Am i using ATS with React Native Firebase? - react-native

i am using React Native with Firebase and i am trying to upload app to testflight to Itunes Connect. The encryption question popped up and i have no idea what to select. I did some research on ATS and encryption. I am assuming that firebase is using HTTPS calls ? If that is so, then i need to probably select that i am using encryption.
In which case i am asked, if i qualify for exempt or not.
I have truly no idea what these options mean and if any of that applies to me. It seems rather over complicated, which would be ok, but i have hard time understanding what applies to me.
I mean this sentence seems about right:
"Limited to authentication, digital signature, or the decryption of
data or files"
But maybe i am missing something ?
or this:
"Limited to “fixed” data compression or coding techniques"
Limited to coding techniques ? No idea.
So if i have basic app using Firebase for storing data about user/authentication etc am i using HTTPS ? Also am i then exempt or am i supposed to send them year-end file which i have no idea what means ?
On top of it React Native official documentation mentions that you are supposed to allow ATS, meaning you would definitely have to say you are using encryption, but then does not mention anything about encryption.
Here under Enable App Transport Security Link
I will welcome any explanation whatsoever as i feel kinda lost here.
Thanks

So your question is a bit off. ATS is an enforcement technique Apple uses to try to ensure any network connections your app make are protected using HTTPS (and other more rigorous requirements, like TLS version, forward secrecy, etc.). So ATS will try to force you to use HTTPS. Whether your React Native app actually uses HTTPS is up to you to know.
Basically, you can have ATS enabled, but add an exception to the one domain your app comminucates to allow the app to make those calls using HTTP. In that case, your app does not use encryption, so you can answer no to that question.
However, if you access any network resource with using the https protocol, you have encryption, but it qualifies as an exempt form of encryption.
You can simply add the following to your Info.plist:
<key>ITSAppUsesNonExemptEncryption</key>
<false/>
Unfortunately, that is not all. However, the good news is that if you are just using https, you will have a simpler process than if you are doing your own encryption / decryption.
As you can see in this page, you only need to submit a self classification report. It's relatively easy and you don't need to provide any additional documentation to Apple.
Your app uses ATS or makes a call to HTTPS:
No documentation required in App Store Connect. Submit a Self
Classification Report to the U.S. Bureau of Industry and Security
(BIS) directly.
Also, you can find more information about submitting that BIS form here: https://stackoverflow.com/a/45888609/3708242

Related

Correct use of PhoneGap SSL Certificate Checker plugin

Hopefully, as I understood correctly to safely transmit (post) data from a phonegap / cordova hybrid app to a server, I need a procedure to check the SSL certificate of my server. Am I right?
The tool PhoneGap SSL Certificate Checker plugin developed by eddyverbruggen (to be found here https://www.npmjs.com/package/cordova-plugin-sslcertificatechecker) seems the most user friendly tool available.
However, from the guide, I cannot deduce how to properly use the tool.
Is it sufficient to call the function window.plugins.sslCertificateChecker.check when the app is launched or;
Do I need to call the function everytime the user wants to post (and retrieve) data to (from) the server; calling the post function (an ajax function) in the successCallback?
Thank you
PS. I also encountered the Cordova Advanced HTTP plugin (https://www.npmjs.com/package/cordova-plugin-advanced-http) that seems less user friendly to me. I think it is a separate question, but if someone could give a hint about the differences between the two plugins, that would be appreciated too.

