I know this sounds like a pretty simple question but I want to make sure that I am going about this in the right way before I begin coding. I am trying to hardcode a tab for a standard website (I don't want to use any other software/programs if possible) that is visible to all users but can only be accessed by people with certain permision levels aka admins. I am getting all my user information from a database file (lets call it users.txt) that is set up/contains the following: -username -password -permission level. So here is my thought proccess on this so far: grab each full line from the database, if(permission level != 1) then(alert message pops up and brings user back to home page).
So here is my questions:
-First off is this even the right way to go about this?
-How do I get a full line from the database and store the info in created variables? I want to try and get the info from the DB line by line, and store them in temp variables and see if the user logged in matches that information. (I guess this would go first when the user logs in and store the permission level info for later use aka when they try to access this tab).
Thanks in advance.
This doesn't sound like a good idea. Firstly I would recommend using an actual database, e.g. SQLite. I also think storing user permissions in a file is a particularly poor way of ensuring security (as the user can just edit the file). Using a real database will allow you to extract the users permission directly from the database without having to search. Furthermore depending on the database you chose you may be able to use various integrity features for security.
I would recommend, that you put the information in a database, then use the logged in user's information to pull the correct permissions level, and if it is high enough load the tab. Depending on your security needs you can also enforce some kind of integrity checks on the database and loading the tab from an external source (although in reality you would keep the tab's code encrypted on the device and requisition the key from a central authority).
Related
Context: I have two apps, both signed with the same signature. The first app has data stored in internal storage that I would like to migrate to the second app.
Question: How can I access the data in the first app from the second app? The Android documentation makes reference to "signature permissions" (https://developer.android.com/guide/topics/permissions/overview#signature and https://developer.android.com/training/articles/security-tips#StoringData) and hints that it is possible to share data between apps with the same signature, but I cannot find clear guidelines about how to do this.
It seems like it might be possible by creating a content provider? Or is it possible to directly access the files, since I understand from the docs that they will be running with the same user / same process?
Ideally this process can happen with minimal intervention from the user, and can all happen from the second app (e.g. the second app can recognize that the first app is installed, prompt the user to migrate, and then read the data from the first app and move it to the second). It would be even better if it was possible to move the files (rather than copy) because we potentially have a lot of data and the user may not have enough disk space to copy the data.
It seems like it might be possible by creating a content provider?
Yes. You can create a signature-level permission and use that to protect access to any of the standard IPC options in Android, including ContentProvider and Service.
Or is it possible to directly access the files, since I understand from the docs that they will be running with the same user / same process?
No, two apps signed by the same signing key to not run as the same user, let alone in the same process. android:sharedUserId has the apps run as the same user. This was never a great idea, is deprecated, and is likely to go away soon.
It would be even better if it was possible to move the files (rather than copy) because we potentially have a lot of data and the user may not have enough disk space to copy the data.
That suggests that having two apps is a bug, not a feature, from the standpoint of the user. The closest you will be able to do to a "move" operation is "delete-after-copy", so plan your copies to be as granular as possible so you can delete as you go.
I have a system in Java where different classes stores different information. There is a main class where the user will input the information of these classes and make them interact with each other. After the user is done, he will exit the system. The Next time the user recompile the project, all the previously entered data should be there. The user can use that same data or add more information.
So Simply, How to pause/save the system on close and resume it when I execute it again?
PS. I can't use Database in this. It must be something else.
The Next time the user recompile the project
Users dont recompile projects. They just run your app.
You keep saying 'not DB', so, then, the answer is trivially: impossible.
A database, by definition, persists some data, hence the name: It's a base of data. If that's off the table, you're out of luck and what you want is not possible.
Perhaps you are careless in your wording there as well and all you mean is perhaps:
I do not want to bother with forcing the user to install a database
Okay, then, don't. Use an in-process database, such as h2. The user doesn't know an SQL-based database system is involved, all they see is a file appear. No extra processes are launched.
I hate SQL
Okay, then, don't. There are tools out there that turn an entire object structure into a bag o bytes which you can then save to a file, for example Jackson which can turn one object (which can contain all the relevant user data if you want) into JSON data, which you can then save to a file, and restore later. Of course, if someone trips over a powercable halfway through writing it, the file is corrupted. There are ways to fix that (save to .tmp, then move it into place, as that's usually atomic), but you're sort of committed to re-inventing the wheel here, due to your insistence you don't want databases.
I just want to save the entire system state
You can't. Not how java works.
Can't I do it with zero dependencies?
There's java's built in serialization system, which sucks, has a list of caveats as long as my leg on how to use it, and is more or less disliked by the maintainers of the java platform itself. This is not the way to go. It also still won't 'save the entire system state', it just saves one object, and does a much worse job at this than e.g. jackson.
I'm working on a java swing application that up until now was single user/role. Now I have a requirement that users should be separated into roles with different permissions. Each panel in the application will have certain permission requirements that will dictate its behavior (i.e. it needs permission P1 for visualization and P2 for editing).
After some research it I'll stick to Apache Shiro for my security/UAC framework.
My question is this:
Where should I store the required permissions for each panel? My first thought was to have them in the java class itself, but this seems kind of "hack-y". Another option was to have them stored in the database and link the class with its required permissions. But this creates problems: every time a new panel is added/removed permissions will have to be updated in the database.
If you have any pointers to how this could be done/was already done, i would be very grateful.
I think the safest thing is to store the permissions in the database (or any other centralized server). The advantage is that if the permissions change, you have only one central place to change.
If any security configuration is in the application, then after a change you would have to make sure that no user is using secretly an old version...
I'm trying to develop an application for taking backup for my device. How can I write this? Till now, I've got all the installed packages list and I'm placing 3 buttons for taking the backup(Backup, CheckAll, Cancel).
If I'm going to take backup button it contains one alertdialog it shows 3 options (now, later, cancel). How to take backup the installed packages to one new list and it'll shows by date and time. How can I do this? Any idea?
i don't know if its possible to do that. I remember that i read in an article that in order to access to other packages you need to use the same user that the app does, and from my point of view that means that all the applications that are going to be backed up need to have the same user. I'm not an android expert but i think it wouldn't be possible to gain access to the other packages if you try Java IO to read the files as you normally do.
Good luck, maybe someone knows how to do this.
I don't know what do you mean by backup installed packages.
Generally users keep backup of their database and preferences data.
If you want to take a backup of your database and preference then you can create xml of your database and preferences using xml-serialization.
More information about xml-serialization Click here
And also you can refer inbuilt facility for get backup Click here
I have an SQLite database stored in the assets resources of one application used to load UI and other stuff into the app, mainly just holding text nothing out of the ordinary. I want to be able to get a writable version of this database so I can modify it from another application.
Example:
First application is on the market with limited number of enabled features. User gets to a certain point where they need to buy extra content to do more stuff in the app. The original app has these features but they are not enabled in the app using the database. I want the user then to download a second app from the market which is just used to change one field in the database from disabled to enabled thus unlocking the new features.
I have an idea I may need to use content providers but my understanding is once created they are accessible to all applications. I need it, for piracy reasons I guess, to only be able to communicate with apps signed off by my key.
Thanks
Sam,
I understand what you intend to do, but you are going about it the wrong way. Your 'Unlock App' would not be able to modify the Database in the assets folder of your 'Free App'. That's just general android security model stuff.
You may want to look at this question: How can I use the paid version of my app as a "key" to the free version?
It describes how you can create a 'Unlock App' on the market to unlock features of your 'Free app' without needing to actually modify any of the original data in the 'Free App'.
Good luck