IBM WorkLight android source security - ibm-mobilefirst

I am using IBM Worklight 4.0; currently I am developing a simple insurance application, and everything is done well. After the Android setup has been taken, I can extract the HTML5 and JavaScript source from the .APK (Android setup file). I feel it is insecure from hackers and might be misused by someone.
Can anyone please tell me how to secure the code in setup/deployment?

The answer to this is to obfuscate your code before you create an APK. For more information on obfuscation, visit Wikipedia.
A previous Stack Overflow post tells how to do it for Android:
How to avoid reverse engineering of an APK file?
For JavaScript obfuscation, visit this Stack Overflow question:
How can I obfuscate (protect) JavaScript?
And one more thing: HTML cannot be obfuscated; you can see the HTML source and associated CSS by pressing F12.

Worklight 4.0 was still in use in 2013? :)
Android ProGuard is unavailable to Worklight-based Android apps in Worklight v4 to v6.2 (current release).
The only way to add some degree of obfuscation to an Android app in Worklight is by using the Google Closure compiler. You can follow the steps to do so in the following blog post by Anton Aleksandrov: Obfuscating JavaScript code in Worklight applications.
Note:
Wikipedia defines code obfuscation in the following way:
In software development, obfuscation is the deliberate act of creating obfuscated code, i.e. source or machine code that is difficult for humans to understand. Programmers may deliberately obfuscate code to conceal its purpose (security through obscurity) or its logic, in order to prevent tampering, deter reverse engineering, or as a puzzle or recreational challenge for someone reading the source code. Programs known as obfuscators transform readable code into obfuscated code using various techniques.
Two important things to be noted from the above definition are:
- The purpose of code obfuscation is to conceal its purpose, prevent tampering, deter reverse engineering or puzzle someone reading the code.
- Obfuscated code is difficult for humans to understand.
So basically obfuscating your code means converting it to a format that is difficult for humans to read. Not impossible. Just difficult.
Therefore - it is very important to understand that code obfuscation, especially in JavaScript, is a relatively weak security measure. Most modern web debugging tools are smart enough to "prettify" the obfuscated code reverting it to a much more readable (however still not original) format.
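To make the caveat above concrete, here is an added example (not from the question or either answer) of how little a string-array obfuscator hides from someone who has the APK's JavaScript. The obfuscated source, the `_0x4f2a` array, the `_0x1b` accessor and the API key in it are all constructed for this example; nothing here is Worklight or Closure Compiler output.

```javascript
// Added example: recovering secrets from "obfuscated" JavaScript.
// The obfuscated source below is constructed for this example in the style
// of a string-array obfuscator; the key and URL in it are made up.
const obfuscatedSource = String.raw`var _0x4f2a=['\x61\x70\x69\x4b\x65\x79','\x41\x4b\x49\x41\x2d\x54\x45\x53\x54\x2d\x30\x30\x31','\x68\x74\x74\x70\x73\x3a\x2f\x2f\x61\x70\x69\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2e\x63\x6f\x6d\x2f\x71\x75\x6f\x74\x65'];function _0x1b(a){return _0x4f2a[a]}var cfg={key:_0x1b(1),url:_0x4f2a[2]};`;

// Decode the \xNN, \uNNNN and single-character escapes obfuscators use to
// hide readable text inside string literals.
function decodeEscapes(literal) {
  return literal.replace(/\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)/g, (_, esc) => {
    if (esc[0] === 'x' || esc[0] === 'u') {
      return String.fromCharCode(parseInt(esc.slice(1), 16));
    }
    const simple = { n: '\n', t: '\t', r: '\r', '0': '\0' };
    return esc in simple ? simple[esc] : esc;
  });
}

// Every single- or double-quoted string literal in the source, decoded.
// Running this over a whole app bundle lists its URLs, keys and messages.
function extractStringLiterals(src) {
  const out = [];
  const re = /'((?:\\.|[^'\\])*)'|"((?:\\.|[^"\\])*)"/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    out.push(decodeEscapes(m[1] !== undefined ? m[1] : m[2]));
  }
  return out;
}

// Inline a string array and its accessor function back into the call sites,
// which undoes the obfuscation step that makes the source hard to skim.
function inlineStringArray(src) {
  const arr = src.match(/var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[([^\]]*)\];/);
  if (!arr) return src;
  const [declaration, name, body] = arr;
  const strings = extractStringLiterals(body);
  // accessor functions of the shape: function f(i){return NAME[i]}
  const accessorRe = new RegExp(
    `function\\s+(\\w+)\\((\\w+)\\)\\{return\\s*${name}\\[\\2\\]\\}`, 'g');
  const accessors = [...src.matchAll(accessorRe)];
  let out = src.replace(declaration, '');
  for (const acc of accessors) out = out.replace(acc[0], '');
  const callSites = [
    `${name}\\[(\\d+)\\]`,
    ...accessors.map((acc) => `${acc[1]}\\((\\d+)\\)`),
  ];
  for (const pattern of callSites) {
    out = out.replace(new RegExp(pattern, 'g'),
      (_, i) => JSON.stringify(strings[Number(i)]));
  }
  return out;
}

console.log(extractStringLiterals(obfuscatedSource));
console.log(inlineStringArray(obfuscatedSource));
```

The two functions are about 40 lines, which is roughly the effort an attacker has to spend; anything that must stay secret (API keys, database passwords) therefore has to live on the server and be reached through an authenticated call, with obfuscation reserved for making casual copying inconvenient.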

Related

How to test/debug cross-platforms desktop apps(Windows, MacOS) with limited resources

I am trying to build a desktop app.
I am thinking of using Electron on the recommendation of a web-developer friend of mine, but as I am the sole developer, I don't have the means to test the software on different platforms (OS, hardware, etc.). So I anticipate that this will cause a problem later, in the end, when testing/debugging the software on different platforms and different OSes.
I have ruled out web apps because of some privacy concerns of the users about remote data hosting.
The software is pretty lightweight and is almost equivalent to image viewer apps with some slight modifications.
How to solve the problem of variations of different platforms?
Any literature suggestions pointing me in the general direction are also welcome.
Sometimes it helps to think of Electron as two processes.
The renderer vs. the main process. Generally the renderer process, which runs the HTML/CSS/JS, is its own isolated component, and you communicate with the main process using IPC.
So generally for the UI, you can use almost any web-based testing framework to test reliability. At Amna, for example, we use Cypress as our E2E testing platform. You can also use something like QAWolf. Both should work with localhost. In general, most website testing tools should work fine, and consistently across platforms.
Where this gets tricky is when a UI functionality makes a call to the OS or the main process. For example, saving to the disk, or launching a program.
The general flow is this, and I've yet to find radically simpler options:
Set up a VM or buy a machine with the corresponding OS. I used Spot VMs in Azure for this.
Manually test the scenarios you care about in each VM before you ship
If you have a lot of cases that rely on the OS, then you should be able to further optimize this by using an automated test runner like Spectron.
From experience, what I've realized is that most of the iterations I do happen more on the UI than the underlying functions with the cross-platform capabilities. And if your code has good separation (e.g. contextIsolation:true, nodeIntegration:false), it should be pretty obvious when you need to do an entire "cross-platform" test vs just UI tests.
I'm not familiar with a lot of large-scale electron testing frameworks, I do know that ToDesktop handles package building and generating binaries to perform a smoke test and verify things open across different operating systems.
It depends.
The answer depends on what you are building, so it makes sense to figure out what you actually want to build. Some questions you might ask yourself:
Do I need a database?
Do I need authentication?
Do I need portability?
Do I need speed to market?
Do I want to pick a language I'm familiar with?
These are all good questions and there are dozens more we all ask ourselves. However, back to your original question.
Electron is a fine choice
Yes, there are alternatives. But Electron is used for Visual Studio Code, Facebook Messenger, Microsoft Teams and Figma. Choosing Electron means there are other developers making apps and there are proven apps in the market so you don't have to worry about a dead ecosystem.
Electron is easy to onboard if you know web technologies, think js, html and css. If you know these, you can transfer your web dev knowledge and make a cross-platform app. You don't have to worry about learning each OS since the UI is the webpage which will look mostly* the same between each OS. (*some very minor differences, but essentially the same).
Cross-platform deployment is easy
There are a few ways of bringing your app to multiple platforms, I happen to be most familiar with electron-builder, but the other two solutions work as well.
Many templates to start with
I am biased, since I'm the author of secure-electron-template which is one of the many templates you can choose from when starting an app. However, I recently reviewed all Electron templates and found that only 4 do not have serious security vulnerabilities.
The Electron framework is frequently updated, and over the course of the past few years there has been a shift in the way Electron apps are made. Some earlier frameworks didn't have good secure defaults, which some of the older Electron templates inherited and thus aren't as secure as newer frameworks that follow security guidelines.
If you decide on Electron, give my template a try. It's got a number of features I'm building out in order to help the community with features they might want (i.e. internationalization (i18n), saving local data, custom context menus, page routing, e2e unit testing, and how one can use license key validation, to name a few things).

XACML open source framework or alternative

I'm searching for a well-documented XACML3 framework in the open source world. I tried AuthZForce and AT&T XACML. Both seem to have many features. The problem: to get them running, I have to read the source code or find test classes. There are no examples or anything else that helps to understand the functionality of the framework. I thought XACML was the future of authorization, but at the bottom there is no real community.
Is there an XACML alternative for ABAC implementations, or is there no other way and I must use RBAC with programmed constraints?
Regarding AuthzForce Core (Java library), you have a tutorial on the home page of the github project: Getting started; and an example of usage with a PEP in a real-world scenario. If you are missing info on something, feel free to contact us on our support mailing list. I also emphasize the fact that all Java classes have Javadoc and Javadoc artifacts are published on Maven Central with every release. You can download them manually or make sure your IDE is properly set up to automatically download them when you use Maven dependencies in your Java project.
WSO2 IS can help (open source):
https://docs.wso2.com/display/IS510/XACML+Architecture
http://wso2.com/library/tutorials/2016/02/tutorial-how-to-enable-role-based-access-control-for-wso2-api-manager-using-xacml/
Policy handling can be done via web interface (Carbon).

Win 8 js code security

I'm developing a Win 8 game in JS.
When I deploy my app, can any user see my code files?
My files have some database passwords; do I need to obfuscate them?
There's not really any good way to prevent people from mucking with your REST service if it's public. Sure, you can obfuscate things, digitally sign code, pass around certificates, etc. But in the end it's always possible for someone to reverse engineer your code, emulate a trusted client, or diagnose the network traffic directly.
A better solution here is to focus on mitigating unwanted attacks. Validate the input coming into each web service call, trust nothing, and do a threat analysis on your API. For example, if you were writing a Battleship game, have the server keep track of where each ship is and never expose that information to the clients, allowing them to write a fake client that could cheat. Do the scoring server side, so people can't just post fake scores and get on the high score list.
With that said, unless you're writing the next World of Warcraft, it's unlikely anyone cares enough about your game to jump through any hoops.
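The Battleship advice in the answer above, as an added example that is not part of the original answer: the server owns the ship positions and the score, the client sends nothing but coordinates, and every message is validated before it touches game state. The board size, the message shape (`{ row, col }`) and the scoring values are assumptions made for this example.

```javascript
// Added example: a server-authoritative Battleship round. The client can
// reverse-engineer or replace the game binary all it likes; the only thing
// it can send is a coordinate, and the only thing it learns is hit or miss.
const BOARD = 10; // assumed board size

class BattleshipServer {
  // ships: array of { cells: [[row, col], ...] }, placed by the server.
  constructor(ships) {
    this.cellToShip = new Map(); // "row,col" -> ship index; never sent out
    this.hitsLeft = ships.map((ship) => ship.cells.length);
    ships.forEach((ship, i) => {
      for (const [r, c] of ship.cells) this.cellToShip.set(`${r},${c}`, i);
    });
    this.shots = new Set();
    this.score = 0;
  }

  // Handle a "fire" message from an untrusted client: check shape, type,
  // range and replay, then return only the outcome of this one shot.
  fire(msg) {
    if (!msg || typeof msg !== 'object') throw new Error('malformed message');
    const { row, col } = msg;
    const inRange = (v) => Number.isInteger(v) && v >= 0 && v < BOARD;
    if (!inRange(row) || !inRange(col)) throw new Error('coordinate out of range');
    const key = `${row},${col}`;
    if (this.shots.has(key)) throw new Error('cell already fired on');
    this.shots.add(key);
    const shipIdx = this.cellToShip.get(key);
    if (shipIdx === undefined) return { result: 'miss' };
    this.hitsLeft[shipIdx] -= 1;
    this.score += 10;
    const sunk = this.hitsLeft[shipIdx] === 0;
    if (sunk) this.score += 50;
    return { result: 'hit', sunk };
  }

  // What the client is allowed to see. Ship cells are deliberately absent.
  publicState() {
    return {
      shots: this.shots.size,
      score: this.score,
      shipsLeft: this.hitsLeft.filter((n) => n > 0).length,
    };
  }

  // Leaderboard entry: the server's tally is recorded, whatever the client
  // claims. A mismatching claim is flagged rather than accepted.
  submitToLeaderboard(leaderboard, player, msg) {
    const claim = msg && msg.score;
    const tampered = claim !== undefined && claim !== this.score;
    leaderboard.set(player, this.score);
    return { recorded: this.score, clientClaimIgnored: tampered };
  }
}

module.exports = { BattleshipServer, BOARD };
```

The same shape applies to the database password in the question: the client talks to a web service that holds the credentials and enforces the rules, and the service treats every request as if it came from a modified client.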
Everyone has access to every source file of your app. You just have to go to C:\Program Files\WindowsApps\ to see all your installed apps. If you have a HTML5 app installed, you'll notice that all the .html and .js files are freely accessible by anyone.
You may want to make a simple C# library that won't be so easy to reverse engineer, and put in it the "security critical" parts of your app. You can see how to integrate C# in HTML/JS apps in this MSDN page: http://msdn.microsoft.com/en-us/library/windows/apps/hh779077%28v=vs.110%29.aspx

Will Embarcadero RadPHP XE2 scale to an e-commerce site?

In a nutshell: is RadPHP a toy? Or can you build real web sites, such as an e-commerce/shopping cart app, that will:
Support 100s of simultaneous users on a reasonably good web server, like any other PHP app
my specific concern is the RPCL library might be bloated and inefficient
Be easy to assign the CSS hooks and integrate CSS files supplied by designers
Be as easy as 'plain' PHP programming is to talk to external sites such as payment gateways
Easily integrate third-party components, JavaScript and PHP, e.g. Lightbox, e.g. CKEditor.
I am coming from a Delphi background, not PHP, so please excuse my ignorance and trouble at evaluating RadPHP XE2's potential as an easier way to transition to web development without sacrificing potential to scale.
It has a demo app created for osCommerce, the well-known open source e-commerce app.
Yes
No apparent barrier.
It already has components integrating 3rd-party stuff such as Zend, qooxdoo, jQuery etc.
I'm also coming from a Delphi background with almost no PHP. Currently I'm developing a Prado-framework-based ERP application using Eclipse as IDE. In my leisure time I'm toying with RadPHP, and I think we could have used it as well as the Eclipse-Prado kit, but I'm in no place to make the decision. In my experience RadPHP is developing well into form. The first releases/versions were really sluggish. But XE2 looks solid. If VCL for PHP is fine-tuned for performance in future releases, RadPHP will have better days.

Writing a simple web-based IDE - ideas / concepts?

This may be too broad a question, but how would you develop a simple web-based IDE/editor? For a lecture I was thinking of a simple editor where you could enter some sort of code, press compile and then display the results, error messages etc. in some way.
Does anyone know some examples (with source code maybe), or have any suggestions on how to do this conceptually?
Or you could try http://codepad.org/
You might also be interested in taking a look at the very new Eclipse Orion project, in particular the architecture overview: http://wiki.eclipse.org/Orion/Architecture
Koding provides a framework for you to develop HTML5 applications with access to a real Ubuntu VM with root. The idea for this post being that you can develop an IDE that works with client and server languages, without having to deal with the security of giving people access to machines that you are hosting. Security is hard with machines and avoiding exploits.