I have one more doubt with RuntimeStore.
I am able to exchange strings using RuntimeStore.
But i want object also to be exchanged.
Example: 3 independent applications are there A, B, C.
A creates an object of C an share it with B using RuntimeStore, and then B will use the same object and invoke the methods or data of C.
Can we do something like this using RuntimeStore.
I couldn't find it.
If you have any idea please share them with me.
Thanks.
The Runtime Store can be used for inter-application communication. As long as your two applications maintain the same data schema you shouldn't have a problem allowing for upgrades.
There is an example at the link that should help you get it going.
Runtime store can be used to exchange data. It would be better if we can know when is the data exchanged as well. You could use GlobalEventListener or Notification Manager for this purpose. Using these, you can express interest to receive certain types of events and register a listener [the same way as action listener on a button]. And when such an event occurs you could read the data from Runtime Store. But callback of Global Event Listener itself can accomodate the data exchange as well.
Hope it helps.!
Here is an example for you to check out. Actually, this is an honest example of IPC that really answers your question. You might also want to consider the security of the data you are supposedly exchanging.
I am not sure what is your intention and objective. Let me present you with different scenarios and provide plausible solutions.
There exists a 3rd party application A and you are authoring application B. Now your application is interested in invoking some services of A or some protected /sensitive/personal features. If this is the case, you could use specific and pre defined and well known permissions that are defined here and then ask system to provide you with those permissions. System in turn asks the user that application B is requesting permission for a list of operations. A UI is presented to user to request permissions. If user grants them, your application will in-turn be granted; else your application will be denied permission.
You are the sole author two applications A and B and have complete control over both the applications. Your objective here is to exchange some data securely, even in presence of other rogue applications that can sniff data. In this case, you could use Application Manager's postGlobal event and Global Event Listener to signal when exactly to exchange the data. Now, you can use RuntimeStore to exchange data; in order to put security in this exchange, you could sign the data with your keys and place it in runtime store. Only the other entities that can provide credentials will be granted access to your data on run time store. This is called controlled access to private data
RuntimeStore.put( MY_DATA_ID, new ControlledAccess( myHashtable, codeSigningKey ) ); // in application A
Hashtable myHashtable = (Hashtable) RuntimeStore.get( MY_DATA_ID, codeSigningKey ); // in Application B
The notification between applications A and B can also facilitated by Notifications Manager.
So, let us know what exactly is you are trying to accomplish. We can accordingly direct you to code examples.
Related
I am currently creating an iOS application with Swift. For the database I use Firebase Realtime Database where I store among other things information about the user and requests that the user sends me.
It is very important for my application that the data in the database is not corrupted.
For this I have disabled data persistence so that I don't have to store the requests locally on the device. But I was wondering if it was possible for the user to directly modify the values of the variables during the execution of my application and still send erroneous requests.
For example the user has a number of coins, can he access the memory of the application, modify the number of coins, return to the application and send an erroneous request without having to modify it himself.
If this is the case then is it really more secure to disable data persistence or is this a misconception?
Also, does disabling access to jailbroken devices solve my problems? Because I've heard that a normal user can still modify the request backups before they are sent.
To summarize I would like to understand if what I think is correct? Is it really useful to prevent requests to save locally or then anyway a malicious user will be able to modify the values of variables directly during the execution and this without jailbreak?
I would also like to find a solution so that the data in my database is reliable.
Thank you for your attention :)
PS : I also set the security rules of the db so that only a logged in user can write and read only in his area.
You should treat the server-side data as the only source of truth, and consider all data coming from the client to be suspect.
To protect your server-side data, you should implement Firebase's server-side security rules. With these you can validate data structures and ensure all read/writes are authorized.
Disabling client-side persistence, or write queues as in your previous question, is not all that useful and not necessary once you follow the two rules above.
As an added layer of security you can enable Firebase's new App Check, which works with a so-called attestation provider on your device (DeviceCheck on iOS) to detect tampering, and allows you to then only allow requests from uncorrupted devices.
By combining App Check and Security Rules you get both broad protection from abuse, and fine-grained control over the data structure and who can access what data.
So I am going through the security rules documentation of firestore right now in an effort to make sure the data users put in my app will be okay. As of right now, all I need users to be able to do is to read data (really only the 'get', but 'read' is fine too), and create data. So, my security rules for the firestore data right now are:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /jumpSpotAnnotations/{id} {
// 'get' instead of 'read' would work too
allow read, create;
}
}
}
I have the exact same 'allow read, create;' for my storage data too. Will this be okay upon release or is this dangerous? In the documentation, they write:
"As you set up Cloud Firestore, you might have set your rules to allow open access during development. You might think you're the only person using your app, but if you've deployed it, it's available on the internet. If you're not authenticating users and configuring security rules, then anyone who guesses your project ID can steal, modify, or delete the data."
This text precedes an example where the rules are, 'allow read, write;', as opposed to my 'allow read, create'. Are my rules also subject to the deletion/modification of the data? I put create because I assume that that only lets people create the data, and not delete or modify it.
Final part of this question, but how could a user guess my project ID? Would they not have to sign in on my google account to then be able to manually delete, modify, or steal data? I'm not sure how that works. My app interface allows for the user to only create data, or read data, nothing else. So could some random person still somehow get into this database online and mess with it?
