Android Question Question for discussion - jRDC2

AlfaizDev · Jul 1, 2022

Question for discussion
I suppose I have a jRDC2 server.
And I linked it to my Android app.
Then I posted it on Google Play.

Let it be such an example.
https://www.b4x.com/android/forum/threads/b4xpages-jrdc2-mysql-crud-login.127241/#content

Someone unpacked my app and showed the entire code with reverse engineering.
And he used the deletion event and sent it to my server.

What's going to happen to my data?
Can this happen or not?

I've benefited a lot from this discussion.
https://www.b4x.com/android/forum/threads/jrdc2-is-it-safe.127018/

teddybear · Jul 1, 2022

alfaiz678 said:
Question for discussion
I suppose I have a jRDC2 server.
And I linked it to my Android app.
Then I posted it on Google Play.

Someone unpacked my app and showed the entire code with reverse engineering.
And he used the deletion event and sent it to my server.

What's going to happen to my data?
Can this happen or not?

I've benefited a lot from this discussion.
https://www.b4x.com/android/forum/threads/jrdc2-is-it-safe.127018/

Erel has replied to your question in the post

AlfaizDev · Jul 4, 2022

All right
But what is the possible way in which I can try to make the way for reverse programming hacker?
Any suggestions
If it happens, I expect it as in the question.

aeric · Jul 4, 2022

I suppose you only allow a user to access or delete his/her own data. When he/she logins with his/her user id and password, he/she get an access token or rights to access only his/her data and not other’s data. The SQL commands in jRDC2 should have this restriction.

AlfaizDev · Jul 5, 2022

aeric said:
I suppose you only allow a user to access or delete his/her own data. When he/she logins with his/her user id and password, he/she get an access token or rights to access only his/her data and not other’s data. The SQL commands in jRDC2 should have this restriction.

On this now, there are not many differences in safety between JRDC2
And among PHP
The whole thing is due to the programmer and his experience in securing his servant's data
Are there your commandments in this?
I mean to secure contact via Php
Especially since you have a lot about this
Thanks

aeric · Jul 5, 2022

I have shared example using PHP with user token but I have no example for jRDC2. I create my own REST API server for B4J and the security part I didn’t share out.

AlfaizDev · Jul 5, 2022

aeric said:
I have shared example using PHP with user token but I have no example for jRDC2. I create my own REST API server for B4J and the security part I didn’t share out.

I want about PHP
and not jRDC2
I saw your example and I'm using it
But we want some recommendations about security when connecting to a mysql database by php
Thanks

https://www.b4x.com/android/forum/threads/http-login-example-using-httputils2.50038/#post-312403

aeric · Jul 5, 2022

alfaiz678 said:
Http Login example using HttpUtils2

Http Login example using HttpUtils2 Introduction: Hi members, this is my first code sharing in this forum. This example is using HttpUtils2 library included in B4A v4.0. Hope this Code Snippet would help those who need a simple example on how to get started with log in to a website using user...

www.b4x.com

This is very old example.
Here is a newer one using API Key.

(PHP/MySQL/API) User Login App

Web API Updates: Latest B4XPages user login client apps (using B4J server): https://www.b4x.com/android/forum/threads/project-template-user-login-client-b4x.161914/ Older project: https://www.b4x.com/android/forum/threads/b4j-mysql-api-server-key-token-and-b4x-user-login-apps.126081/...

www.b4x.com

If you want to use Access Token, the concept is similar. Once you understand this example, you can modify to use Access Token. You can refer to my B4J example.

teddybear · Jul 5, 2022

alfaiz678 said:
I want about PHP
and not jRDC2
I saw your example and I'm using it
But we want some recommendations about security when connecting to a mysql database by php
Thanks

https://www.b4x.com/android/forum/threads/http-login-example-using-httputils2.50038/#post-312403

It is secure to your App accesses a dbserver through webAPI, instead of jdbc or jdrc2

DonManfred · Jul 5, 2022

teddybear said:
It is secure to your App accesses a dbserver through webAPI, instead of jdbc or jdrc2

It depends on the security you add to it

aeric · Jul 5, 2022

teddybear said:
It is secure to your App accesses a dbserver through webAPI, instead of jdbc or jdrc2

jRDC2 is very secured too. The jRDC2 example is for demonstration only. We need to implement our own security. Use better SQL commands and you are good to go.

B4X:

sql.delete_notes_by_id=DELETE FROM notes WHERE id = ? 'bad

sql.delete_notes_by_id=DELETE FROM notes WHERE id = ? AND user_id = ? AND user_id IN (SELECT user_id FROM user WHERE user_token = ?) ' good

teddybear · Jul 5, 2022

For a released app, connecting to the database through JDBC directly，there is a risk to be cracked by reverse engineering. once it is cracked，hacker can exceute high-risk sql such as delete /drop etc， API can reduce this risk a lot

aeric · Jul 5, 2022

teddybear said:
For a released app, connecting to the database through JDBC directly，there is a risk to be cracked by reverse engineering. once it is cracked，hacker can exceute high-risk sql such as delete /drop etc， API can reduce this risk a lot

Yes, I also don’t recommend JDBC direct connection. Use a server to manage the client app.

AlfaizDev · Jul 5, 2022

All right
Thank you, we've benefited a lot.

If the developer saves by encrypting the orders in the app by B4XCipher
It does not include code encrypt password in the app
It only gives it to the user.
Can the hacker access these encrypted orders?

I mean the orders that the app gives php pages on the server

aeric · Jul 5, 2022

What you want to achieve or protect?
Encryption may protect man in the middle attack. Password is not (or should not) attached to the data when you send/receive data. If the hacker gain the encrypted data meaning he/she first need to figure out how to decrypt the data. Security does not mean you make it 100% impossible for hacker to break it but you make it more difficult for them. It’s like you add more complex locks at your house. You also need to find ways to hide your keys. In B4X, you can use obfuscation.

AlfaizDev · Jul 5, 2022

I mean, it's with b4XCipher.
Then export the application in the form of obfuscation.
We might have done some protection that might be okay.
Do you think so?

aeric · Jul 5, 2022

alfaiz678 said:
I mean, it's with b4XCipher.
Then export the application in the form of obfuscation.
We might have done some protection that might be okay.
Do you think so?

If a hacker get the encryption key, he/she can write a B4A app to decrypt the message using B4XCipher. I am not a security expert to advise. You need to understand, a hardcore hacker can do a lot of things to bypass whatever you do. If the data of your app is so crucial, it is better for you to engage a security expert. Otherwise, much concern is unnecessary. For me, I wont keep or transfer sensitive data so nothing I need to concern about. I am not sure what kind of sensitive data in a product order. Payment gateway will handle the security such as 2FA and OTP. I will just follow the guideline from the payment gateway provider if my app involve monetary features.

Android Question Question for discussion - jRDC2

AlfaizDev

Well-Known Member

teddybear

Well-Known Member

AlfaizDev

Well-Known Member

aeric

Expert

AlfaizDev

Well-Known Member

aeric

Expert

AlfaizDev

Well-Known Member

aeric

Expert

Http Login example using HttpUtils2

(PHP/MySQL/API) User Login App

teddybear

Well-Known Member

DonManfred

Expert

aeric

Expert

teddybear

Well-Known Member

aeric

Expert

AlfaizDev

Well-Known Member

aeric

Expert

AlfaizDev

Well-Known Member

aeric

Expert

Similar Threads