Android Question Question for discussion - jRDC2

A

alfaiz678

Active Member
Licensed User
Question for discussion
I suppose I have a jRDC2 server.
And I linked it to my Android app.
Then I posted it on Google Play.

Let it be such an example.
https://www.b4x.com/android/forum/threads/b4xpages-jrdc2-mysql-crud-login.127241/#content


Someone unpacked my app and showed the entire code with reverse engineering.
And he used the deletion event and sent it to my server.

What's going to happen to my data?
Can this happen or not?

I've benefited a lot from this discussion.
https://www.b4x.com/android/forum/threads/jrdc2-is-it-safe.127018/
 
Sort by date Sort by votes
teddybear

teddybear

Well-Known Member
Licensed User
alfaiz678 said:
Question for discussion
I suppose I have a jRDC2 server.
And I linked it to my Android app.
Then I posted it on Google Play.

Someone unpacked my app and showed the entire code with reverse engineering.
And he used the deletion event and sent it to my server.

What's going to happen to my data?
Can this happen or not?

I've benefited a lot from this discussion.
https://www.b4x.com/android/forum/threads/jrdc2-is-it-safe.127018/
Click to expand...
Erel has replied to your question in the post
 
Upvote 0
A

alfaiz678

Active Member
Licensed User
All right
But what is the possible way in which I can try to make the way for reverse programming hacker?
Any suggestions
If it happens, I expect it as in the question.
 
Upvote 0
aeric

aeric

Expert
Licensed User
Longtime User
I suppose you only allow a user to access or delete his/her own data. When he/she logins with his/her user id and password, he/she get an access token or rights to access only his/her data and not other’s data. The SQL commands in jRDC2 should have this restriction.
 
Upvote 0
A

alfaiz678

Active Member
Licensed User
aeric said:
I suppose you only allow a user to access or delete his/her own data. When he/she logins with his/her user id and password, he/she get an access token or rights to access only his/her data and not other’s data. The SQL commands in jRDC2 should have this restriction.
Click to expand...
On this now, there are not many differences in safety between JRDC2
And among PHP
The whole thing is due to the programmer and his experience in securing his servant's data
Are there your commandments in this?
I mean to secure contact via Php
Especially since you have a lot about this
Thanks
 
Upvote 0
A

alfaiz678

Active Member
Licensed User
Upvote 0
aeric

aeric

Expert
Licensed User
Longtime User
alfaiz678 said:

Http Login example using HttpUtils2

Http Login example using HttpUtils2 Introduction: Hi members, this is my first code sharing in this forum. This example is using HttpUtils2 library included in B4A v4.0. Hope this Code Snippet would help those who need a simple example on how to get started with log in to a website using user...
www.b4x.com www.b4x.com
Click to expand...
This is very old example.
Here is a newer one using API Key.

User Login + MySQL PHP API

Web API Updates: For B4J API Server and cross platform client apps, please check [B4X] User Login App + [B4J] MySQL API Server (Key + Token) https://www.b4x.com/android/forum/threads/b4x-user-login-app-b4j-mysql-api-server-key-token.126081/ Android App This is the 3rd version of...
www.b4x.com www.b4x.com

If you want to use Access Token, the concept is similar. Once you understand this example, you can modify to use Access Token. You can refer to my B4J example.
 
Upvote 0
teddybear

teddybear

Well-Known Member
Licensed User
Upvote 0
DonManfred

DonManfred

Expert
Licensed User
Longtime User
teddybear said:
It is secure to your App accesses a dbserver through webAPI, instead of jdbc or jdrc2
Click to expand...
It depends on the security you add to it
 
Upvote 0
aeric

aeric

Expert
Licensed User
Longtime User
teddybear said:
It is secure to your App accesses a dbserver through webAPI, instead of jdbc or jdrc2
Click to expand...
jRDC2 is very secured too. The jRDC2 example is for demonstration only. We need to implement our own security. Use better SQL commands and you are good to go.


B4X: 
sql.delete_notes_by_id=DELETE FROM notes WHERE id = ? 'bad

sql.delete_notes_by_id=DELETE FROM notes WHERE id = ? AND user_id = ? AND user_id IN (SELECT user_id FROM user WHERE user_token = ?) ' good
 
Upvote 0
teddybear

teddybear

Well-Known Member
Licensed User
For a released app, connecting to the database through JDBC directly,there is a risk to be cracked by reverse engineering. once it is cracked,hacker can exceute high-risk sql such as delete /drop etc, API can reduce this risk a lot
 
Upvote 0
aeric

aeric

Expert
Licensed User
Longtime User
teddybear said:
For a released app, connecting to the database through JDBC directly,there is a risk to be cracked by reverse engineering. once it is cracked,hacker can exceute high-risk sql such as delete /drop etc, API can reduce this risk a lot
Click to expand...
Yes, I also don’t recommend JDBC direct connection. Use a server to manage the client app.
 
Upvote 0
A

alfaiz678

Active Member
Licensed User
All right
Thank you, we've benefited a lot.

If the developer saves by encrypting the orders in the app by B4XCipher
It does not include code encrypt password in the app
It only gives it to the user.
Can the hacker access these encrypted orders?

I mean the orders that the app gives php pages on the server
 
Upvote 0
aeric

aeric

Expert
Licensed User
Longtime User
What you want to achieve or protect?
Encryption may protect man in the middle attack. Password is not (or should not) attached to the data when you send/receive data. If the hacker gain the encrypted data meaning he/she first need to figure out how to decrypt the data. Security does not mean you make it 100% impossible for hacker to break it but you make it more difficult for them. It’s like you add more complex locks at your house. You also need to find ways to hide your keys. In B4X, you can use obfuscation.
 
Upvote 0
A

alfaiz678

Active Member
Licensed User
I mean, it's with b4XCipher.
Then export the application in the form of obfuscation.
We might have done some protection that might be okay.
Do you think so?
 
Upvote 0
aeric

aeric

Expert
Licensed User
Longtime User
alfaiz678 said:
I mean, it's with b4XCipher.
Then export the application in the form of obfuscation.
We might have done some protection that might be okay.
Do you think so?
Click to expand...
If a hacker get the encryption key, he/she can write a B4A app to decrypt the message using B4XCipher. I am not a security expert to advise. You need to understand, a hardcore hacker can do a lot of things to bypass whatever you do. If the data of your app is so crucial, it is better for you to engage a security expert. Otherwise, much concern is unnecessary. For me, I wont keep or transfer sensitive data so nothing I need to concern about. I am not sure what kind of sensitive data in a product order. Payment gateway will handle the security such as 2FA and OTP. I will just follow the guideline from the payment gateway provider if my app involve monetary features.
 
Upvote 0
You must log in or register to reply here.

Similar Threads

aeric
  • Article
B4J Code Snippet [Project Template] [B4X] jRDC2 Client (B4J, B4A, B4i)
Replies
0
Views
2K
aeric
aeric
Sergio Castellari
  • Solved
Android Question [Solved What do I need to modify on the client side for jRDC2 Multi to work?
Replies
4
Views
1K
Sergio Castellari
Sergio Castellari
Bladimir Silva Toro
  • Article
Android Tutorial Tutorial of connecting Android to MS SQL Server using jRDC2
2
Replies
30
Views
14K
josejad
josejad
O
  • Question
Android Question jRDC2 query problem
Replies
17
Views
5K
oscarsarrio
O
Erel
  • Locked
  • Article
B4J Library [B4X] jRDC2 - B4J implementation of RDC (Remote Database Connector)
5 6 7
Replies
138
Views
134K
Erel
Erel
Top