My Nativescript app has some secret api tokens. I want to publish the app to the iOS app store. What do I need to do to keep the tokens secret when I publish the app?
I see a discussion here about storing secrets using webpack environmental variables. I am new to webpack, but it seems like this is the best way to do it.
Following that discussion, I am able put my tokens into the webpack bundle (instead of hardcoding it), like this:
$ tns run ios --bundle --env.uglify --env.aot --env.secret_token="yaySecret"
But does this keep "yaySecret" secret? I don't see this addressed anywhere in NS docs or online.
I assume this bundle command creates a bundle, and then this bundle becomes part of what Apple publishes. But then isn't Apple able to view "yaySecret"?
Uglify actually does the job here (--env.uglify).
--env.secret_token will be just a parameter that is passed to the compiler. It will replace the occurrence of the variable in source code with actual value based on your webpack define configuration.
You should have something similar to this in your webpack config
// Define useful constants like TNS_WEBPACK
new webpack.DefinePlugin({
"global.TNS_WEBPACK": "true",
"global.SECRET_TOKEN": JSON.stringify(env.secret_token),
"process": undefined,
}),
So all occurrence of global.SECRET_TOKEN in your actual source code will be replaced by actual token you passed in command line.
So far it had nothing to do with security, reverse engineering the APK may show the entire source code and token value. Using minimizers like Uglify is what makes your code hard to read.
There are many other minimizers / obfuscators in market, javascript-obfuscator is one free tool I have seen people using with NativeScript often. All of these tools have tons of options, if you want to encrypt your code properly, you might need to pay more attention to those options.
There are even paid tools like jscrambler. Using Obfuscators are not limited to NativeScript / JavaScript, even many native android apps use Java Obfuscator to prevent extraction of source code & sensitive information from the APK. So using an Obfuscator is very much common irrespective of platform you choose.
Additionally what you could do is, do not simply hard code your token. You may pass some encrypted value to env.secret_token, then write some complex function which can take this encrypted value and give you the actual token at run time. End of the day it's all about making your code harder to break.
Related
I am working on an iOS application that uses a pretty normal multi-environment deployment model. We have a QA, Prod, and "Dev" version of the app that all talk to their own corresponding backends. I am new to iOS development but am familiar with Node, Java, and a few other development environments.
The first thing I reached to for this problem was Environment Variables. I saw that XCode had a way to set environment variables in a Scheme and they could be read pretty easily. So I used 4 environment variables per environment to configure a few needed backend hosts. Everything seemed to be going fine until I realized that those environment variables seem to ONLY be available when running the app through XCode. Is that correct? Is there no way to configure environment variables that "bundle up" with an app? If so, the ability to configure environment variables at all seems like a footgun.
What I mean is, In a NodeJS or Java app, I can set a number of useful "necessary" configs like a backend hosts and use some approach to provide those values when running the app for real. It seems like in iOS / Swift, environment variables are only useful for development-time debugging settings? The asymmetry between what's available in XCode vs a "real" shipped app seems odd.
Is there a similar standard way that I can configure my app for multiple different environments that works on shipped applications and ideally just involves reading some value at runtime rather than using conditionals and/or using compiler flags or something?
You are correct. The Environment Variables are only meaningful when executing the Scheme in Xcode. Their primary use in that context is to activate debugging features that are not on all the time. For example, if you try to create a bitmap Core Graphics context (CGContext) with an invalid set of parameters, the debugger may tell you to set an environment variable to see additional debugging output from Core Graphics. Or you can set environment variables to turn on memory management debugging features.
When you are running an application on a server, the Unix framework in which the application is running is part of the "user experience". In that context it makes sense for the application to use things like environment variables.
As developers we understand that a mobile app is running inside a unix process, but that unix environment is mostly unavailable to us. A similar feature that is common to Unix apps is command line arguments. An iOS application on startup receives command line arguments (argc and argv) but there is no way specify those when the app is launched either.
There are a number of places you could include configuration information like that which you describe in your application. The most common that I can think of is to include the setting in the applications Info.plist. At runtime you could access the contents of the property list by fetching the main bundle and asking for it's infoDictionary:
let infoBundle = Bundle.main.infoDictionary
let mySetting = infoBundle["SomeSetting"]
When the application's info.plist is created, it DOES have access to the environment variables declared in the Scheme so you could put the environment variables in the scheme, reference them in the Info.plist, and retrieve them at runtime from the main bundle.
try Using FeatureFlags, maybe will help you, check this
https://medium.com/#rwbutler/feature-flags-a-b-testing-mvt-on-ios-718339ac7aa1
Is there a way to easily distribute an electron.atom.io app as a static site?
I don't need all the functionality, I just want to allow the client to view the latest updates.
-- edit --
Perhaps a better way to ask the question is; "How do I build a web app that can be hosted online and run on electron with minimum rewriting" - similar to the Slack app that works the same way on web or electron app.
As long as your main use of Electron is to create a 'native browser wrapper' for a web-app this is entirely possible.
