Implementing anonymous user voting [duplicate] - java

This question already has answers here:
how to allow only one vote for a rating system
(2 answers)
Closed 9 years ago.
I am building an anonymous voting system for my web application. My goal is to make a system that each computer (device) can perform 1 vote only. I know the best way to achieve this is not to implement it by using anonymous users but I am not too concerned about building a perfectly secured system.
I have searched about persistent cookies but I soon realised that cookies are unique to each browser, not to each device, so average users can easily figure out that they can vote again on Chrome after voting on Firefox. I would appreciate it if you could give me any suggestions.
What is the best way to build this system?

From how to allow only one vote for a rating system
# Mike Sherrill 'Catcall':
There seems to be no practical way to strictly enforce one vote per person on the web.
On computer networks, we often use surrogates for people. Some of them are
network or application login,
email address,
IP address,
cookies,
and so on. But all of these have problems when it comes to one vote per person.
For web logins, a person can usually make multiple accounts. (Especially if they're free.)
Email accounts are free, and many (most?) people now have multiple email accounts.
IP addresses might work, but only on intranets (implemented with one IP address per computer) with unshared computers (company policy of one person per computer).
Cookies have the same problems as web logins. (And they can be deleted by the user.)
If a vote is really valuable, some people will go to a lot of trouble to vote twice. But most votes aren't very valuable.

Related

Java - Determine if two visitors are similar (web-based application)

I have been searching the entire WWW for a week now to no avail.
Here's the scenario in bullet:
Application is web-based
Technologies are Java, struts2, Spring
Problem/Requirement:
When a user registers in our website, I must know if the user has already registered before (but is now using a different login id). Note that the system will not ask for any personal information from the user (e.g.: Real Name, Address, Birthday, etc.)
I've tried:
Limiting using IP address.. But IP addresses aren't fixed. They always change.
I was planning to use MAC Address. Basically MAC address can be changed, but if I remember correctly, common users cannot just change their MAC address unless they really know what they are doing... in that case, it is okay.. although limitation using MAC address is not 100%, at least the common users do not know how to change their MAC address, so as of the moment, me and the client agreed to use the MAC address.. However, I do not know how to retrieve the MAC address of the client's computer/laptop... and as I searched further, it is impossible to do so..
So I wanna know if there's a certain trick to implement the said requirement... Note that the client just wants to prevent a HUGE number of users with multiple accounts in our website...
Can this be done? Note that I did not ask for this requirement, this is a client requirement and I am kinda at a loss after a few attempts so I want to ask experts if this is really possible.
The best way that I can think to do this is to use a combination of information that you can easily collect through the user's browser. You can then store that on a database and use it to determine unique visitors. Here's what you can collect.
Computer brand, OS, and OS version
Browser(firefox,safari,chrome etc..)
Browser plug-ins (this is pretty good because most people have hundreds)
Display information (screen size etc..)
This is pretty good as I believe only 1 in about 4 million people have the same browser plug-ins as I do.

How to secure my app if the mobile device is stolen/lost

I am making a secure application which should not run if the mobile device is stolen/lost, or the SIM card is changed. If I programmatically uninstall my app it prompts the user whether she wants to uninstall it or not. I want this thing in a hidden way.
One more thing is to keep a file in the assets/raw folder and when the SIM card is changed I must remove that file and my app will not run without that file. But deleting the files from both folders is not possible at run time.
All suggestions highly appreciated!
I know about password protection, cryptography, ProGuard, DexGuard, keep minimum functionality on phone. Guys I must need a way to remove the App! Please help on that point
Thanks in advance!
One more secure solution is to run your app on some Android x86 servers and to pipe in only the user interface to the phone.
Disclaimer: I've never used those guys, so I don't know how good they are. I just saw their lightning talk presentation at the most recent AnDevCon in San Francisco, and I just thought it was a clever idea.
One added advantage that this solution provides is that your employee's personal content doesn't get mixed in with the content of your company's. In hindsight, it's an old solution that has worked quite well for PCs and remote workers.
I'm not sure if this is exactly what you are asking for, but it may address your concerns. In general, the big concern with a stolen phone would be data. If you are concerned about someone else running your application, it seems that authentication should address that. A secondary concern is that someone could de-compile your code to learn details that could lead to exploitation. So here are 2 suggestions that address these concerns.
Use ProGuard to obfuscate your code. That way if the device is rooted and the APK is obtained, it cannot be decompiled (at least not into easily understandable code). Reference.
If you store any data in a database on the device, be sure to encrypt it. SQLCipher is a free library that will allow you to do so. Reference.
Answering some other interesting comments I was pinged about:
A couple of things:
I am that guy who gave the lightning talk in AnDevCon Stephan Branczyk mentioned, but I'm not a heavy stackoverflow user so I do not have the privilege to reply. 50 Upvotes for this comment and I may be able to answer inline :)
I will however give my insights on this, so if you are "paranoid" about security and want to read more about it from the founder of a "paranoid security vendor" - you can continue reading it.
Otherwise goto 7.
It is very important to understand that there is no catch-all solution - so do not be naive about it. All Android security best practices are great - but up to some point, as your Operating System (ROM, MOD,...) can, and will be compromised. I do not want anyone to panic - but there is NO perfect solution.
Stephan is right about Nubo's security design concept - if you violate the terms - you are out of the game. If you're out of network, or doing something suspicious - well - the device is not in control, no matter what. We aim towards satisfying both the user in their personal space, and the IT managers in the remote Android space.
It is very important for me to clarify it is NOT a remote desktop. It's not even close to it - we have developed a Display protocol for Android from scratch - intended for the mobile environment. This is nothing like Remote Desktop/X11/VNC/... for "PC".
Should you need a "perfect" solution, you need to have a "trusted" device, which involves hard-core hardware support + secure bootloader + block verification chains etc. You can learn from the ChromeOS project if you are interested but I assume you are not willing to take it that far.
Answering the original answer: It depends on what phone. If you want to use the PackageManager - you need your app to have a System certificate, which means that unless you bundle it with your own device, or do other tricky stuff I will not get into in this post - you can't. What you can do is to use the BIND_DEVICE_ADMIN permission in your manifest, and essentially register your app as an administrator (Something like MDM, etc.). Then, with some more trickery stuff you can handle your problem on the nominal case. You could bundle another app with that capability, and just invoke it from your app if you want to be on the very safe side.
*This post is already way too long and referring to too many questions so if you have further questions please go ahead and ask. I will try to reply before 2014...
step 1 : write a process to run in background
step 2 : make the process be active when cell starts
step 3 : check for internet connection or balance
step 4 : if internet available mail yourself phone specific details like IMEI ,MAC ,IP whatever you think is important ,
step 5 : locating GPS location would be very helpful
step 7 : receive these mails from the mail id registered in your app

How to get client MAC address in java servlet? [duplicate]

This question already has answers here:
how to get a client's MAC address from HttpServlet?
(5 answers)
Closed 9 years ago.
I want to identify a client machine uniquely from a servlet.
Basically my application is about to take visitors' details. In my application I have offers for a user who visits me for the first time. In this scenario, I need to get information about the client's machine so that if they come back to the site then my application can recognize that the client has already visited from this machine.
I am using JAVA SERVLET.
Any point regarding this scenario will be appreciated.
Thanks in advance.
Using only Servlet technologies, it is impossible to get MAC addresses. MAC address detection needs software running on the client machine - a browser plugin, ActiveX control, JavaScript script or something like that. It would also most likely trigger security warnings, if the browser tried to access such information.
Cookies should be used as a first method of returning visitor detection. It is quite easy to clear them or use a different browser, but the majority of internet users don't think about such things.
Going for MAC addresses seems needlessly invasive to me.

Java: How to check whether the computer has been changed [duplicate]

This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
How to get a unique computer identifier in Java (like disk id or motherboard id)
I am creating a small Java program. In there, I am creating a file called "James.txt". I am using this file to check whether the program has been moved from James's computer or not. What I have done there is, writing James's computer's IP address to that file. So, when he starts the program in the console, it will first check the file and will say "Hey James! Suprise!!!", and if the IP doesn't belong to James it will print "Sorry, This is for James Party".
But, the case is, IP address can be changed even in the same PC right? So, how can I uniquely identify James computer? Please help!
MAC Address will change if the NIC is changed. Motherboard may fail and be replaced. The same may apply to processorId, hard-disk id and stuff.
Bottom line -
Develop an identifier for your application
Have your application maintain an identifier on the user's computer
When your application asks the user to identify himself/herself with userid/password/biometrics, validate the identifier too and then display the message you must.
Technically, you can't uniquely identify any computer because everything can be 'spoofed'. You can even change your MAC address as easily as your IP if you know how.
That being said, some systems attempt to calculate combinations of values that together can be used to define a semi-unique instance. Generally these come from hardware identifiers, like:
MAC address
Hard disc identifier
CPUID
These are then mashed together in a way that provides a unique key with some tolerance for change (like a hardware upgrade). There is also a generated identifier used in some systems called UUID which is created when a filesystem is built.
To access some of these you may need to use JNI. Some of these are contentious (CPUID) because they can be used to track people on the internet and thereby reduce their anonymity.
Frequently access to these is unavailable from certain applications (like web browsers). It may be easier to establish a login/password form of security.
There is no way to guarantee a computer hasn't changed. Your best alternative is to write a key file to the machine on first run that you can then use to check against. Whilst this could be deleted, making it appear to be different, as long as you have used a sensible hash algorithm to generate your key (i.e. you can be confident no one else could generate it) then you can be happy that you are guaranteed a correct match when the key matches. This method will give you confidence in positive identifications but leave you open to false negatives, which isn't normally an issue. You should look to use something like an SHA algorithm based off some salted input that you can use as a reference.
Anything you can do in pure Java won't be very effective against a tech-savvy user who deliberately wants to 'break the system'.
But, nonetheless, low-tech things that you could do in pure Java:
just go ahead and store the MAC address; it's not totally reliable, but most users in practice won't change their MAC address;
allocate a random UUID and store it on the machine using the Preferences architecture; then, store that UUID, or a secure hash of it, in the program's local directory.
Either of these systems is easy to get round by a savvy user. But at the end of the day, a savvy user could doctor your class files to bypass whatever measure you put in place.
The disadvantage of the MAC address is that there is a 'legitimate' case external to your program where the MAC address may change, since a user may change their network devices.
IP address might change quite often (e.g. assigned using DHCP)
I propose to use serial number of disk or motherboard for identification.
Example of how to get these serial number on WINDOWS can be found here:
http://www.rgagnon.com/javadetails/java-0580.html (includes source code, platform dependent)
You could use the Java registry to write a simple value into the system registry. This will work on Linux and Windows and is a very basic way to do this. Not secure and quite hackable, but at least it's portable.
You can refer to read/write to Windows Registry using Java for some great examples.
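
An added example (not code from any of the answers above) of the key-file approach that two of the answers describe: a random UUID kept in the Preferences store, with a keyed SHA-256 hash (HMAC) of it written to a file in the program's directory. The class name, preference key, file name and embedded secret are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.UUID;
import java.util.prefs.Preferences;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class InstallBinding {
    // Assumption: a secret shipped inside the program. Anyone who extracts it can forge the tag.
    private static final byte[] APP_SECRET = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);
    private static final String PREF_KEY = "installId";            // hypothetical preference key
    private static final Path KEY_FILE = Paths.get("install.key"); // hypothetical file name
    enum Status { FIRST_RUN, MATCH, MISMATCH }

    // Keyed hash of the install ID; without APP_SECRET the tag cannot be recomputed.
    static byte[] tag(String installId) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(APP_SECRET, "HmacSHA256"));
        return mac.doFinal(installId.getBytes(StandardCharsets.UTF_8));
    }

    static Status check(Preferences prefs, Path keyFile) throws Exception {
        String id = prefs.get(PREF_KEY, null);
        if (id == null && !Files.exists(keyFile)) {
            // First run: create the ID on this machine and bind the key file to it.
            id = UUID.randomUUID().toString();
            prefs.put(PREF_KEY, id);
            prefs.flush();
            Files.write(keyFile, Base64.getEncoder().encode(tag(id)));
            return Status.FIRST_RUN;
        }
        if (id == null || !Files.exists(keyFile)) {
            return Status.MISMATCH; // one half is missing, e.g. the directory was copied elsewhere
        }
        byte[] stored;
        try {
            stored = Base64.getDecoder().decode(Files.readAllBytes(keyFile));
        } catch (IllegalArgumentException e) {
            return Status.MISMATCH; // key file was edited or corrupted
        }
        // Constant-time comparison of the stored tag with the recomputed one.
        return MessageDigest.isEqual(stored, tag(id)) ? Status.MATCH : Status.MISMATCH;
    }

    public static void main(String[] args) throws Exception {
        Preferences prefs = Preferences.userNodeForPackage(InstallBinding.class);
        System.out.println(check(prefs, KEY_FILE));
    }
}
```

Copying only the program directory to another machine yields MISMATCH because the Preferences entry is absent there; a user who copies both stores, or extracts the embedded secret, still gets MATCH, which is the limitation the answers point out.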

From Java, how to find out the physical location (city, country) of the computer where it's running?

Is it possible to know from Java where the computer where it's running is? If not, how can I do it using JNI? Or any scripts?
I'm building a Java system, and on login, I'm supposed to register on the database who's logging in, where and when. I just don't know how to get the where.
Unless you can get the client to send in some sort of coordinates (like GPS), you could use some IP-based solution, such as MaxMind GeoIP. They have lite versions of the city and country locating databases, which are free but less accurate. There are APIs available for most common languages.
You could use the ip-address to locate the country where the computer is running. There are several ip address databases available - just look them up in a search machine.
