I'm developing an app for Android which needs data of my server. My doubt is:
Is it safe to make a query from android to mysql?
Because... I was thinking to obtain a JSON with a PHP file, but I believe this is slower method. So, now i'm trying to make a query to mysql server without any PHP file, putting the password and the user of data base in the android project.
I need to know if someone could decompile my app and see my credentials in java files.
Are there other methods?
More than "safe", there's not a native way to send data from Android to a MySQL server. The correct way is implementing a web-service that receives the query (for instance, via HTTP POST), then handles it, connects to the local (or remote) database and executes the requested query (and possibly returns the result if needed).
As far as security goes, this seems to be a totally different question, but in this kind of architecture it seems that a Asymmetric encryption algorithm is what best fits this kind of transactions, as you can hardcode/download each time you need the public key for encrypting messages and they'll be only decrypted by the server side using the private key.
Hardcoding credentials into your app is pretty much a bad idea, because if someone who has some knowledge about this subject, will try crack you app, and if your app manages some financial sensitive data, they actually will try triplify efforts.
How to securely share key between two remote devices?
How dangerous might be publishing a public key?
You should be aware that people can always get the db user and password from the application. This allows them to login and drop your tables in the database.
Therefore creating a small web service that will do it for you gives you more security, since you can decide what operations is allowed to perform to the database.
Using a RESTful (in your case)PHP framework is the way to go. You can then use data from JSON or XML in your application. This way is definitely not slower. You can use this framework:
http://www.slimframework.com/
Or whatever your are using right now.
Related
Background
I am trying to make a public facing API that is gated behind an OAuth2 workflow. I've found example database designs using JPA Repositories/Spring-OAuth2, which is the framework that I'm using. I basically have this application, which is currently using an InMemory authentication, which I'm trying to convert to pull the data from a database using JPA Repositories and a relational database design.
I did find this guy, but the problem is that it doesn't account for how the data is related to one another.
IE I was hoping that I could split the scopes into a separate table so it'd be as simple as adding additional scopes that are available for apps later on. I was also thinking of adding support for having types of OAuth clients, such as bots, website, desktop app, mobile app, etc.
I'm assuming there is some sort of a relationship between oauth_approvals, oauth_refresh_token, oauth_client_token and oauth_client_details. I want to also make sure that it's possible to map an oauth client to a user. Ultimately I'd like them to be able to have multiple clients.
For my current use case it's definitely overkill to have this flow, but I am using this application to learn about different technologies.
What I currently have
I'm sure this can be done better, if so how?
Questions
How do I properly make the relationship between the different components of an oauth client?
How can I make this so that I properly allow a user to have many clients?
How would I be able to dynamically get a client from the database, or is this handled through ClientDetailsServiceConfigurer.jdbc()?
How would I be able to add types of clients to the flow?
If you have additional questions let me know and I'll be more than happy to update my question.
New to android programming and want to save basic student information in a database. What is the easiest and simplest way to store this data so it can be accessed by multiple devices remotely at any time? I know that android supports sqlite but this seems to be only locally on one device. Any ideas or suggestions?Eventually want to publish application on google play and want users to be able to see students names in their class for each class.
If you're not interested in setting up and maintaining a remote server, Firebase is fast, free to get started, and operates in realtime:
https://firebase.google.com/docs/database/
It seems you've answered your own question :) Place your relational database, such as MySQL, on a remote server. Create an API that performs CRUD operations on the database tables.
Then issue requests to the API in your android app: https://developer.android.com/training/volley/index.html
Yea you basically answered your own, I highly recommend using retrofit2 for android for http requests.You’ll use annotations to describe HTTP requests, URL parameter replacement and query parameter support is integrated by default. Additionally, it provides functionality for custom headers, multipart request body, file uploads and downloads, mocking responses and much more.
Here is great link to get started on your way to happy life:)
Ideally you would want to create your server to handle request and give responses, and android client for those request, if you are going the custom route you probably want a node.js server, or php server. You can even use socket.io to spice things up for real time communication, or maybe some notification system from firebase. Firebase is awesome, it handle all the aforementioned.