You will have to implement a check if your application is running inside a browser or inside Electron and wrap your electron specific code in it:
if (window && window.process && process.versions['electron']) {
const {BrowserWindow} = require('electron').remote
}
You'll probably have to step through your application and disable Electron specific functionality at multiple places.
You have other options to do a long distance demo of an Electron app
Electron is basically a shell to run node.js apps on the desktop. This means if you want to move it to the web, you have to give up all the Electron APIs that access the local system and you're left with a basic node.js app, which is most likely not desirable.
To demo your desktop app to an off-site client, you can either make a presentation with screenshots detailing the current user flow, or compile a sandboxed demo version of your app and send it over to them.
Screen presentation
This is your quickest and easiest solution if your client just wants to be kept in the loop and see some eye candy. You can just record how the app works with some example data, add some written or audio explanation to it, and let them enjoy the smooth ride.
Build a demo
If your client wants to actually have a hands-on demo with the app, you need to have some form of basic code distribution. The cleanest way to do this would be to tie up all loose ends in your current app flows, block all unfinished roads in it and compile it for whatever platform your client requested the demo for.
Take a look at the electron-packager and electron-builder docs to get an idea how to build an .exe, .dmg or whatever file from your Electron app, then send that file to them with some basic instructions.
I've been working on integration of Passbook for some of my apps. Right now, I've used Ray Wenderlich's tutorial on this, and it is quite frankly a pain to build even one Pass. I have to get the icon files all in place, program the JSON file, get the manifest file filled in with all the SHA1 values, and run a few lines in terminal to sign it, and then another line to zip it. Are there any online services or programs that can be used to save a pkpass file to computer, that I can then upload to my server?
There are also quite some developer tools that help you to create passes, you can find a list on wikipedia.
We provide an Objective-C SDK and a free cloud service that lets you create templates and generate passes. You can find the SDK on github (Sample App is included).
There are a number of services that can be used to generate passess. Take a look on wikipedia for a comprehensive list of providers, tools and projects.
If you want to update passes, then you will need to build a Passbook Web Service. When a pass is updated, the web service sends a new .pkpass bundle to the device. Therefore, your web service must also be capable of signing passes unless you want to manually create and upload them to your server before sending out a push request.
Using our service, PassKit, you can create a template using WSIYWIG editor then create a pass directly on your server via a simple API call. You can also update passes and push updates to passes via our API. If you just want to get hold of the .pkpass bundle, then you can append /d to the pass URL (the one beginning with r.pass.is), or use PassKit API in your User Agent string.
you should also check out Apple's Passbook Support Materials here:
https://developer.apple.com/passbook/
They have a simple XCode project called SignPass that you can use to easily create your own Passes.
Note: you need to be a member of Apple's Developer program to access these materials ..
There's lots more Passbook related info here:
http://www.flonsolutions.com
Andrew
Symfony worked great for us when we were a small team of trusted developers. Now however, we are getting more people to help out, which leads to a problem with managing production passwords checked into source control.
I have production passwords for our DB, API keys, etc. stored in the Symfony config files which I do not want all developers to have access to. How can I hide these passwords from unauthorized developers and yet still grant them access to the source code?
If you're already using a version control: your first stop should be removing all passwords from the history in your versioning system. Good luck ;-)
Next: isolate the files which have passwords in them. (Probably config/databases.yml and apps/<yourapp>/app.yml.).
Copy/rename this files to *.yml.dist (for example: config/databases.yml.dist). Clean up all production passwords from these files, and leave only
the bare minimum to keep it going.
Make sure the original files don't appear in your VCS ever again. (svn ignore, or the likes).
Now when you set up a new environment, you can just copy the *.dist files to their 'real' names.
(What I did for my project is move all API keys to a single apikeys.yml in the config directory. That way all the properties in the app.yml keep being versioned, and my api keys don't appear in the VCS.
Hope you get the answer for your question. Recently I have implement these kind of works in my project.I think to store these kind of confidential data database is the safe options and get this data using filter is the best option no need to store your data in app.yml.
I am using someone else's library that provides its own scripting host instance, it appears.
This lib provides me with functions to define the type of scripting language such as "jscript" and "vbscript", and I can supply it with script code and have that executed, with passing arguments in and back. So, basically, it works.
However, when I try to access the "WScript" object, I get an exception saying that this keyword is undefined.
The developer, not knowing much about this either (he only made this lib for me because I do not want to deal with Windows SDKs right now), told me that he is using "IScriptControl" for this.
Oh, and the lib also provides flags to allow "only safe subset" and "allow UI", which I set to false and true, respectively.
Does that ring a bell with anyone? Do a user of IScriptControl have to take extra steps in order to make a WScript object available? Or, can he use IScriptControl in a way that this is supplied automatically, just as when running the same script from wscript.exe?
Basically, all I need is the WScript.CreateObject function in order to access another app's API via COM.
I don't know why WScript is not known, but I suspect it is because the script host doesn't provide it. Maybe only wscript.exe does this.
If you are using Javascript, to create an object you can use new ActiveXObject(). If you are using VBScript, you can just use CreateObject.
See this article for some background.