Thanks for any help.
Your rule allows anyone with an internet connection to read and create documents in the jumpSpotAnnotations collection. We don't know if that's "safe" for your app. You have to determine for yourself if that situation is safe. If you're OK with someone anonymously loading up that collection with documents, and you're OK with paying for that behavior, then it's safe.
Your project ID is baked into your app before you publish it. All someone has to do is download and decompile your app to find it. It's not hard. Your project ID is not private information.
No, your rules are not secure, to understand how someone can guess your project id and steal data first you have to understand that Firebase provides a simple REST API to access stored data. All of the data is stored in JSON format, so public databases can be accessed by making a request to the database URL appended by “.json”.
Now the main concern that how someone can guess your project id, see there are many tools available through which you can set up a proxy on your network and analyze each and every request going through. As Google already said that firebase simply uses rest API so the API endpoints can be known easily by intercepting HTTP requests and then if your rules are not secured then your data could be compromised.
Now solution, how to protect your data. See there are many ways even firebase provides tons of ways to secure data just read their docs about database security. But there is something which you could do from your side so that if your data is compromised then also someone can't actually read it.
You can prevent the apps from reading the data in plaintext. Use public-key algorithms to encrypt the data. Keep the private key on the systems that have to read the data. Then the app cannot read the data in plain text. This also will not prevent the manipulation or deletion of data.
I want to publish data using Particle.variable just so that on device reset, I can then read my latest state from the web again. Is it possible to read the data I had published from the device from the Cloud?
Short answer: It is probably possible!
Longer answer: Unfortunately, this doesn't seem to be supported directly by the Cloud Functions API (https://docs.particle.io/reference/firmware/photon/#cloud-functions). Most of these functions are geared towards sending data from the device, and the only one geared towards receiving data appears to be subscribe, which would require somebody else to publish while you are listening.
Of course, this device can make arbitrary HTTP(S) calls so you could use the TCPClient (https://docs.particle.io/reference/firmware/photon/#tcpclient) to make calls to get a variable value! (https://docs.particle.io/reference/api/#get-a-variable-value)
This will require you to have an access token, however. So, you could:
1. Generate an access token out-of-band (manually on your computer)
2. Embed the access token in your code (WARNING do not publish code with your token embedded)
3. Make API calls to get the variable value
This might not work well if you want to release this product more broadly, and it might break down if the access token expires or is otherwise invalidated.
You may also want to look at using EEPROM for persistence if your data is very small (https://docs.particle.io/reference/firmware/photon/#eeprom).
Our system has two servers (S1) one is running processesing and data storage (basically DB) and the other one is a webserver (WS).
There are two types of even that can happen in the system:
User A pings User B. In this case we check if user B is logged in and we push a notification to User B client throw SignalR. It works.
Services constantly running on S1 and generating new data that concenrs multiple users. My goal is as soon as a new data important for user A is generated I immediately want to dispatch a signalR notification to user A client provided he/she is logged in.
This part 2 is not quite clear for me how to design. My thought right now is to start an indefinite process on webserves that monitors our DataBase and checks if new records are generated fpr this user and then push a SignalR message.
That would be fine, but now we have 10k users logged in and I don't think the right decision would be run 10k threads monitoring activities.
Basically, my question is what would a proper way do design signalR based notification mechanism that is based on events that are not originated on our webserver.
I would use a service bus or mq, for example this Free MQ https://www.rabbitmq.com/
You can proxy the messages direcly to the Clients using this proxy library (I'm the author).
Doc's here https://github.com/AndersMalmgren/SignalR.EventAggregatorProxy/wiki
Demo https://github.com/AndersMalmgren/SignalR.EventAggregatorProxy/tree/master/SignalR.EventAggregatorProxy.Demo.MVC4
You can also set up a sql dependency that triggers a message to your signalr clients,
http://techbrij.com/database-change-notifications-asp-net-signalr-sqldependency
This link is the one that I based my code on.
couple of things to watch for, the setup of the table. You cannot use 3 part table names
"SELECT [CMRID],
[SolutionID],
[CreateDT],
[ModifyDT]
**FROM [dbo].[Case]**
WHERE [ModifyDT] > " + LastExecutionDateTime;
Also, and this is very important, you MUST reset the event handler every time the dependency triggers, if not it will work the first time and then stop working.
I hope this helps you.
I am convinced that I want to use Glimpse for my project, but I would like to learn a bit more about the security model.
From what I can tell, when you turn Glimpse on, it simply writes a set of cookies to the client. When Glimpse receives these cookies, Glimpse begins to record information for the request and then sends it to the client.
Seems like I could just set the cookies for a site I know uses Glimpse and I would then be able to see their information.
I highly doubt this is how it works, so I would like to know what features are in place to prevent exposing server information.
Glimpse uses a collection of configurable Runtime Policies (http://getglimpse.com/Help/Custom-Runtime-Policy) that dictate how Glimpse responds to any given HTTP request.
Glimpse already adds some Runtime Policies out of the box that filter requests based on content types, http status codes, remote or local access, Uri's...
You can also build your own by implementing the IRuntimePolicy and check for instance if a user is authenticated and member of a specific group and based on that allow Glimpse to gather and return data or not. Such an example can be found at the link above.