Assuming you are simply storing this data in a SQLite DB and doing nothing else with it, really the only thing you have to sanitize the data for would be SQL injection attacks; here's a quick example that Google brings up.

Thanks - I did a bit of googling from that and found this article: bit.ly/fqmvEC - as long as you use the tx.executeSql('INSERT INTO table (id) values (?)', [id]); form, that provides some protection.

JQuery mobile app - form security issues - Stack Overflow

jquery security cordova jquery-mobile
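
As an added example (this is not code from the original answer, nor from jQuery Mobile or Cordova), the JavaScript below shows what the tx.executeSql('... (?)', [id]) form buys you compared with building the statement by string concatenation. The call shape mirrors the Web SQL / Cordova SQLite plugin API, the table name, the attacker input PAYLOAD and the benign input are constructed for the demo, and the statement splitter is a deliberately minimal picture of how a SQL engine would tokenize the two strings; it is an illustration, not a sanitizer.

```javascript
// Added example: string-built SQL versus bound parameters (Web SQL / Cordova style).
// Names ("users", PAYLOAD) are constructed; splitStatements() is illustrative only.

// Vulnerable form: the user-supplied value becomes part of the SQL text.
function buildInsertUnsafe(id) {
  return "INSERT INTO users (id) VALUES ('" + id + "')";
}

// Safe form: the SQL text is a constant; the value travels separately as a
// bound parameter, exactly as tx.executeSql(sql, [id]) passes it to the engine.
function buildInsertSafe(id) {
  return { sql: "INSERT INTO users (id) VALUES (?)", params: [id] };
}

// Split SQL text into top-level statements the way an engine would see them:
// ';' inside a single-quoted literal ('' is the escaped quote, as in SQLite)
// does not end a statement, and "--" outside a literal discards the rest of the line.
function splitStatements(sql) {
  const out = [];
  let cur = "";
  let inQuote = false;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (inQuote) {
      cur += ch;
      if (ch === "'") {
        if (sql[i + 1] === "'") { cur += "'"; i++; } else { inQuote = false; }
      }
      continue;
    }
    if (ch === "'") { inQuote = true; cur += ch; continue; }
    if (ch === "-" && sql[i + 1] === "-") {
      const nl = sql.indexOf("\n", i);      // comment runs to end of line
      i = nl === -1 ? sql.length : nl;
      continue;
    }
    if (ch === ";") { if (cur.trim()) out.push(cur.trim()); cur = ""; continue; }
    cur += ch;
  }
  if (cur.trim()) out.push(cur.trim());
  return out;
}

// Constructed attacker input: closes the literal, appends a second statement,
// and comments out whatever the original query had after the value.
const PAYLOAD = "42'); DROP TABLE users; --";

// Run both forms against the payload and report what the engine would execute.
function demo() {
  const unsafe = splitStatements(buildInsertUnsafe(PAYLOAD));
  const safe = buildInsertSafe(PAYLOAD);
  return {
    unsafeStatements: unsafe,                  // two statements, the second drops the table
    safeStatements: splitStatements(safe.sql), // one statement, unchanged
    safeParams: safe.params,                   // the payload stays an inert string value
  };
}
```

The bound parameter never passes through the SQL tokenizer, so the quote and the semicolon in it are just characters in a stored string. Note what binding does not do: if the value stored here is later written into the page with jQuery (for example via .html()), that is a separate injection problem (into HTML, not SQL) and needs output encoding at the point of rendering.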

Risking a Realistic Answer

I'd like to provide an answer that helps the developer understand the public relations aspect of product design, taking the risk of criticism. Frankly, one cannot write great apps in a computer science vacuum. Satisfying user needs and balancing them with security is one of the primary issues in software interface and behavioral design today, especially in the mobile space.

From this perspective, your question, "Is there any way to detect if a user uses a fake location in this case?" may not be the most pertinent question you face. I'm not being evasive by asking this other question that may help you more and it is something I can answer well: "Is there any way to securely get the data from the user's device's geocoordinate firmware such that it cannot be spoofed?"

It is not part of the Android client-server contract or that of its competitors to guarantee user device location information.

There is actually a market force that will probably push against such a guarantee indefinitely. Many device owners (and your users) want control over whether people know their true location for privacy and home and family security reasons.

The next question you can ask yourself as a designer of your software is, "How can the app or library work and provide for the needs I seek to fill with a certain percentage of the user community using today's (or tomorrow's) location spoofing software?"

If you are writing business intelligence software or there is some other statistical aspect to your system, then you need the software equivalent of error bars. If you display the stats, then the error bars would be an appropriate graphing feature. Estimating the percentage of location spoofers out of a population of users would require further study.

android - Detect or prevent if user uses fake location - Stack Overflo...

android gps location google-api-client

I doubt that you can do this on any (protected) platform... I don't think any mobile OS would allow this, because of the security and privacy issues; imagine you visit a website and all of a sudden, without your permission, your Bluetooth is on and discoverable.

javascript - automatically enable bluetooth discoverability, when app ...

javascript ios bluetooth cross-platform discoverability

If anything, Angular 2.0 is more mobile-aware than 1.3. My team has built a mobile-only application with Angular 1.3 and it works quite well. We've also wrapped it in Cordova to build native mobile apps, although there were more issues there due to third-party JavaScript. The main problem with starting a new app with Angular 1.3 today is that eventually Google will only push security fixes, and no new features will come to the framework. If you build a one-off app, that's fine, but if you're building a new product that will keep on evolving over the next 2 years, 1.3 is not the right choice anymore.

The main challenge I would say we have is that it takes a while to load upon the first page-load. We're a content site with little user "functionality" and while Angular has been good, I don't think it's the best solution for a plain content site; Angular is really meant for applications where you want users to interact with things on the screen without creating new pageloads for every click.

angularjs - Is Mobile Angular UI a framework I can use for a mobile ht...

angularjs html5 angular-ui

I would recommend you to have a look at the following project:

What are the common security issues that has to be addressed for Andro...

android security android-permissions

PhoneGap runs your code in its own environment which doesn't have any tools to modify or break your JavaScript code. And although I feel weird saying that, you can sanitize your inputs with JavaScript as long as it's in the same function that sends them (so that no error of program flow design can cause it to be skipped).

JQuery mobile app - form security issues - Stack Overflow

jquery security cordova jquery-mobile

Sounds like you're aiming to build a Public API. This should be standalone and handle security by itself - the MVC website is just another client (that might happen to live in the same solution), but ideally you shouldn't have too many references between them (basically just the API contract). This way you'd also be able to catch broken backwards compatibility issues earlier, instead of the MVC site always working in a strongly typed manner (even through refactorings), while the other (especially mobile clients) wouldn't - you'll have to resort to versioning the API.

Performance really shouldn't be an issue if you take certain measures on the server side (e.g. caching), there's tons of APIs that work in this fashion.

c# - How to implement the same authentication mechanism for both the a...

c# mobile asp.net-web-api authorization restful-architecture

This functionality is not supported in most browsers because of the security issues with allowing a web page to have access to your clipboard. This is not only Mobile Safari. You won't find it supported in most browsers (like Chrome or Firefox).

Some people use a Flash work-around called zClip/ZeroClipboard that does allow copying to the clipboard, but only from a direct user click on the Flash object. This is obviously not an option in mobile safari.

If you are only trying to move data around within your page, then you don't have to use the system clipboard to do that - you can create your own holding area for the data (a javascript variable) and put the data there upon Copy and retrieve it from there upon Paste. Then, you use normal DOM functions (not copy/paste functions) to get the data from a field or to put the data into a field.

execCommand("Paste");

@Altaveron - I don't think you can do it from javascript on mobile Safari. You can put the text into a field, pre-select it and ask the user to use the normal end-user convention for copying it to the clipboard. That's life in a web application these days.

javascript - Copy&Paste doesn't work on Mobile Safari and CodeMirror -...

javascript clipboard codemirror

You need to have your mobile app authenticate into your API. There are a few ways you could go about it: using Basic authorization, OAuth 1.0a, or even OAuth 2 (client-credentials flow). This will allow your mobile app to have the credentials to your REST service, but no one else. Using HTTPS will combat man-in-the-middle attacks but does come with some overhead. Comparing HTTP vs HTTPS, HTTP will always be faster, but I highly recommend HTTPS.

I think you can find a lot of good pointers in this post:

php - Security issues with mobile app - Stack Overflow

php android json security ssl

All right, first take a deep breath. You are probably not going to like some of my answers, but you'll be living with the same issues that we all are.

My advice to you is not to worry about it. Put your time into creating a truly great app. The people who will pay for it will pay for it. The folks who decompile it would never buy the app no matter what. The more time you take trying to combat the hackers takes away from the time you could use to make your app greater. Also, most anti-hacking measures just make life harder for your actual users so in fact they are counter productive.

I have a few questions for you: nowadays a lot of public REST APIs use OAuth, or Amazon's model (for AWS). Won't these be sufficient for mobile apps? (With reference to your answer, I think both OAuth and Amazon's model do use HTTPS...) Also, HTTPS won't be possible with local apps since some functionality of PhoneGap requires a local web page only?... Thanks

OAuth works well with PhoneGap apps. Well, if all the pages are local then there is no communication with the outside world and thereby nothing for hackers to sniff.

Mr. MacDonald's reply, while well-intentioned, does not account for the developers who are concerned about app uncompression for this reason instead: Other developers may read the code, pirate it, and use it to develop a competing app. That's a serious and legitimate concern, and needs to be taken into consideration when pondering the use of PhoneGap.

Oh, you did not just "Mr. MacDonald" me? Just kidding. Sure that is a legitimate concern but it is not limited to only PhoneGap or hybrid apps. I can take a native Android or iOS app and decompile it and read your code just as easily as I can with hybrid apps. So I don't think that is a good reason to exclude PhoneGap when you are determining what technologies to use when building mobile apps.

cordova - Security considerations when creating a mobile app using Pho...

security cordova

Mobile Computing - Conclusion

Today's computing has rapidly grown beyond being confined to a single location. With mobile computing, people can work from the comfort of any location they wish, as long as connectivity and security concerns are properly factored in. In the same light, the presence of high-speed connections has also promoted the use of mobile computing.

Being an ever-growing and emerging technology, mobile computing will continue to be a core service in computing and in Information and Communication Technology (ICT).


I have some experience working with Yandex (No. 1 Russian search engine) OAuth servers. This is how they do it...

The OAuth server is accessed only by HTTPS. Thus, the token is transferred over the network in encrypted form. As it is HTTPS, the client can check the server's validity via certificate checking.

Also, they recommend storing the received access token in an encrypted way. As for me, I have my own storage implementation, which stores the access token 3DES-encrypted in SharedPreferences. The key for the 3DES encryption is a user-selected "PIN code". Each time the application starts it requests the PIN and then tries to decrypt the token.

Olegas, are you validating the PIN and then decrypting the access token on the Android phone or passing the encrypted access token and PIN to the server for decrypting and validation? Thanks.

I'm trying to decrypt the token on the client side; if it is successful, I'm transmitting the token to the server with my request via HTTPS.

OAuth security issues on an Android mobile phone? - Stack Overflow

android security mobile oauth token

If you use a secure connection (HTTPS) sending username/password won't be an issue. Other things to think of are, session timeout and session caching on the mobile devices, and the security steps needed for that, intermittent network connectivity issues etc.

See my answer about sending username & password as POST, not as GET - I learned that though bitter experience :)

I understand, I hadn't meant to imply using GET method. However I didn't know about the server logs aspect. One more thing learnt today. Thanks.

How to create REST authentication for iOS and Android mobile apps - St...

android ios authentication rest mobile

Actually, Android has several things you need to be aware of in addition to the two mentioned by sandrstar

What are the common security issues that has to be addressed for Andro...

android security android-permissions

Mobile Computing - Security Issues

Mobile computing has its fair share of security concerns, as does any other technology. Because mobile devices are nomadic, it is not easy to monitor whether they are being used properly, and users may have different intentions for how to exercise that privilege. Improper and unethical practices such as hacking, industrial espionage, piracy, online fraud and malicious destruction are just a few of the problems mobile computing experiences.

Another big problem plaguing mobile computing is credential verification. It is not possible to confirm that the person using a device is its legitimate user, and users also share usernames and passwords, which is another major threat to security. Because this is such a sensitive issue, many companies are reluctant to implement mobile computing owing to the danger of misrepresentation.

Identity theft is very difficult to contain or eradicate. Unauthorized access to data and information by attackers, who break in to steal vital data from companies, is also a persistent problem and has been a major headache and hindrance in rolling out mobile computing services.

No company wants to lay its secrets open to attackers and other intruders, who will in turn sell them to competitors. It is therefore important to take the necessary precautions to minimize these threats. Some of those measures include

These are just a few of the ways to deter possible threats for any company planning to offer mobile computing. Since information is vital, all possible measures should be evaluated and implemented to safeguard it.

In the absence of such measures, exploits and other unknown threats can infiltrate and cause irreparable harm at great cost, whether to reputation or in the form of financial penalties, and systems can easily be misused for unethical purposes.

Another issue is online security. If this factor is not properly addressed, it can be an avenue for constant threat. Theft and espionage are further factors limiting full utilization. Various threats to security still exist in implementing this kind of technology.


Contrary to the premise of the question: One of the first mainstream mobile devices was the Newton, which was designed to use a specialized dynamic language called NewtonScript for application development. The Newton development environment and language made it especially easy for applications to work together and share information - almost the polar opposite of the current iPhone experience. Although many developers writing new Newton applications from scratch liked it a lot - NewtonScript "feels" a lot like Ruby - the Newton had some performance issues and porting of existing code was not easy, even after Apple later added the ability to incorporate C code into a NewtonScript program. Also, it was very hard to protect one's intellectual property on the Newton - other developers could in most cases look inside your code and even override bits of it at a whim - a security nightmare.

The Newton was a commercial failure.

Palm took a few of Apple's best ideas - and improved upon them - but tossed dynamic language support as part of an overall simplification that eventually led to PalmOS gaining a majority of the mobile market share (for many years) as independent mobile software developers flocked to the new platform.

There were many reasons why the Newton was a failure, but some probably blame NewtonScript. Apple is "thinking different" with the iPhone, and one of the early decisions they seem to have made is to leverage as much as possible off their existing core developer base and make it easy for people to develop in Objective C. If iPhone gets official support for dynamic languages, that will be a later addition after long and careful consideration about how best to do it while still providing a secure and high-performance platform.

NewtonScript required a lot of resources (CPU and memory) for a handheld device at the time; the performance was perfectly acceptable, though. At the end, the MessagePad 2100 was nearly $1000, a >100MHz StrongARM with 4MB RAM whereas a Palm Pilot was much cheaper, ran in <1MB RAM with a slow 68K-derivative processor. Of the mainstream languages today, NewtonScript is most related to JavaScript - they're both prototype-based. The Danger/Android platforms are probably the closest to this ideal today, as both of their Java VMs perform a preprocessing step on the host and are relatively simple.

Actually, NewtonScript was the second language for Apple's Newton project: The first was even more dynamic, Dylan [probably a pun on Dynamic Language], implemented in Macintosh Common Lisp. That project was killed, replaced by something with less unacceptable performance. (I love the Newton as a programmer, but even I have to admit that for the user, it was too slow.) Time will tell whether Apple's competitors are now repeating Apple's mistake.

One of the features of NewtonScript, differential inheritance, allowed this very dynamic, object-oriented programming language (which could also be compiled into byte code) to function with very low memory requirements, considering. It meant that child/related objects needed only to store data that was different from parent/related objects. Of course, the searching to implement this led to some of the performance issues. Io, a NewtonScript cousin, also implements differential inheritance.

Python/Ruby as mobile OS - Stack Overflow

python ruby mobile operating-system dynamic-languages

From your answer I am getting that we create native apps only for security issues, but what is the risk if we are doing transactions using the mobile version of the website?

Need of creating dedicated Android and IPhone Applications - Stack Ove...

android iphone web-applications

All of production of IP's security seems to produce a giant bug to users before getting connected. Symbian 60s has the fullest capability to left an untraced, reliable and secure signal in the midst of multiple users (applying Opera Handler UI 6.5, Opera Mini v8 and 10) along with the coded UI's, +completely filled network set-up. Why restrict for other features when discoverable method of making faster link method is finally obtained. Keeping a more identified accounts, proper monitoring of that 'true account'-if they are on the track-compliance of paying bills and knowing if the users has an unexpired maintaining balance will create a more faster link of internet signal to popular/signatured mobile industry. Why making hard security features before getting them to the site, a visit to their accounts monthly may erase all of connectivity issues? All of the user of mobile should have no capability to 'get connected' if they have unpaid bills. Why not provide an 'ALL in One' -Registration/Application account, a programmed fixed with OS, (perhaps an e-mail account) instead with a 'monitoring capability' if they are paying or not (password issues concern-should be given to other department). And if 'not' turn-off their account exactly and their other link features. Each of them has their own interests to where to get hooked daily, if you'd locked/turn them off due to unpaid bills that may initiate them to re-subscribe and discipline them more to become a more responsible users and that may even expire an account if not maintained. Monthly monitoring or accessing of an identified 'true account' with collaboration to the network provider produces higher privacy instead of always asking for users 'name' and 'password', 'location', 'permissions' to view their data services. IP's marked already their first identity or 'finding the location of the users' so, it seems unnecessary to place it on browsers pre-searches, why not use 'Obtaining data' or 'Processing data.'

json - Simple, secure API authentication system - Stack Overflow

json api rest key