Android Question Question for discussion - jRDC2

AlfaizDev

Well-Known Member
Licensed User
Question for discussion
I suppose I have a jRDC2 server.
And I linked it to my Android app.
Then I posted it on Google Play.

Take this as an example.
https://www.b4x.com/android/forum/threads/b4xpages-jrdc2-mysql-crud-login.127241/#content


Someone unpacked my app and exposed the entire code through reverse engineering.
Then he took the delete event and sent it to my server.

What's going to happen to my data?
Can this happen or not?

I've benefited a lot from this discussion.
https://www.b4x.com/android/forum/threads/jrdc2-is-it-safe.127018/
 

teddybear

Well-Known Member
Licensed User
Erel has replied to your question in the post
 
Upvote 0

AlfaizDev

Well-Known Member
Licensed User
All right
But what is a possible way in which I can try to deal with a reverse-engineering hacker?
Any suggestions?
If it happens, I expect it as in the question.
 
Upvote 0

aeric

Expert
Licensed User
Longtime User
I suppose you only allow a user to access or delete his/her own data. When he/she logs in with his/her user id and password, he/she gets an access token or rights to access only his/her data and not others' data. The SQL commands in jRDC2 should have this restriction.
 
Upvote 0

AlfaizDev

Well-Known Member
Licensed User
So, as it stands, there are not many differences in safety between jRDC2
and PHP.
The whole thing comes down to the programmer and his experience in securing his server's data.
Do you have any recommendations on this?
I mean securing the connection via PHP,
especially since you have written a lot about this.
Thanks
 
Upvote 0

AlfaizDev

Well-Known Member
Licensed User
Upvote 0

aeric

Expert
Licensed User
Longtime User
This is a very old example.
Here is a newer one using an API Key.

If you want to use Access Token, the concept is similar. Once you understand this example, you can modify to use Access Token. You can refer to my B4J example.
 
Upvote 0

teddybear

Well-Known Member
Licensed User
Upvote 0

aeric

Expert
Licensed User
Longtime User
It is secure for your App to access a dbserver through a webAPI, instead of JDBC or jRDC2
jRDC2 is very secure too. The jRDC2 example is for demonstration only. We need to implement our own security. Use better SQL commands and you are good to go.


B4X:
# bad: any caller who knows a note id can delete it
sql.delete_notes_by_id=DELETE FROM notes WHERE id = ?

# good: the note must belong to the caller, and the caller must hold a valid token
sql.delete_notes_by_id=DELETE FROM notes WHERE id = ? AND user_id = ? AND user_id IN (SELECT user_id FROM user WHERE user_token = ?)
 
Upvote 0
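The two queries above, and the ownership rule described earlier in the thread, are easiest to see side by side against a small database. The following is an added example, not code from the thread or from jRDC2 itself: it uses Python's built-in sqlite3 with a constructed `user`/`notes` schema (the table and column names follow the query in the post; the token values and row ids are made up) and runs the "bad" and "good" DELETE statements with the same parameters a client would send. The point it shows is that the server must not trust the delete request that arrives from the app; the `user_id` and `user_token` conditions in the query are what keep a caller from deleting rows that are not theirs, even if the app's code has been read.

```python
import sqlite3

# The two statements from the post (values are bound as parameters, never concatenated).
BAD_DELETE = "DELETE FROM notes WHERE id = ?"
GOOD_DELETE = (
    "DELETE FROM notes WHERE id = ? AND user_id = ? "
    "AND user_id IN (SELECT user_id FROM user WHERE user_token = ?)"
)


def make_db():
    """Constructed sample data: two users, one note each. Tokens are placeholders."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE user (user_id INTEGER PRIMARY KEY, user_token TEXT NOT NULL);
        CREATE TABLE notes (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, body TEXT);
        INSERT INTO user VALUES (1, 'tok-alice'), (2, 'tok-bob');
        INSERT INTO notes VALUES (10, 1, 'alice note'), (20, 2, 'bob note');
        """
    )
    return con


def delete_unscoped(con, note_id):
    """The 'bad' query: returns how many rows were deleted."""
    cur = con.execute(BAD_DELETE, (note_id,))
    con.commit()
    return cur.rowcount


def delete_scoped(con, note_id, user_id, token):
    """The 'good' query: the row must belong to user_id and token must belong to user_id."""
    cur = con.execute(GOOD_DELETE, (note_id, user_id, token))
    con.commit()
    return cur.rowcount


def remaining_note_ids(con):
    return [row[0] for row in con.execute("SELECT id FROM notes ORDER BY id")]


def demo():
    """Scenario: a caller holds Bob's token (user 2) but sends Alice's note id (10)."""
    results = {}

    con = make_db()
    # Bad query: the note id is the only thing checked, so Alice's note is gone.
    results["bad_deleted"] = delete_unscoped(con, 10)
    results["bad_remaining"] = remaining_note_ids(con)

    con = make_db()
    # Good query, honest user_id: the note is not Bob's, nothing is deleted.
    results["good_wrong_owner"] = delete_scoped(con, 10, 2, "tok-bob")
    # Good query, user_id claimed as 1: the token does not belong to user 1, nothing is deleted.
    results["good_forged_user_id"] = delete_scoped(con, 10, 1, "tok-bob")
    # Good query on Bob's own note with Bob's token: exactly one row deleted.
    results["good_own_note"] = delete_scoped(con, 20, 2, "tok-bob")
    results["good_remaining"] = remaining_note_ids(con)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same idea carries over to the API key or access token approach mentioned later in the thread: whatever the client presents, the query (or the server code around it) has to bind the row to the authenticated caller, because the client itself can be read and replayed.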

teddybear

Well-Known Member
Licensed User
For a released app, connecting to the database through JDBC directly, there is a risk of being cracked by reverse engineering. Once it is cracked, a hacker can execute high-risk SQL such as delete/drop etc. An API can reduce this risk a lot.
 
Upvote 0

aeric

Expert
Licensed User
Longtime User
For a released app, connecting to the database through JDBC directly, there is a risk of being cracked by reverse engineering. Once it is cracked, a hacker can execute high-risk SQL such as delete/drop etc. An API can reduce this risk a lot.
Yes, I also don't recommend a JDBC direct connection. Use a server to manage the client app.
 
Upvote 0

AlfaizDev

Well-Known Member
Licensed User
All right
Thank you, we've benefited a lot.

If the developer protects the orders in the app by encrypting them with B4XCipher,
and does not include the encryption password in the app's code,
but only gives it to the user,
can the hacker access these encrypted orders?

I mean the orders that the app sends to the PHP pages on the server.
 
Upvote 0

aeric

Expert
Licensed User
Longtime User
What do you want to achieve or protect?
Encryption may protect against a man-in-the-middle attack. The password is not (or should not be) attached to the data when you send/receive data. If the hacker gains the encrypted data, it means he/she first needs to figure out how to decrypt the data. Security does not mean you make it 100% impossible for a hacker to break it, but you make it more difficult for them. It's like you add more complex locks at your house. You also need to find ways to hide your keys. In B4X, you can use obfuscation.
 
Upvote 0

AlfaizDev

Well-Known Member
Licensed User
I mean, it's with b4XCipher.
Then export the application in the form of obfuscation.
We might have done some protection that might be okay.
Do you think so?
 
Upvote 0

aeric

Expert
Licensed User
Longtime User
I mean, it's with b4XCipher.
Then export the application in the form of obfuscation.
We might have done some protection that might be okay.
Do you think so?
If a hacker gets the encryption key, he/she can write a B4A app to decrypt the message using B4XCipher. I am not a security expert to advise. You need to understand, a hardcore hacker can do a lot of things to bypass whatever you do. If the data of your app is so crucial, it is better for you to engage a security expert. Otherwise, much concern is unnecessary. For me, I won't keep or transfer sensitive data so there is nothing I need to be concerned about. I am not sure what kind of sensitive data is in a product order. The payment gateway will handle the security such as 2FA and OTP. I will just follow the guidelines from the payment gateway provider if my app involves monetary features.
 
Upvote 0