Dynamically generated pass for Passbook - objective-c

I have an application that generates a barcode using a third party library. This barcode is not static and changes every 30 seconds or so from within the app.
I'm aware the proper way is to get a signed pkpass file from your server to supply to passbook, and use APN or some sort of trigger within the iOS app to acquire a new barcode. But...due to certain reasons...some of this is not viable at the moment...
So...
Ideally, I would like to be able to allow the user so that every time they select my pass, I'm able to supply them with the dynamically generated barcode (or pkpass file) from the application.
Is such a way even remotely possible? I know it doesn't really conform to "best practice"...

the proper way is to get a signed pkpass file from your server to supply to passbook
This is not just the proper way, this is the ONLY way! Passes cannot be dynamically generated and signed on the device as it would require embedding of your Pass Type ID certificate into your app.
Also, if you are generating and replacing passes with such frequency, the Passbook App will throttle your pass to preserve your users' battery and bandwidth. This would prevent your pass from updating.
An ugly hack would be to educate users to use the "pull to refresh" function on the back of the pass, then serve a new pass in response to the user request, but this would require a degree of synchronisation between your server, your app and the pass.
Practically, if the barcode is changing every 30 seconds or so, then there is a probability that the barcode expires before the user is able to retrieve the pass and present it for scanning. Perhaps there is a better way to achieve what you want without such frequent rotation of the barcode?

In IdentityServer4, how do you securely store the ReturnUrl?

I am developing an identity server 4 dotnet core application so this is as much a dotnet question as an IDS4 question. One example of state I need to maintain between pages (login, signup etc...) is the returnUrl. The application I'm migrating from used to store it in a session variable but, as I understand, unless I run a persistent session strategy, this won't scale well.
So currently, I'm passing it around as a field in each View Model used by each view so it can be returned. Is this a sound approach? I'll be needing other fields to be passed around as well so I'm wondering whether this is a secure and logical way to do it.
So currently, I'm passing it around as a field in each View Model used by each view so it can be returned. Is this a sound approach?
Yes, how you choose to pass it around is up to you, I choose this same approach. You could use TempData, Sessions or even localStorage as an alternative. I think having it in the models (view models) is a good approach because you are explicitly specifying where you want the return url to exist, otherwise it might persist in context that you wouldn't want.
Now the security question because obviously you might be able to see the return url in the browser address field.
As part of Identity Server 4 setup you specify which return URLs you are allowed to redirect back to, so I don't think there is any harm in having the users see the redirect url.
Something to consider is what if the user would share the url to someone else in the middle of the authentication process, would they be able to resume from that part of the process that the initial user has stopped? Is this something you want in your app?
If you mean reliably instead of securely, write tests which will provide you with confidence that your code works.
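A returnUrl carried in a view model comes back from the browser, so it has to be checked again before the redirect. The sketch below is an added example, not IdentityServer4 code or code from the posts above; the function names, the fallback and the sample URLs are assumptions, and the registered redirect URI set stands in for the allowed return URLs the answer mentions.

```python
from urllib.parse import parse_qs, urlsplit


def is_local_url(url):
    """True only for a same-site path such as /account/profile?tab=1."""
    if not url or not url.startswith("/") or url.startswith("//"):
        return False
    # Browsers treat "\" like "/" and drop tabs/newlines, so "/\host" or
    # "/<TAB>/host" can leave the site even though they look like local paths.
    if "\\" in url or any(ord(c) < 0x20 for c in url):
        return False
    parts = urlsplit(url)
    return not parts.scheme and not parts.netloc


def safe_return_url(posted_value, registered_redirect_uris, fallback="/"):
    """Return the URL to redirect to after login; the posted field is untrusted."""
    if not is_local_url(posted_value):
        return fallback
    query = parse_qs(urlsplit(posted_value).query)
    redirect_uris = query.get("redirect_uri", [])
    # Exact string match against the registered set: no prefix or wildcard matching,
    # and a repeated redirect_uri parameter is rejected outright.
    if len(redirect_uris) > 1:
        return fallback
    if any(uri not in registered_redirect_uris for uri in redirect_uris):
        return fallback
    return posted_value


# Constructed sample values (hypothetical client registration).
REGISTERED = {"https://app.example.com/signin-oidc"}
GOOD = ("/connect/authorize/callback?client_id=spa"
        "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fsignin-oidc")

if __name__ == "__main__":
    for candidate in (GOOD, "//evil.example/x", "/\\evil.example"):
        print(repr(candidate), "->", safe_return_url(candidate, REGISTERED))
```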

Can we add multiple passes to wallet at once?

I'm using php-pkpass library to create pass. Now I can add only 1 pass at a time and I want to add multiple passes at once.
Is it possible to do this?
Thanks,
I keep seeing "NO" answers but I keep seeing companies (such as train companies) doing that just fine.
So I'm really curious as to why you can't but they can.
Short and simple NO
You can use for your own pkpass application.
The Passbook App scanner will only allow you to add a pass if ALL of the following are true:
The QR code contains a URL
The URL scheme is https and the server certificate is valid and can be authenticated (i.e. not self-signed)
The URL returns a Content-Type header of application/vnd.apple.pkpass
The URL body contains a single .pkpass bundle
Adding multiple passes via the Passbook App scanner from a single QR code is currently not possible. The only way to add multiple passes is via your own app using the addPasses:withCompletionHandler: method of the PKPassLibrary class.
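The scanner conditions listed above can be checked on the serving side before a QR code is published. This is an added example, not code from the answer or from php-pkpass: the function names and sample URL are hypothetical, the bundle is constructed with a placeholder signature, and the manifest check goes beyond the list above by relying on the bundle layout (a zip holding pass.json, manifest.json with SHA-1 hashes, and signature).

```python
import hashlib
import io
import json
import zipfile
from urllib.parse import urlsplit

PKPASS_MIME = "application/vnd.apple.pkpass"
REQUIRED = {"pass.json", "manifest.json", "signature"}

def check_pass_response(url, headers, body):
    """Return problems found offline (TLS and the PKCS#7 signature are not checked)."""
    problems = []
    if urlsplit(url).scheme.lower() != "https":
        problems.append("URL scheme is not https")
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if ctype.split(";")[0].strip().lower() != PKPASS_MIME:
        problems.append("Content-Type is not " + PKPASS_MIME)
    try:
        bundle = zipfile.ZipFile(io.BytesIO(body))
    except zipfile.BadZipFile:
        return problems + ["body is not a zip archive"]
    with bundle:
        names = {n for n in bundle.namelist() if not n.endswith("/")}
        missing = REQUIRED - names
        if missing:
            return problems + ["bundle is missing: " + ", ".join(sorted(missing))]
        if any(n.lower().endswith(".pkpass") for n in names):
            problems.append("body wraps nested .pkpass files instead of one pass")
        # manifest.json maps each file name to the SHA-1 of its contents.
        manifest = json.loads(bundle.read("manifest.json"))
        for name in sorted(names - {"manifest.json", "signature"}):
            if manifest.get(name) != hashlib.sha1(bundle.read(name)).hexdigest():
                problems.append("manifest hash mismatch for " + name)
    return problems

def build_sample_bundle(extra=None, tamper=False):
    """Constructed sample bundle with a placeholder (not real) signature."""
    files = {"pass.json": b'{"formatVersion": 1, "description": "constructed"}'}
    files.update(extra or {})
    manifest = {n: hashlib.sha1(d).hexdigest() for n, d in files.items()}
    if tamper:  # change pass.json after the manifest was computed
        files["pass.json"] += b" "
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in files.items():
            zf.writestr(n, d)
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("signature", b"placeholder-not-a-real-signature")
    return buf.getvalue()
```

An empty list from `check_pass_response` only means the structural checks passed; the server certificate and the signature file still have to be valid for the pass to be accepted.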

While running event API on JMeter, the server is updating event on old time frame

What I am doing is, I have recorded a download event from APP on JMeter, whenever I am running this API on JMeter, a server where any download event is recorded, is showing OR increment that download on that specific time when it was recorded.
How can I use this to get updated data on server when JMeter is running.
Also need some information on how to add different valid users on JMeter.
Thanks,
Abhi
My expectation is that you pass a hard-coded timestamp as a request parameter so you need to figure out the parameter value and substitute the hard-coded timestamp with __time() function which produces current time in different formats controllable via SimpleDateFormat patterns.
Check out How to Use JMeter Functions article for comprehensive explanation
In regards to adding valid users, normally people stick to users which already exist in the system and use CSV Data Set Config to give each JMeter virtual user unique credentials of the real user.
If your application doesn't have that many users you might want to set up a separate JMeter script to get them created as re-using one login with large number of threads is not a good practice.

VB.net simple license key to protect application

I am working on a simple vb application. But I want to protect it to give the user the option to use it only for a specific time.
So I was thinking to make a text file with a key-code (Besides random characters, it contains an expiry date). When the application is started after this expiry date, the application should close automatically.
The location where this text file is located can be the same location where the executable is running from.
Does somebody of you have a good idea how to implement it? Or is there an easier way to implement this?
If you want to give a "Trial period" to your application you might want rather hard-code that to prevent tampering. Then, when purchased make a modification to registry and different files (maybe downloads a few files that "register" the application so that it recognizes itself as "full"). To go one step further maybe periodically have the application reach out to your server and verify the license.
This is a huge subject that a lot of smarter people than me can weigh in on. I will note that this is part of a constant battle between developers and hackers trying to get around licensure.
To make software unlocked for some period of time, you can create text files on websites like Pastebin and add an expiry date to them. Then make your software check if the file is still valid.
Note that users can "track down" requests your software sends, never store your private information linked with your software.
You can also use HWID protection which ensures your software will work only if it matches hardware information stored in encrypted string.
You can hash other user's information like username, wifi name and so on, but remember that changing any of this information (OS, hardware or system information) will create new unique HWID, which may not match the previous one - resulting in failed HWID authorization.
To make bypassing protection harder, you can obfuscate your software.

Application Registration

I am creating an application and I want to have the application 'authenticate' with some form of registration key in order to cut down on piracy. I was thinking of perhaps building a string when the customer purchases the product and use something like MD5 to create a hash.
The question I have is where is the best place to store this key once it's entered. I am also curious how you design the application to require it or not allow it to run.
EDIT:
The application is written in .NET and any server side technology that will be used will interface with SQL Server database.
Some thoughts... is this a 'one time activation', or something that happens each time the app runs? Users tend to view the latter as a privacy concern. I've gone down the path of one-time registration, with an app called Protection Plus. It handles generation of the challenge/response, which is really the hard part.
PP creates a challenge key which changes each time the form is loaded on the client. With this key, the remote system generates a 'trigger code' using the challenge and a system code provided by the client. PP can be configured to create this system code in several different ways... a bios hash, hard drive serial #, hard drive volume label, etc, ...
When the trigger code is created (which does one of several actions), and sent back to the client, PP decrypts it and returns the correct integer-based action to take.
If interested, check it out:
Protection Plus Website