Im developing a win 8 game in js.
When i deploy my app, can any user can see my code files?
My files has some database passwords, i need to ofuscate it?
There's not really any good way to prevent people from mucking with your REST service if it's public. Sure, you can obfuscate things, digitally sign code, pass around certificates, etc. But in the end it's always possible for someone to reverse engineer your code, emulate a trusted client, or diagnose the network traffic directly.
A better solution here is to focus on mitigating unwanted attacks. Validate the input coming into each web service call, trust nothing, and do a threat analysis on your API. For example, if you were writing a Battleship game, have the server keep track of where each ship is and never expose that information to the clients, allowing them to write a fake client that could cheat. Do the scoring server side, so people can't just post fake scores and get on the high score list.
With that said, unless you're writing the next World of Warcraft, it's unlikely anyone cares enough about your game to jump through any hoops.
Everyone has access to every source file of your app. You just have to go to C:\Program Files\WindowsApps\ to see all your installed apps. If you have a HTML5 app installed, you'll notice that all the .html and .js files are freely accessible by anyone.
You may want to make a simple C# library that won't be so easy to reverse engineer, and put in it the "security critical" parts of your app. You can see how to integrate C# in HTML/JS apps in this MSDN page: http://msdn.microsoft.com/en-us/library/windows/apps/hh779077%28v=vs.110%29.aspx
Related
Currently I'm creating an open source project and I want people to participate in creating the backend code, a simple API. May sound newbie, but ive been told that I should never make public my backend code, for security reasons. Then how can people collaborate making the API if they can't make it public. They should secretly send me the code or there's no security issues by doing so.
Thank you very much.
No, it is not a security issue itself. There are lots of good well-secure open source backends and libs to write backends are published in open public repositories.
And the opposite, if you deploy non-secure backend (i.e. with bugs, old exploited libs, etc.), even the privacy of your source code will not help you. Public source code will make it faster to break into, but it does not make it less secure comparing with the private code.
I have made a small text based game using VB.NET in a Windows Forms application but it seems that people are a bit hesitent when it comes to downloading exe files. What would an easy way to have it work as a web application without having to rewrite the entire code?
There isn't an "easy" way to turn it into a web application. You can take all of your logic and put it into libraries (Class Library), but you'll need to write new front-end code for both the desktop and web.
If you are wanting the web to accept user input and such without constant reloading, you'll also need to make a web service to talk to using jQuery or the like.
For what it's worth, if anyone is hesitant to download an EXE, then they don't need it. I used to publish installations for VB6 applications on my website years ago, and I had downloads and referrals from all over the place, including educational institutions.
Also, if you are direct linking to an EXE, consider packaging it up in a ZIP along with a readme file.
Background:
One of my clients' websites has become a malware infested hotbed.
Disposing of the malware has proven difficult and time consuming, and, in the meantime, we still have had to do work on the site.
For now, we went to some trouble to do our work - creating a disposable VM to just run a web browser, so we can see what the site looks like for the designers' work, for example.
I'm wondering if there's an easier (and faster) way to get an idea what the design of the site looks like. Not everyone on the project is tech savvy enough to be trusted with, for example, properly handling switching VMs.
Question:
Is there a method for safely seeing what a malware infested website looks like (for example, a service which will browse the site for me and send a screenshot), one which ideally is easy and simple enough to use that I can trust our non-tech-savvy designers to user?
You might take at look at Internet Archive: Wayback Machine to see if the site has been archived.
If a screenshot is all you need, there are several online browser simulators, such as Net Renderer (which will run any inputted web URL in a given version of Internet Explorer and then supply a screenshot). You might also try BrowserStack, which requires an account, and is not free, but does have a free trial period, and offers more than Internet Exploder.
You could also try running a browser in Sandboxie, which is simpler to set up and use than a VM (you just install it, and then use the windows right-click menu to launch any program in a sandbox of your choosing). However, it isn't free for commercial use.
I don't know if exist a standalone tool to parse a website for malwares, but I think this can help you, it's a google tool that you can you with a request and they will send you a response.
Follow the link:
http://support.google.com/webmasters/bin/answer.py?hl=en&answer=168328
Hope it helped.
Is it possible for a website to automatically find a folder on usb stick and upload all the files in it to the web server by clicking only one button?
The problem is that I don't know how to make upload form automatically detect usb stick as the drive name(ie. G:, F:, etc) may vary from computer to computer, so hard coding path is not possible.
Ps. I'm using yii framework for site development, but can add a new page that will handle this in any other language as the client really wants this feature.
Web sites are not allowed to set default files to upload (it's a major security risk!). Also, web sites cannot scan the hard drive/enumerate what file systems exist on a system, again, for security purposes.
It might be possibly to do this with Flash/Silverlight/Java. Java seems the most likely to allow a web developer to do this (Java plugin seems to be quite willing to give out every permission under the Sun).
Short answer: No.
Long answer: Allowing automatic uploads in web browsers would be a huge security hole so the browsers intentionally prevent it. Even if you manage to find a hole that permits it, the browser makers will break it as soon as they find out.
However, if you have an environment where an actual separate program can be installed on the end user's computer you could easily write a program to do automated uploads of specified directories when launched.
I know you use the C based networking API to do FTP communication but I'd prefer to use something a little higher level. I've seen a few Objective-C based wrappers but I'm not sure what to use. I don't need that complex of FTP interaction. Its just the typical create/delete dirs, upload/download files... What do you recommend?
Edit:
Here is one that looks promising but I can't get it to compile for the iPhone SDK
The ConnectionKit
This may help, but you may reconsider design for reasons stated by bbum:
http://code.google.com/p/s7ftprequest/
The reason why you can't find much in the way of useful FTP client software is because FTP isn't used much any more and is generally actively discouraged from use.
Without great care, it is quite easy to create big old security holes when using FTP (when I ran a consulting company, the 3 times we had infected machines were all because of FTP server security holes or exploits -- one time, the damned HP copier's FTP server was the attack vector!).
FTP is also inefficient unless carefully configured.
I would encourage you to use an HTTP based protocol. WebDAV allows you to do basically anything FTP can do, but does so over an HTTP channel. Thus, it'll work through proxies and the like. Heck -- HTTP has become so ubiquitous that pretty much everything works with HTTP.
And, of course, there are plenty of good HTTP client APIs built for Objective-C.
Obviously, if FTP is a requirement for your project, this answer won't help you much....
After not finding anything that works well I decided I'd go ahead and follow Apple's tutorial on how to do FTP. It sure is a PITA but at least it does work. I'm defiantly going to support WebDAV in the first revision my app, and eventually perhaps some other transfer methods later on. I think I'm going to consider releasing this open source after I get FTP & WebDAV working good, since there is no reason why you should have to do this much low level work to do such a basic and ambiguous task as FTP these days.
I've implemented FTP file download and upload, directory create and directory list download through the regular FTP possibilities in the iPhone SDK. Note: you'd be passing the login name and password as part of every FTP request unsecured. Apparently no apparent connection to the FTP server is maintained at the app level, like with a real FTP client app, that I haven't been able to find for iPhone yet. If you're interested in the source code please let me know through e-mail.
GoldRaccoon isn't mentioned and can be found on GitHub. I use that library and it works very well (besides it didn't support FTP rename)