Implementing Account Linking - queries

I've asked a Google Dev Advocate for help as I'm struggling to implement Account Linking on my Google Actions app, he sent me a link to a documentation article I already had read and suggested I also consult Stackoverflow. Having already done the second suggestion too and having struggled to find the exact answers to my questions, I've deiced to link to the doc article here, add all my queries and send this back to the Dev Advocate in the hope to get more clarification, especially as a reminder that Documentation could be read by complete newbies on the topic and that nothing should be given for granted.
This is the article I am referring to https://developers.google.com/actions/identity/account-linking
My queries below:
What is the difference between implicit and authorization code flow. In the article "Authorization code" is chosen, why?
Although I have found on Stackoverflow where to get your Client ID and secret, don't you think it would be good to add a link in the article?
Authorization URL - this is something instead I haven't found a clear guide for. Some Stackoverflow tickets report 2 Google OAUth URLs can be used (For the Authorization URL, enter https://accounts.google.com/o/oauth2/v2/auth
For the Token URL, enter https://www.googleapis.com/oauth2/v4/token), but a recent change to google policy suggests
When implementing account linking using OAuth, you must own your OAuth endpoint
So I'm now extremely confused at what I should put in the Aiuthorization URL and Token URL - why isn't this documented in a more basic and clear way? I've also read it needs to be served over HTTPS, what if you're working on local and on a pet project which isn't commercial and you won't be able to pay for HTTPS?
What is Seamless Account Linking and why isn't this explained and documented?
If your app supports seamless account linking
Where should we whitelist this?
Whitelist the following redirect URI: https://oauth-redirect.googleusercontent.com/r/
What are your OAuth 2.0 client configuration details? Where can they be found?
In the expanded OAuth 2.0 form, fill out the fields with your OAuth 2.0 client configuration. When filling in scopes, ensure they are space delimited.
I don't see the Discovery tab on my Oneplus 3T Google App, where else can I find it?
Open the Google app and go to the Discover tab.
This is where I get stuck - as many other people on Stackoverflow I get "The account is not linked yet" error. Maybe resolving the issues above will resolve the Account Linking error?
Invoke your app. Since it's the first time invoking the app with your Google account, the Assistant notifies you that you must link your account.
In addition to those questions, I also have the following:
I would like to get access to the user calendar and user basic info so I've added profile, email and https://www.googleapis.com/auth/calendar could you confirm these are correct?
Thanks and please remember documentation should be for everyone!
Documentation is for all developers. However, keep in mind that some of the tasks might require you, as a developer, to learn more than you currently know. Coming to SO is one of the ways to do that, but there are many other avenues that supplement that.
Good original documentation does, however, help. Google's docs are currently just bad - they used to be terrible.
Update - Before we begin, let me answer a question you suggest, but don't actually ask.
Why do I need an OAuth server at all?
First of all - you don't.
Think of your service like a website and the Assistant as a browser. For lots of websites, they don't need to know who the user is in order to use the website. There are lots of things the website can do without a user account at all.
In some cases, it is useful to know that the user visiting your website has visited you before. Frequently, you'll use a cookie to do track users like this.
The Assistant has an equivalent to this, although it is slightly different. The Assistant sends an anonymous UserID with each message to you. This UserID is only for this user and for your Action - it isn't re-used for any other Action or any other user. So if you track it, you'll know when the user returns. Like cookies, users can reset or clear it, but for the most part, this is durable.
But sometimes, you might need a person to log in to an account on your website. This is what the OAuth server is meant to accomplish - give users a way to log into your Action. OAuth is a pretty standard way to let people log into services these days, although the intent is really to authorize a client to act on your behalf.
The latter is really what OAuth is doing in this case - your user is authorizing the Assistant to act on the user's behalf when talking to your Action.
(Update - There are now ways to avoid having to setup an OAuth server at all in some circumstances. See the update at the bottom of this answer.)
Now back to your questions
But... let's go over your questions.
What is the difference between implicit and authorization code flow.
These are two terms that are more carefully defined by the OAuth2 standard, but in short - both of them let a client (a remote server from yours - the Assistant in this case) to get a user to give certain rights on your server.
The Implicit flow is simpler, both in what you need to setup and what the two servers exchange, but assume that once you issue a token, it is indefinitely valid. This brings with it a slightly higher risk that someone can get this token and use it to impersonate the Assistant.
The Auth Code flow is more complex (although not a lot) and addresses the risks in several ways. One way is that some transactions are done server-to-server instead of including the client, and that those transactions include a shared secret. Another way is that the auth token has a limited lifetime, and therefore a limited window of exposure, but that there is a refresh token which can be used to get a new auth token.
In the article "Authorization code" is chosen, why?
Most likely because it is more secure for a minimal level of extra work. Most of the security issues it addresses, however, are most visible in more open environments such as browser and mobile - they're not as big a risk with the Assistant. However, for places that need to setup an auth server, going with the more secure route has benefits in other areas.
Most Google APIs use the Auth Code flow or variants of it. (Although most use it from the client side - not the server side. Which is what Account Linking for Actions requires.)
Although I have found on Stackoverflow where to get your Client ID and secret, don't you think it would be good to add a link in the article?
Well... except that SO answer is no longer valid. (And, apparently, was never intended to be valid.) As you noted in your next question, Google has clarified their policy that requires you own the OAuth endpoints you use for an Action. They have, furthermore, made technical changes that prevent you from using Google's endpoints. (And I've updated the answer to say so.)
While the "Configure cloud project" part is correct, and describes how you setup credentials to be used with the Calendar API, you cannot use Google's OAuth endpoints to do the auth for your own project.
