Android Question httpserver + html5 - security issue?

Eme Fibonacci

I have a game made in html5. The html game does not work offline. Then I made the following solution:
My app has a httpserver as server and a webview that works as player.
This works, but I have a curious situation: if the device is on an intranet and another device gets the IP of the first device with the game, it will access the server and run the game too.
Of course it made me think about security issues.
If there is an httpserver running as the game server, can this make the device vulnerable?

Thank you.
 

DonManfred

Check if the request is coming from a trusted app. If not, then block the request.
I don't know how to check where the request is coming from. I have never used an httpserver in my app.
 

Eme Fibonacci

You can check the client ip address with Servlet.RemoteAddress. It should be 127.0.0.1 for the local requests.
If I try to stop the service an error is generated.
So I can do this:
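B4X:
Sub Server_HandleRequest (Request As ServletRequest, Response As ServletResponse)
    'Log the address of the client that sent this request
    Log(Request.RemoteAddress)
    'Close the app if the request did not come from this device
    If Request.RemoteAddress <> "127.0.0.1" Then
        ExitApplication
    End If
End Sub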

In any case, are there security issues involved with my app? Does leaving an active server to run an html5 game make the device vulnerable?
 

Eme Fibonacci

You can call Server.Stop to stop the service.


It depends on your server code. The client can only send requests to the server.

There is no special code on the server. Only the code available in this tutorial:
https://www.b4x.com/android/forum/threads/25984/#content

My game is totally made in html5 but it does not work offline. So I'm embedding a mini server.
I am thinking about whether an attacker could somehow use the server to hack into the device and gain access to other folders and functions of other applications.
What do you think?
Thank you.
 

Erel

B4X founder
Staff member
I am thinking about whether an attacker could somehow use the server to hack into the device and gain access to other folders and functions of other applications.
What do you think?
Remove the external storage permission and set TempFolder to File.DirInternal. Your app will not be able to access any external files.
 
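The two mitigations raised in this thread (answering only requests from the local device, and keeping the server confined to the app's own files), as an added example that is not code from the thread or from the B4X tutorial. It is written in Python rather than B4X and goes slightly beyond the posts: it also recognizes IPv6 and IPv4-mapped loopback addresses, answers remote peers with 403 rather than closing the app, and binds to 127.0.0.1. The folder name game_assets, port 8080 and all function names are assumptions.

```python
import ipaddress
import mimetypes
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path
from urllib.parse import unquote, urlsplit

GAME_ROOT = Path("game_assets").resolve()  # assumed app-private asset folder

def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8, ::1 and IPv4-mapped loopback (::ffff:127.0.0.1)."""
    try:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
    except ValueError:
        return False
    mapped = getattr(ip, "ipv4_mapped", None)  # None for plain IPv4
    return (mapped or ip).is_loopback

def resolve_asset(root: Path, uri: str):
    """Map a request URI to a path under root; None if it would escape root."""
    rel = unquote(urlsplit(uri).path).lstrip("/")
    if "\x00" in rel:
        return None
    candidate = (root / rel).resolve()  # collapses ".." and follows symlinks
    inside = candidate == root or root in candidate.parents
    return candidate if inside else None

class GameHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Refuse non-local peers with 403 instead of terminating the app.
        if not is_loopback(self.client_address[0]):
            self.send_error(403)
            return
        target = resolve_asset(GAME_ROOT, self.path)
        if target is None or not target.is_file():
            self.send_error(404)
            return
        body = target.read_bytes()
        ctype = mimetypes.guess_type(target.name)[0] or "application/octet-stream"
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def make_server(port: int = 0) -> ThreadingHTTPServer:
    # Binding to 127.0.0.1 (not 0.0.0.0) keeps the port unreachable from the LAN.
    return ThreadingHTTPServer(("127.0.0.1", port), GameHandler)

if __name__ == "__main__":
    make_server(8080).serve_forever()  # port 8080 is a constructed example value
```

A plain string comparison against "127.0.0.1" treats a local request that arrives as ::1 or ::ffff:127.0.0.1 as remote, which is why the address is parsed here rather than compared as text.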