security issues and thoughts reading an rss feed - ios

I'm working on an app that is reading its data from a customized RSS feed that contains information about events. The feed is parsed with the GData XML framework, and written to SQLite with the FMDB wrapper.
The feed information is created on the server by a web-app.
I'm now thinking about how I can make the app bulletproof against hacking attacks that might get through the server's validation. I have seen some threads here about SQL Injection, so I have information regarding that.
Are there other attacks/mechanisms to consider?
The information in my feed is not secret, I'm only after a well working app that can not be hacked easily.

[late answer]
You should harden your server. There is not much you can do to secure the feed itself against man-in-the-middle attacks, unfortunately, as SSL and/or XML signature is not really defined for RSS.
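As an added example (not code from the question or the answer above), one defensive pattern for the client side: treat every feed field as untrusted, cap and sanitize it, and insert it through FMDB's bound parameters so feed text is always data, never part of the SQL. The events table and its columns, the length caps, the item cap, and the SanitizedField helper are assumptions.

```objectivec
#import <Foundation/Foundation.h>
#import "GDataXMLNode.h"   // GData XML framework, as used in the question
#import "FMDatabase.h"     // FMDB wrapper, as used in the question

// Hypothetical helper: cap length and strip control characters so a hostile
// feed cannot push oversized or malformed strings into the database or UI.
static NSString *SanitizedField(NSString *raw, NSUInteger maxLen) {
    if (raw == nil) return @"";
    NSCharacterSet *ctl = [NSCharacterSet controlCharacterSet];
    NSString *clean = [[raw componentsSeparatedByCharactersInSet:ctl] componentsJoinedByString:@""];
    return clean.length > maxLen ? [clean substringToIndex:maxLen] : clean;
}

// Parse the feed and insert every <item> using bound parameters. The "?"
// placeholders mean feed text is passed as a value, never spliced into SQL.
BOOL ImportFeedIntoDatabase(NSData *feedData, FMDatabase *db, NSError **error) {
    GDataXMLDocument *doc = [[GDataXMLDocument alloc] initWithData:feedData
                                                           options:0
                                                             error:error];
    if (doc == nil) return NO;            // malformed XML: reject the whole feed

    NSArray *items = [doc nodesForXPath:@"//item" error:error];
    if (items == nil) return NO;
    if (items.count > 500) return NO;     // assumed cap: a huge feed is itself suspicious

    [db beginTransaction];
    for (GDataXMLElement *item in items) {
        NSString *title = SanitizedField([[[item elementsForName:@"title"] firstObject] stringValue], 200);
        NSString *link  = SanitizedField([[[item elementsForName:@"link"] firstObject] stringValue], 2048);
        NSString *date  = SanitizedField([[[item elementsForName:@"pubDate"] firstObject] stringValue], 64);

        // Only keep http(s) links; javascript:, file: and unparsable URLs are dropped.
        NSString *scheme = [NSURL URLWithString:link].scheme.lowercaseString;
        if (scheme == nil || ![@[@"http", @"https"] containsObject:scheme]) continue;

        BOOL ok = [db executeUpdate:@"INSERT INTO events (title, link, pub_date) VALUES (?, ?, ?)"
               withArgumentsInArray:@[title, link, date]];
        if (!ok) {                        // e.g. constraint violation: roll back, keep old data
            [db rollback];
            if (error) *error = [NSError errorWithDomain:@"FeedImport"
                                                    code:[db lastErrorCode]
                                                userInfo:@{NSLocalizedDescriptionKey: [db lastErrorMessage]}];
            return NO;
        }
    }
    return [db commit];
}
```

Wrapping the import in a transaction means a feed that fails validation part-way leaves the previously stored events untouched.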

Related

What is the best way for an iOS app access data from a public website without overloading it?

I would like to use some publicly available data from a government website as a source of data in an iOS app. But I am not sure what is the best / most polite / scalable way to have a large number of users request data from this website with the least impact on their servers and best reliability for me.
It is 1-50kb of static XML with a fixed URL scheme
It updates with a new XML once a day
New users would need to download past data
It has a Last-Modified header but no caching headers
It does not use compression or a CDN
It's a government website, so if someone even replies to my email I doubt they are going to change how they host it for me...
I'm thinking I could run a script on a server to download this file once a day and re-host for my app however my heart desires. But I don't currently run a server which I could use for this and it seems like a lot just for this. My knowledge of web development is not great, so am I perhaps missing something obvious and I just don't know what search terms I should be using to find the answer.
Can I point a CDN at this static data somehow and use that?
Is there something in CloudKit I could use?
Should I run a script on AWS somehow to do the rehosting without needing a full server?
Should I just not worry about it and access the data directly?
You can use the AWS S3 service (Simple Storage Service).
The flow is somewhat like this:
If the file doesn't exist on S3 yet, or, if the creation date of the file on S3 is yesterday, the iOS app downloads the XML from the gov site and stores it in S3.
If the file exists on S3 and is up to date, download it from S3.
After that, the data can be presented by the app without overloading the site.
I think the best way for you is to create an intermediary database where you can store your data in a secure manner.
Create a pipeline that does some data transformation and stores it in your newly created database.
Create an API with pagination and your desired filters.
Also make sure you are not violating any data policies in the process.
I hope this helps.

What is the proper way to get private data from a MySQL database to an iOS app?

I am currently developing an app for a friend's business (so it's clear that I am not a professional developer and he's not going to get the perfect app). He needs the app to display and be able to interact with data from a MySQL database. I have already tried to find a way to do this but they mostly include a PHP script that just generates a json document which the app can then read. I cannot do that because the data includes customer information that can't just be accessible like that without some form of authentication from the app. The app will only be used by employees at work and on specific devices so storing the data locally is not a problem. Is there maybe a way to create a local cache of the database and then work with that? I would also be open to use other database software that can handle spreadsheet-like data.
Thanks in advance for any response!
Assuming your app is going to get JSON data through a PHP API. In that case, the PHP API should encrypt the JSON data and your app will decrypt it. If you want to protect your data on the user's device, one option is to use cipher SQLite.
You can use any symmetric or asymmetric encryption technique to encrypt the API response.
Here is a good post to read.
https://www.ssl2buy.com/wiki/symmetric-vs-asymmetric-encryption-what-are-differences

how can we retrieve the publicly stored statements from Tin Can API?

What can the Tin Can API do other than storing the state of the agent, and how can we retrieve the publicly stored statements from the Tin Can API?
Thanks in advance
You can do a lot with the Tin Can API (Experience API). The point of the xAPI is to store user experiences, anything from I completed a course to I started watching a video. I've seen or worked on things as simple as using the xAPI to send SCORM tracking to an LRS, to support mobile, tracking sensor data from field exercises, to storing information collected in games and simulations. And the Experience API gives you the ability, like you said, to get data back out in a standard way, to support reporting and evaluation of data.
There are groups working with the Experience API to do interesting things. https://groups.google.com/a/adlnet.gov/forum/#!forum/xapi-design
There is also a spec working group forum where you can get more resources and answers: https://groups.google.com/a/adlnet.gov/forum/#!forum/xapi-spec
There are also resources and articles talking about what you can do with the Experience API. http://www.adlnet.gov/tla/experience-api/
and http://en.wikipedia.org/wiki/Tin_Can_API
There are some open source projects on ADL's GitHub page that also show how you can use the Experience API. https://github.com/adlnet
For sending and retrieving info from an LRS in web browsers there's a JavaScript library: https://github.com/adlnet/xAPIWrapper. It's been built and minified; you can just include the xapiwrapper.min.js in your page and use the readme examples to get started.
For reporting and querying data you can look at the new project: https://github.com/adlnet/xAPI-Dashboard
There's a starting Java library to make talking to an LRS easier in Java, which could be used for regular Java apps or for Android apps: https://github.com/adlnet/jxapi
They're also starting a JQuery Mobile Plugin: https://github.com/adlnet/xapi-jqm
And even an example of using the Experience API with MedBiquitous and Common Core competencies to identify learner's progress toward becoming competent in some aspect: https://github.com/adlnet/xci
As for your question about getting statements from an LRS, you would just do a GET request to the statements endpoint. The spec currently says that requests must include the Experience API version header: https://github.com/adlnet/xAPI-Spec/blob/master/xAPI.md#62-api-versioning. And you will probably need to authenticate as a client using the LRS. This is generally done by registering on the LRS and getting some sort of credentials. This will vary based on the LRS you use, but they all have instructions on how to use and send the credentials: https://github.com/adlnet/xAPI-Spec/blob/master/xAPI.md#64-security
ADL's hosted example LRS opened up the GET statements endpoint so that people new to the Experience API could hit it and see statements without needing to figure out the request rules: https://lrs.adlnet.gov/xapi/statements
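An added iOS example (not code from the answer or from ADL's libraries) of the GET described above: the request carries the X-Experience-API-Version header and HTTP Basic credentials, and the response is checked for status and JSON shape before the statements array and the "more" pagination URL are handed back. The version value 1.0.3, the limit query parameter and the KEY/SECRET placeholders are assumptions; the base URL is the ADL endpoint from the answer.

```objectivec
#import <Foundation/Foundation.h>

// Build the GET /statements request: mandatory version header plus HTTP Basic
// credentials. key/secret are placeholders for what your LRS issued at registration.
NSURLRequest *MakeStatementsRequest(NSString *lrsBase, NSString *key,
                                    NSString *secret, NSUInteger limit) {
    NSURLComponents *c = [NSURLComponents componentsWithString:
                          [lrsBase stringByAppendingString:@"/statements"]];
    c.queryItems = @[[NSURLQueryItem queryItemWithName:@"limit"
                                                 value:[@(limit) stringValue]]];
    NSMutableURLRequest *req = [NSMutableURLRequest requestWithURL:c.URL];
    req.HTTPMethod = @"GET";
    [req setValue:@"1.0.3" forHTTPHeaderField:@"X-Experience-API-Version"];
    NSString *creds = [NSString stringWithFormat:@"%@:%@", key, secret];
    NSString *b64 = [[creds dataUsingEncoding:NSUTF8StringEncoding]
                     base64EncodedStringWithOptions:0];
    [req setValue:[@"Basic " stringByAppendingString:b64]
        forHTTPHeaderField:@"Authorization"];
    return req;
}

// Send it and hand back the "statements" array and the "more" URL the LRS
// returns for the next page; a non-200 status or a non-object body is an error.
void FetchStatements(NSURLRequest *req,
                     void (^done)(NSArray *statements, NSString *more, NSError *err)) {
    [[[NSURLSession sharedSession] dataTaskWithRequest:req
        completionHandler:^(NSData *data, NSURLResponse *resp, NSError *err) {
        if (err) { done(nil, nil, err); return; }
        NSInteger status = ((NSHTTPURLResponse *)resp).statusCode;
        if (status != 200) {
            done(nil, nil, [NSError errorWithDomain:@"xAPI" code:status userInfo:nil]);
            return;
        }
        NSError *jsonErr = nil;
        id body = [NSJSONSerialization JSONObjectWithData:data options:0 error:&jsonErr];
        if (![body isKindOfClass:[NSDictionary class]]) {
            done(nil, nil, jsonErr ?: [NSError errorWithDomain:@"xAPI" code:0 userInfo:nil]);
            return;
        }
        done(body[@"statements"], body[@"more"], nil);
    }] resume];
}

// Usage against the ADL endpoint from the answer (KEY/SECRET are placeholders):
// NSURLRequest *r = MakeStatementsRequest(@"https://lrs.adlnet.gov/xapi", @"KEY", @"SECRET", 10);
// FetchStatements(r, ^(NSArray *s, NSString *more, NSError *e) {
//     NSLog(@"%lu statements, more=%@", (unsigned long)s.count, more); });
```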

exposing part of my parse.com api to other developers via oauth 2.0

It's now trivial to create a web app that sits atop Parse.com. Now that I have this webapp, I want to expose parts of it to other developers via an oauth accessible api. So, they can develop an app that lets my site users 'give them permission' via oauth and they can now access the api.
How would I start going about doing this?
Update: After #Mubix's response, I felt the following clarification would help
Currently I am accessing Parse from the server via a REST api, to get around any javascript security issues re: api keys etc. So, the api would be served off a server other than Parse. Also, the server code is in javascript / nodejs. I came across https://github.com/jaredhanson/oauth2orize which seems a likely candidate, was wondering how others are doing it and if anyone has actually gone a further step and integrated Parse access.
Hmmm .. Interesting question!
Legal:
First of all their ToS doesn't seem to prohibit what you are trying to do but you should read it carefully before you start.
Implementation:
While parse doesn't provide a feature to build your own APIs, you could implement something yourself. You could treat the third party developers as users of your app. And you can use the ACL to control access.
Problems:
I don't see any way to implement OAuth entirely within parse.
How will third party apps access your API? Ideally you would like them to use a REST interface but with the parse.com REST API you won't be able to manage access to different parts of your data.
Conclusion:
It seems like too much trouble to implement the API entirely within parse. I would suggest that you write a thin API layer that takes care of auth and uses parse as the backend. You can use one of the server-side libraries available for parse, e.g. PHP Library, Node Parse.

Access Web Services on BlackBerry

What are the ways of accessing web services on a BlackBerry device?
I've learned about XML for web services. We use SAX and DOM parsers in BlackBerry. Are there any more ideas like this?
I also want to know what kSOAP is and how to use it on BlackBerry.
AFAIK, kSOAP is a library that lets you post SOAP requests to your web service. If the service accepts a simple POST request, the easiest way would be to use HttpConnection. Here's a good tutorial
I've also used kXML2 for XML parsing, and that has worked out well for me till now.
Additionally, including 3rd party libraries is a pain (kSOAP and kXML), so here's a guide that will hopefully save you some time.
You can try http://wsclient.neurospeech.com/wsclient/java-android-blackberry/ which supports SOAP code generation for BlackBerry with an additional library that manages everything; it generates a native typed SOAP client, and calling it is very easy. Otherwise you will be spending a lot of time on XML-to-type and type-to-XML conversions and so on. Plus dates and many other things are a little complex to handle.