I'm using back4app as my back-end for my android application. My concern is that I don't see how I can stop hackers from spamming user creation in my database.
Since the client key and app ID is shipped with the app itself, anyone can use it and keep creating fake users.
Also if I disable user creation from application, there's no way for my actual users to sign up. I hope I was able to explain my situation properly.
How can I guard my application against this unintended usage?
Related
I am working with Google Firestore in native mode and CRUD'ing data within it using the "cloud.google.com/go/firestore" api in Go. Access to the data is wide open as long as you know the project id and using the Firestore API on a server. I don't want to try the rules until I figure out how to secure the data from server attacks that. Again, all the API requires is the project id to access the data so I need to lock that down firstly before I move any further. Rules are only for mobile/web clients from what I read and Server side clients completely bypass the rules. Please help. I do not want to use the Firebase API because attackers can still use the Firestore api to access the data.
It's unclear from the limited information in your question but, your Firestore database is not open to anyone with the Project ID.
The service is only accessible to any thing (human|machine) that has valid credentials. Either humans with e.g. Gmail accounts or Service Account key holders.
In either case, only identities that you've explicitly added to the project will be able to access its resources and then only those with the appropriate IAM roles|permissions.
Google provides an elegant facility called Application Default Credentials (ADCs) that simplifies authenticating clients.
I suspect that your code is using ADCs to authenticate you to the project|service.
Access to the data is wide open as long as you know the project id and using the Firestore API on a server.
If that is a concern, consider disallowing all access in the Firebase security rules for your Firestore database.
Also have a look at my answer here to understand why sharing your project ID is not a security concern, and in fact is necessary if you want to allow direct access from client-side devices: Is it safe to expose Firebase apiKey to the public?. If you don't want to allow direct client-side access, closing down the security rules (as they are by default, unless you choose test mode when creating the database) is the way to go.
I have a Teams application (Tab). I am an ISV provider, and provide a multi-tenant application that is installed by customers via Teams App Store in their organizations.
How do I save settings for my application organization-wide for the customers? For example, CustomerA has installed the app and then CustomerB. I want some storage that would be unique for CustomerA and CustomerB and the app, and located in customer's environment. The settings I want to save are not per-user, but per-organization (tenant).
Somewhat similar to "App Data" folder you have in Windows Desktop for example.
Does such a storage exist? Does API for this storage exist?
A tab app is a simply a web application that you render inside of Teams. As a result, what the app does, and where and how it does it, is totally up to you. This includes any data storage you choose to have behind the scenes. For example, your tab could be built in PHP and use MySQL, or built in ASP.Net and use SQL Azure or CosmosDB. It's totally up to you, but you need to implement it yourself, as an ISV.
The important piece to differentiate clients, however, is being aware of the TenantId for each user, so you can look up which client's settings you need from the database. The most simple way to do this is simply the tid property on the Teams tab context. You can read more about that here. Unfortunately, because it's just accessed via Javascript, it's not entirely secure - for a more secure mechanism, you should be creating an Azure Application, and generating jwt tokens that you can authenticate against in your backend. It's a much more complex topic, but hopefully this answer at least gives the background you need. For more info on the security aspects (validating the token etc.), please see this question: How to restrict access to Azure Function to only allow requests from a custom Microsoft Teams App?.
I want to keep track (with persistency) of users interactions with a microservice application developed with spring boot, so that i could consult them if something happened even maybe a year later.. One solution i found was use event sourcing and the problem was gone.. but due to some constraints i cannot go with that solution (in this project) so i was wondering..
Question
How can I track all user interactions and persist them in a spring boot microservice application?
if all the interactions that you want to track are sent to the server, then you can persist them in the database when the request is received in the server. To know who is the user you must need a way to identify him, for example, by using a token if the user is authenticated.
However, although this can be a solution the usual way to do this is using google analytics https://analytics.google.com/analytics/web/provision/#/provision
or snowplow https://snowplowanalytics.com/
Any of them track the actions done by the user in the frontend of the application
I have a business LS web application which I update from time to time.
I do the update by simply using the deploy wizard and everything is working great.
My problem is handling all my users that opened my system in their IE and left it open through my deploy process.
Since they have the old web application is opened on their browsers, and I have deployed the new version to the server, I can see errors occuring in certain situations.
Is there a way to make sure all users with the application opened will be forced to refresh the web application page? Maybe remotely disconnect all currently connected users?
There is no built in way of doing this. You will need to write a custom solution. Someone in the MSDN Forums has written a class to do this for OOB apps.
You should be able to reuse the timer part of that class. I'm not sure if the UpdateAvailable method will work for Web-based applications or not. You'll have to experiment with that.
Alternatively, you can create a custom notification system. Insert a message to your users into a table in your database from the administrator account. Have a timer on the user account check the table every so often. If it finds a new message, display a notification to the user.
Then you can use either an HTTP Response Header or an ASP method to log the users out as described in this Microsoft Support article.
I'm building an Cocoa application that modifies a file on the user's operating system which requires admin permission. I have a proof of concept working which uses authopen but it doesn't deliver the UX experience I am hoping to achieve. Every time the file is modified it prompts the user to enter their password. Is there a way to have permissions granted to the application for the duration of its life?
Goal:
Application asks user for password once ever, going forth application does not prompt for password.
Next Best:
Application asks user for password once at application launch, going forth application does not prompt for password until application restart.
I'm aware of Authorization Services and the possibility of creating a Daemon which deals specifically with modifying privileged files, what I'm curious about is if either of my listed goals are even possible before diving too deep into another system.
Really appreciate any suggestions, critiques or helpful links.
Cheers,
Dustin
Yes, using Authorization Services is the way forward. You get an AuthorizationRef in your application via AuthorizationCopyRights() (which shows the UI if needed), and pass this to your helper (by packaging it up into an external form) which verifies that it actually got the necessary right before performing the privileged task. Authorization Services is able to register rights in the /etc/authorization database, so if you choose a custom right you can choose the default settings for who is allowed to acquire it, what timeout or other conditions exist and so on.
To deploy your privileged helper tool, you should use the Service Management framework, in particular SMJobBless() which verifies that the code signing identities on your client and helper match before deploying the helper as a launchd job. Then your helper can be initiated on demand by the main application.
Feel free to ask if you want clarification on any step in the answer, however I already wrote about both of these aspects of privilege separation in my book Professional Cocoa Application Security so feel free to buy a copy or two ;-).