i've created program that use FTP to upload some files. Now the problem is that someone can use simple decompiler to see source code (my ftp account details) , what is the best way to encript my program. Is it only possible to encrypt details of my login, or to prevent someone from decompiling my program ? Also I've though about getting data from external source with HTTP request. Would that work ?
The simple answer is that there is NO WAY to prevent someone decompiling your code.
You can hide embedded passwords using some simple tricks like XOR-ing them with a "key". Or complicated tricks ...
However, if the program is self-contained, then it must be able to recover the hidden password for itself when it runs. And if it can do that, then a hacker can figure out how it does that and do the same calculations hirself.
Related
I know that someone mean will probably close this question for being opinion, but the truth is, I'm not after opinion as such, but actual facts about the correct way and how to do this.
I've been searching around for quite a time and I'm still unclear as to what direction to take. It seems there are a billion* libraries that I could use, but I want to know what would be the correct, proper supported method of achieving this.
Essentially, I have a very simple requirement to list and download files from Sites on our Office 365 subscription to an iOS application.
Initially, I looked at the REST interface for Sharepoint and, from a browser, was able to easily perform a GET to our site and receive and receie a response with meta data about the file, for example:
https://mytenantid.sharepoint.com/_api/web/getfilebyserverrelativeurl('/MyFile/Here/Document.txt')
I could also retrieve JSON output instead of XML by specifying an Accept header of application/json using the POSTMAN REST client for Chrome.
So far, so easy. Just the authentication to do outside of the browser and that's it.
Phew!!
I started by looking at Basic authentication, but wasn't sure if this is the right way to do it and even if it would work?
On looking further, it seems that actually, using OAuth might be the way to go. Apparently, you can either do this yourself (no idea how), or use a library (ADAL?) from Microsoft? Unfortunately, this all looks half baked will very little documentation that seems to work. It also requires the use of CocoaPods and workspaces and isn't just a simple library that I can copy to my project and start using (a la SwiftyJSON). There also seems to be a lot of other libraries around too.
I should mention that I'm using Swift, so I've tried converting code from Objective C to Swift (unsuccessfully) too. Apparently I can't use "readWithCallback" with an argument list that the code tells me I should actually use -- even a sample application I downloaded had the same issue.
I've also tried using node.js with a script (not a Web Application) and the documentation and number of libraries available for that is almost worse.
Any assistance to achieve this really simple capability would be hugely appreciated -- it's been driving me nuts.
Many thanks,
D.
*this might be a slight exaggeration.
Office 365 has a RESTful API that you can use any programming language to authentication and integrate in your app.
Here is a simple example for iOS connected app to office 365. The sample shows how to do this in Objective C and SWIFT.
https://github.com/OfficeDev/O365-iOS-Connect
If you want to full iOS samples for office 365 connected apps, Check out this link:
https://msdn.microsoft.com/en-us/office/office365/howto/starter-projects-and-code-samples
Enjoy :)
Im trying to send some data to a form on a site were im a member using cURL, but when i look at the headers being sent, they seem to have been encrypted.
Is there a way i can get around this by making the computer / server visit the site and actual add the data to the inputs on the form and then hit submit, so that it would generate the correct data and post the form ?
You have got a few options:
reverse engineer the JavaScript that does the encryption (or possibly just encoding) process
get a browser engine (e.g. the Gecko engine), and add some scripting to it to fill in the forms and push the submit button - of course you would need JavaScript support within the page itself
parse the HTML using an HTML parser, feed the JavaScript in it to a JavaScript runtime with the correct libraries, fill in the "form" and hit the submit button
It's probably easiest to go for the first option. The JavaScript must be in the open to be able to be executed in the browser. But it may take some time to reverse-engineer as it is likely obfuscated.
You can use a framework to automate user interaction on the web pages, like Selenium.
This would enable you to not bother reverse engineering anything.
Selenium has binding in various languages, including Python and java.
Provided the javascript is visible on the website in question, you should be able to simply copy and paste their encryption routines to prepare the headers exactly as they do
A hacky fix if you can isolate the function that encodes the data you type in the form - is to use something like PyV8 to execute the JS inside python.
Use AutoHotKeyIt and actually have it use the Browser Normally. It can read from files, and do repetitive tasks infinitely. Also you can push a flag to make it only happen within that application, which means you can have it minimized and yet still preform the action.
You seem to be having issues with the problem of them encrypting the headers and such, so why not simply use that too your advantage? Your still pushing the same data in, but now your working around their system. With little to no side effect too you.
