Russ Biggers
Posts: 0
Joined: Sun Aug 10, 2014 10:19 pm

App is being Hacked!

Someone is hacking my app! I think they are manipulating the REST API to hack my app. They essentially have full control over it and are creating and deleting accounts and posting things in labels etc.

Alena Prykhodko
Posts: 0
Joined: Tue Apr 09, 2013 7:36 am

App is being Hacked!

Hello Russ,

Have you shared your app with someone?
This should not be possible if you have not granted access to the app.

Russ Biggers
Posts: 0
Joined: Sun Aug 10, 2014 10:19 pm

App is being Hacked!

Alena,

I have published the app to the Google Play store and I have also published it as a web app via appery's web publish feature.

Evgene Karachevtsev
Posts: 12
Joined: Mon Apr 28, 2014 1:12 pm

App is being Hacked!

Hello Russ,

Could you please clarify: have you limited access to your database somehow?
http://devcenter.appery.io/documentat...
http://devcenter.appery.io/documentat...
And perhaps to some codes/passwords, if they are in the code:
http://devcenter.appery.io/documentat...

If you didn't take care of security, then by looking at the source code of the website someone can see the Database ID and, using it, make any request to the database.

Russ Biggers
Posts: 0
Joined: Sun Aug 10, 2014 10:19 pm

App is being Hacked!

What would be the best way to try and secure my database? I have looked at the "Secure Collections", but if a user creates an account then they would have a "session key" and would have access to the database anyway, correct? I also looked at the secure REST, but from the documentation page I could not figure out how to implement the secure REST.

Illya Stepanov
Posts: 0
Joined: Mon Mar 18, 2013 8:48 am

App is being Hacked!

Hi Russ --

You can control the login process for all users on the server side, but this will need your own custom implementation.

Could you please describe what exactly is not clear in secure REST documentation?

Russ Biggers
Posts: 0
Joined: Sun Aug 10, 2014 10:19 pm

App is being Hacked!

I just can't deduce how the secure REST works from the documentation. I can't figure out how to implement it.

Essentially I need to be able to hide my database ID from the users so that they can't make random queries.

Do you know of an example or tutorial about how to do this, or about how to implement the server-side code like you suggested?

Thank you for your time and help!

Yurii Orishchuk
Posts: 0
Joined: Fri Feb 14, 2014 8:20 am

App is being Hacked!

Hi Russ,

Unfortunately, secure REST cannot be used with URL parameters like the DB id in REST queries.

If this information (the DB id) is critical for you, it is possible to implement server code that will translate your request using a DB id known only to that server code.

See details here: http://devcenter.appery.io/documentat...

Secure REST is useful when you need to invoke a REST API with some common secure information like API keys.

For example, you need to call Google Maps geocoding, and this API requires some KEY that is common for all your users and not device-specific.

You don't want to store this KEY in the app (because it could be grabbed from the app by disassembling it).

In this case you should use Appery.io secure REST.

In the app you can use "{parameterName}". This request is sent to the Appery.io proxy, where the secure system replaces "{parameterName}" with the value stored in your database.

Thus no one can get this KEY from your app, even by disassembling it.

Also, please try to go through this tutorial http://devcenter.appery.io/documentat... to understand how this mechanism works.

Regards.

Russ Biggers
Posts: 0
Joined: Sun Aug 10, 2014 10:19 pm

App is being Hacked!

Yurii,

I think I understand what you are saying. For example, I should use secure REST when I am using 3rd-party APIs. Also, when I want to mask my Appery database id, I should use server code to do this?

The issue I am having is someone disassembled my .apk and was able to find my appery database id and they were able to make queries and change all the data in my database. I would like to prevent this from happening again and if I am understanding you correctly you are saying I need to do this with server code?

Yurii Orishchuk
Posts: 0
Joined: Fri Feb 14, 2014 8:20 am

App is being Hacked!

Hi Russ,

Yes, if you want to hide the "db id", you can use server code for this purpose.

But you should know that a hacker can use your server code "proxy" to access these collections. So you should implement some ACL yourself.

Also, I guess "secure collections" could be useful for you. Details: http://devcenter.appery.io/documentat...

"Secure collections" allow access only with a session token.

Also you can restrict access with ACL field. See details here: http://devcenter.appery.io/documentat...

Regards.
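The server-side "proxy" plus ACL approach described in the reply above, as an added example that is not part of this thread or of Appery.io's server code. It assumes a constructed in-memory store and session tokens; HIDDEN_DB_ID is a placeholder for the real database id, which stays on the server and never appears in any response.

```javascript
// Added example (not Appery.io's code): a minimal server-side proxy that keeps the
// database id out of the client and enforces a per-record ACL before touching data.
const HIDDEN_DB_ID = "DB_ID_PLACEHOLDER";          // placeholder; lives only on the server

// Constructed session store: token -> userId (in practice, validated against the login system)
const sessions = new Map([["tok-alice", "alice"], ["tok-bob", "bob"]]);

// Only these public collection names may be reached through the proxy
const EXPOSED_COLLECTIONS = new Set(["labels"]);

// Constructed in-memory backend, keyed by database id so the id is never sent to the client
const store = { [HIDDEN_DB_ID]: { labels: {
  l1: { owner: "alice", acl: { read: ["*"] },   text: "public label" },
  l2: { owner: "bob",   acl: { read: ["bob"] }, text: "bob's private label" },
} } };

// ACL check: owners may do anything; other users may only read if listed (or "*")
function permitted(user, op, record) {
  if (record.owner === user) return true;
  return op === "read" && (record.acl.read.includes("*") || record.acl.read.includes(user));
}

// Entry point the client calls with its session token; the request carries no database id
function handleRequest({ token, collection, op, recordId, body }) {
  const user = sessions.get(token);
  if (!user) return { status: 401, error: "invalid or missing session token" };
  if (!EXPOSED_COLLECTIONS.has(collection)) return { status: 404, error: "unknown collection" };
  const coll = store[HIDDEN_DB_ID][collection];
  if (op === "create") {                           // new records belong to the caller
    const id = `l${Object.keys(coll).length + 1}`;
    coll[id] = { owner: user, acl: { read: [user] }, text: body.text };
    return { status: 201, id };
  }
  const record = coll[recordId];
  if (!record) return { status: 404, error: "no such record" };
  if (!permitted(user, op, record)) return { status: 403, error: "forbidden" };
  if (op === "read") return { status: 200, text: record.text };
  if (op === "update") { record.text = body.text; return { status: 200 }; }
  if (op === "delete") { delete coll[recordId]; return { status: 200 }; }
  return { status: 400, error: "unsupported operation" };
}
```

A client that has extracted nothing more than the proxy URL can still call it, which is why the token and ACL checks, not the hidden id, are what actually stop unauthorised writes.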
