimiting each value with a comma. In an injection attack, strings can be built using semicolons as a delimiter.
A typical connection string to a windows SQL server may look like the following:
Code:
Data source = SQL2005; initial catalog = db1; integrated security=no; user id=+’User_Value’+; Password=+’Password_Value’+;
However, if an attacker places a rogue Windows SQL server on the internet, and then uses a connection string like the following:
Code:
Data source = SQL2005; initial catalog = db1; integrated security=no; user id=;Data Source=Rogue Server; Password=; Integrated Security=true;
This allows the target Windows SQL server to connect to the rogue server using its own Windows credentials, exposing much data.
Backdoors
Backdoors can be common within applications and web applications and can occur across many types of frameworks; however, it’s the security around the knowledge of backdoors, and what they allow, which can be of concern. All modems, routers and some managed network infrastructure have administrator usernames and passwords. However, sometimes the network vendor (CISCO, NETGEAR, etc) or ISP may choose to put backdoor access onto these devices. This may be in case a user forgets their administrator credentials, for automatic firmware updates, or for remote troubleshooting. Some of these backdoors may allow for more settings than what is normally shown to an end user.
For example, some older Optus-supplied modems had the hidden user: Admin, and a password of: Y3S0ptus. This was standard across thousands of supplied modems. The problem was, the end user had no way of changing the default setting for remote web access from Enabled to Disabled, which meant anyone that knew their IP address or domain name could now remotely access their modem router, add port redirects, and then connect to devices within their LAN.
In the case of ISP-provided modems, it might be safer to simply buy something else, not supplied by the ISP.