I am trying to build a web based flash application. I am quite new to flash. I would like to develop it in two forms - demo and paid version. For this application to act as a paid version I need to have some kind of serial key. In order to achieve this I googled and came across something like this
MD5(MD5(thisuri)+thisuri)
I think 'thisuri' points to the current url page but I don't know how to get that url and I don't know whether '+' acts as a character or an operator.
Can you please help me?
It seems that a library exists in AS3.0 : as3corelib
An ActionScript 3 Library that contains a number of classes and utilities for working with ActionScript? 3. These include classes for MD5 and SHA 1 hashing, Image encoders, and JSON serialization as well as general String, Number and Date APIs.
To use it, just download the zip file, decompress it and copy the contents of "src" directory to the root of your project.
Then in your actionscript code, simply do the following :
import com.adobe.crypto.MD5;
var hash:String = MD5.hash(”test”);
source in french
To add to #Julien's recommendation of using as3corelib, you will also need the advice from this post to get the current url: Get Current Browser URL - ActionScript 3
Somehow I think there's a more elegant way to get the url, but I don't remember it.
While this may provide you with some basic check for the paid version, a determined hacker will easily fool this algorithm. For example, I could fool the environment into thinking that its being served from a domain that you've registered as part of the "paid" version. Also, since the client has the flash code, they can decompile the binary and potentially see the algorithm you're using. Depending on what you're offering in the app, this extreme case may or may not be acceptable to you.
Look into more secure authentication mechanisms if you're serious about security.
I would like to access certificates stored in Mozilla products (Firefox and Thunderbird) from a Delphi (XE) applicaiton. For start I would like to list them, next it would be nice to be able to manage them (import, export, delete) and use them (sign). The software token would be sufficient although using all tokens supported by mozilla would be great.
So far I tried using XPCOM with http://d-gecko.svn.sourceforge.net/viewvc/d-gecko/trunk/ delphi binding. However there is not much documentation around and I am kinda confused with all the terminology and concepts. The best I could manage was:
var ns:nsIX509CertDB;
servMgr:nsIServiceManager;
p:Pchar;
begin
GRE_Startup;
NS_GetServiceManager(servmgr);
servMgr.GetServiceByContractID('#mozilla.org/security/x509certdb;1',NS_IX509CERTDB_IID,ns);
ns.FindCertNicknames(nil,1,count,p);
GRE_Shutdown;
end;
Using this code I did get instance of certdb object and I was able to ask it for certificates. However it seems to be completely empty (count from FindCertNicknames is 0) and it also does not react on changing OCSP (IsOcspOn always returns true). I am thinking that I did either create new certstore or that I need to activate default user profile somehow.
I also tried accessing softokn.dll as a PKCS#11 library. As this seem to have some sort of PKCS#11 API, it is not responding well. I.e. CKR_BAD_ARGUMENTS on C_Inititialize.
The last and really bad way would be accessing certificate files directly as it should be "standard" NSS but I realy do not like this way.
Our SecureBlackbox works with softtokn.dll via PKCS#11 and you can use interfaces provided by SecureBlackbox for handy certificate management.
I explored the PKCS#11 way a little more and I actually got it to do something. The softokn.dll library is "almost" standard PKCS#11 library, see https://developer.mozilla.org/en/PKCS11_Module_Specs . The key thing is that you need to initialize it with special arguments (the structure is described in the linked URL).
Its also handy to check the NSS erorr return values: see CKR_NETSCAPE_... at http://people.mozilla.com/~chofmann/l10n/tree/mozilla/security/nss/cmd/pk11mode/pk11mode.c .
The last key thing is that you need to specify the tokens by hand as the documentation is unclear about using secmod.db - there is a missing word, probably "supported", in "The MOD DB function is not through standard PKCS #11 interfaces".
All this is rather low-level coding and will still need a lot of work so it may be better to use SecureBalackbox as suggested by Eugene if you are starting from scratch.
Is there any ruby gem/ rails plugin available for parsing the resume and importing that information into an object/form ?
I may be wrong, but I don't think you'll find anything completely automated to do this, because a résumé (or CV) can be structured in so many different ways and can contain very different types of data. Any completely automated solution is likely to have accuracy problems, since it is technically a difficult problem to solve.
You may find this answer useful.
Here are some other suggestions that might help :-
Require a user to enter their details into a form on your website instead of uploading a Word document. You'll then be able to explicitly ask for the data you want and you'll be able to store the data in a structure that suits you. However, this may be too much of a barrier to entry for your users.
Allow a user to submit the URL of their résumé published using the hResume microformat. Sites like LinkedIn already publish résumés in this format. There is a Ruby gem mofo which can parse microformats including hResumes. However, not all users will have an on-line résumé like this.