So I'm now extremely confused at what I should put in the Authorization URL and Token URL - why isn't this documented in a more basic and clear way?
Because this is a point where they're making an assumption that isn't very clear in the documentation. It is suggested where they say "Step 1. Configure your server" that you have an OAuth server. If you have an OAuth server already, then you should know what your server's Authorization and Token URLs are.
If you don't, however, this does get further explained where they talk about determining what the endpoints will be for an OAuth service you're creating.
I've also read it needs to be served over HTTPS, what if you're working on local and on a pet project which isn't commercial and you won't be able to pay for HTTPS?
Yes, it has to be HTTPS. This is a requirement of OAuth, and good practice when you're sending tokens that can be used to do things authorized by a user. It sounds like you want to be able to issue API calls to a Google server, and if those tokens got out (or tokens that could be used to access the same resources), then your Google Account could be compromised.
You have a lot of options here for your local or pet project development. Just to list a few:
You can use Firebase Functions. For projects on a "pet" level, they're free. (And if your Action gets a little popular, Google Assistant will give you credits that should pay for a modest level of use.)
You can get SSL certificates for your server for free using Let's Encrypt.
Since your server has to have a public address, you can create a tunnel using ngrok, which also provides a public HTTPS address you can use. This probably isn't good once your project gets out of the "personal testing" stage, but is a good tool to start with.
There are other approaches, of course, but these are a few good tools that you can use depending on your needs.
What is Seamless Account Linking and why isn't this explained and documented?
It is. Except in the documentation they confuse things by also calling it "Streamlined Identity Flow".
On the Account Linking Overview page it says "For more information, see Streamlined Identity Flows about how to configure your OAuth server to support the seamless identity experiences on the Google Assistant."
This takes you to a page talking about how this flow builds on top of the other two identity flows and has some additional requirements, but should make the user's experience better.
However... don't worry so much about this. If you're just doing this for fun, the normal identity flows aren't that much of a burden. If you're doing this for a commercial product - get the normal flows working first.
Where should we whitelist this?
Whitelist the following redirect URI: https://oauth-redirect.googleusercontent.com/r/
This is one of the underlying concepts of OAuth - as part of the communication between the client server and your server, it will say to redirect to a particular URL when you're done authenticating the user and getting their permission to issue a token.
The OAuth spec requires you to compare that redirect URL to a URL that has already been setup for that client. It does not specify how you set that up. So Google is saying "When you setup the OAuth server for our client - here is the URL that we will ask you to redirect to."
Google can't answer where to whitelist this except "in your OAuth server". Most OAuth servers have a way to configure multiple clients, and this is one of the values you'll set for that client. (The ClientID and ClientSecret are other values, but Google lets you determine these values and tell it as part of the configuration for Account Linking in the Action Console. Which is your next question.)
What are your OAuth 2.0 client configuration details? Where can they be found?
Again, this depends on your OAuth server and your requirements for what you want to prompt the user when they try to login to your server. The ClientID and ClientSecret are two such parameters. The OAuth scopes that the Assistant should request access to are other parameters. But these are up to you - because it is your server they are trying to get access to.
I don't see the Discovery tab on my Oneplus 3T Google App, where else can I find it?
That documentation looks incorrect. I think that should say that you should open the Google Home app on your mobile device.
It is also possible that it does mean the Google app, in which case your phone may not support the Google Assistant as part of the Google app. You can download the Google Assistant separately, if necessary.
However - use the simulator to test initially. Although it requires a few manual steps, they are easy to follow and help you trace things.
This is where I get stuck - as many other people on Stackoverflow I get "The account is not linked yet" error. Maybe resolving the issues above will resolve the Account Linking error?
Well, your account isn't linked yet. {:
It sounds like you haven't set an auth server for your Action. Until you get an auth server working, the rest isn't going to work.
I would like to get access to the user calendar and user basic info so I've added profile, email and https://www.googleapis.com/auth/calendar could you confirm these are correct?
First of all, keep in mind that this whole process is to link the user's Assistant account to their account on your service. You may have information in their account (on your service) that you use to do things - such as access Google resources or access other things that you know about them.
This is not directly a way that you gain access to the Google account that they're using to talk to the Assistant.
In order to get a user's permission to access their resources on Google's servers, you'll need to get them to authorize your server permission to access that. That is done using OAuth, again, but this time you're the client. User's will need to go to your server, you'll redirect them to Google's server to authorize you, and they'll be redirected back to your server with codes that you will need to store. This is all done outside of the Assistant and it's Account Linking system.
That said, for what you want, profile and email are fairly normal scopes to request. The Calendar API Documentation confirms that the https://www.googleapis.com/auth/calendar scope is what you need to access that API. (Keep in mind that this URL is not one that you'd use in a browser or that you'd go to to access anything - it is a uniquely identifying name only.)
Update to reflect API Changes. Since this answer was originally written, Google has introduced Google Sign In for Assistant, which lets you avoid having to setup your own OAuth server when you are willing to tie operations to the same Google account they use on the Assistant. If the user permits, you can get simple user profile information this way, and you can then leverage this to get access to other APIs (again, with the user's permission). See this SO answer that discusses how to use this to access Google's other APIs.
Thanks and please remember documentation should be for everyone!
From my conversation with Google's Assistant team, they are looking to make documentation easier, and hopefully they will take many of your suggestions to heart. I hope these clarifications have helped you (and anyone else who gets here with similar problems.)