For the database portion if you decide not to use Firebase, please do not Raw SQLite you will have nightmares, use something like Realm it is NoSQL ,fast and easy to perform database transactions.
I have a JAVA application (Jersey, Hibernate, Spring) which is using MySql as database. Application is running completely fine. Now my client wants me to encrypt all data in database because it hold some confidential information as well. so for example if anybody directly logs in to MySQL he/she should not be able to view actual data but the encrypted data.
Actual data should be shown in correct for only using application.(In application we are maintaining user rights).
Please suggest do I need to make change at application layer. Application is quite big and if make changes for each and every query while inserting and retrieving data, it would take alot of time. Please suggest if there is any alternative way.
Regards,
Alex
MySQL does not provide transparent data encryption by default. I quick googling reveals some add on products that claim to do what you are looking for (personally, do not have any experience with them):
zNcrypt for MySQL
MyDiamo
I think you should evaluate these options.
I'm using JDBC to connect to a PostgreSQL database. We are trying to block access to the database for the users themselves; instead they should be forced to use our frontend. We blocked access to any table, and gave only procedures, which do all the work for users, still not giving them any opportunity to access data directly. We tried to block access to schema pg_catalog, which limits users to procedures we created, but it seems that this access is needed for JDBC to call any procedure.
Anyway, the question is either how to use JDBC without access to pg_catalog, or how to authorize only connections made by application, not user.
There is no fool proof way but the simplest is to use a username and password for the connection that you do not give to your users. Store the password in an encrypted configuration file. Ofcourse the encryption key can be retrieved from the application by a smart person.
For a really save system it would probably be best to put a service in front of the database that handles all security and provides a high level API to access the data and let the client connect to this.
The DBMS is being presented with a Catch-22 situation:
When a user runs a specific JDBC program to access the database, let it do its stuff.
When a user runs any other JDBC program to access the database, do not let it do its stuff.
How can the DBMS tell the difference between the two programs? As far as it is concerned, they are both clients that are using the correct protocol to communicate with the DBMS, and have identified themselves as a legitimate user of the database.
To make it work, you have to find a non-subvertible way to distinguish between the two applications. That is not trivial - to say the least.
There are kludges, but there isn't a clean solution. It is a generic problem that any DBMS faces when the problem is presented as in the question.
Well, just don't give your users an account on your postgresql database and create only an postgresql account for your application.
I am designing an enterprise security server for our company - we own many different applications, most written in java and a few written in PHP. I could provide a remote API that would give each application access to the server. I could also create 'agents' that each application could include that would do all the work for them, but allow my server control over their sessions and thus their authentications/authorizations. Issue is I would probably be better to write the agent in java because 80% or more of our apps are in java.
If I wrote the agent in java does anyone know if there was a way this program could access the php session? If not does anyone have a suggestion regarding a better way to go about doing this?
The session data is stored as a (php) serialized array in a temporary folder. The locations for these are set in the php.ini file.
But you can change both the format of the data and the place it is stored (e.g. to a database or shared memory or somewhere else) by writing your own handler.
A quick google suggests that several people have written [de]serializers in Java for PHP data. e.g. http://hurring.com/scott/code/java/serialize/
If you have problems with the built-in PHP serialize function - have a google for WDDX (which IIRC comes as standard) and serializes data into XML.
You might want to think about how you keep the session data appearing to be active to PHP if you want the agent to continue independently of the web session.
C.
You can hook into PHP's session handling using session_set_save_handler() (an example for a simple but complete custom handler is included in the manual). You should be able to synchronize PHP's session management with a central Java server that way.
Your PHP application would receive a session ID through a cookie ($_COOKIE["SESSION_ID"] or whatever).
Your custom session_save_handler would, instead of maintaining a session store of its own, pass that session ID to your central Java-based security server, and get all the session data in return. Writing into a session from PHP would be routed the same way.
You could of course also go the other way, and poll PHP's internal session data from the outside, but wouldn't quite understand what exactly for. If that is the case, can you go into more detail there?