Pass Cloudflare browser check to detect whether website is online

I want to build a website availability checking service that would pass Cloudflare's browser check (aka "I'm Under Attack Mode") that gives a false negative error with isup.me no matter if a website is actually offline or not. Assume that there's no direct connection to the website as well.
Maybe Cloudflare actually has some API to check if a website behind its proxy is online? That would be perfect.
If it doesn't maybe it could be done the hard way. I'm thinking about node-webkit. It's a full-fledged web browser so theoretically it should pass the browser check. But I never layed my hands on node-webkit so maybe I misunderstood. Do you think it is possible and rational?
Any other ideas maybe?
The site owner specifically turned on I'm Under Attack because they were under attack, so what you're looking to do might actually not be helpful while they are under an attack.

Automatically using self signed SSL certificate

I'm creating a launcher for a game I'm making. To gain access to the launcher's menu the user has to first create an account on the game's site, buy the game using it, and then login to the launcher using his credentials. I've set up a php script on the server which accepts a username and password MD5 hash parameter (in the URL), checks to see if the account is in the database and returns relevant information to the launcher.
Since I'm transferring sensitive (albeit encrypted) information over the Internet I've figured that using SSL would be the best way to go about doing this. Since I can't quite afford a legit third party signed certificate I've signed one myself. It's bundled in the launcher and added to the trust store programmatically so that I can use it to connect to that php script and login without any problems.
Now this whole system I've described works just fine, but I've heard from someone that using a self signed SSL certificate without the user's consent is illegal in some countries (namely Denmark, maybe others). I've tried looking this up to see whether I should add some sort of confirmation dialog to the launcher but I couldn't find anything.
I'm located (and developing the program) in Israel, the server is in the Netherlands.
Does anyone know what laws my friend was talking about, and what I should do to avoid breaking them, as well as online sources where I can read more about them?
Some countries have laws against using encryption. Check out Crypto Law Survey for details on each countries' restrictions. The Netherlands appears to have some restrictions, if so, you might want to consider moving your server.

Integrating Mailchimp embeded form with an SSL website

I am trying to integrate a Mailchimp sign up form with my website. I generated the form in Mailchimp and copied the embed code to my site. The problem is that my site has an SSL certificate and when my potential clients try to sign up to my mailing list it gives them a security warning (in firefox) saying:
"Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.
Are you sure you want to continue sending this information"
Is there any way to avoid getting this warning?
Thank you very much for any help.
I was also facing the same problem using default embed code provided by mailchimp, but that wasn't working on SSL site.
So after Googling for solution i found this link:
Stop MailChimp Forms Breaking Your SSL
https://www.ostraining.com/blog/coding/mailchimp-forms-ssl/
and it wasn't a big problem simply need to change the url from list-manage1.com to "list-manage.com"
simply need to test after removing 1 from the list-manage1.com and it worked fine after that.
It also works fine for post-json embed urls.
Short answer. No
Longer answer. No, you are stuck with that warning. You are posting to an unsecured site from a secured site and the user will get this notification.
It's more work than a simple embed, but you can do this using the MailChimp API which has support for SSL. See the section entitled HTTPS / Secure Connections in the API docs.
You can edit the form Mailchimp provide to embed so that it uses https and not http in the action url.