I have an encrypted connection from my ios app to my mysql database. My question is whether or not they would be able to intercept the connection form the ios app and find the domain with or without an encryption
whether or not they would be able to intercept the connection form the ios app
Yes, they would be able to do so. At least surely using a jailbroken device - for jailbroken devices, there are a couple of factors that make hacking easier.
On the one hand, on a jailbroken system, it is possible to prevent Apple's encryption of the app executable (by dumping the unencrypted program code from memory to the disk) and run a utility called "class-dump" to obtain the Objective-C class information (it is also possible to use the GDB debugger on the device or IDA Pro in order to reverse engineer the application logic).
On the other hand, the same MobileSubstrate library that is used for making iOS tweaks can be used to alter the behavior of any given application (I have successfully used this technique for circumventing some code obfuscation at runtime), so in theory an attacker would alter the communication logic of your application and dump the unencrypted data of yours and your users.
On the gripping hand, most standard and less-used Unix utilities usable for such kind of hacking are ported/compiled for jailbroken iOS - including the popular network sniffing tool nmap, the "John the Ripper" password cracker, the infamous aircrack-ng WEP/WPA key cracker, the GNU debugger (GDB), etc. These are also useful for executing an attack you described.
If the connection itself is encrypted, then, in theory, your data should be safe while in the wire. This still doesn't prevent the MobileSubstrate-based approach to exploitation. It is also true that the IP address of the server you're connecting to can be found relatively easily (end even the domain it is matching, since there are also known techniques for obtaining reverse-DNS information using a known IP address).
I'm not sure if this is possible without a jailbreak, but a similar man-in-the-middle attack was performed against Apple's in-app purchases by a Russian hacker (effectively rendering ineffective the underlying payment system and allowing purchases to be freely downloaded), merely by requiring users to install SSL certificates, profiles and using the hacker's own proxy server, so I'd suspect it is possible even without a jailbreak. Note that in this case the connection was also encrypted, and it was not the encryption that mattered.
You should not imo create a direct connection to the mysql-database but instead pursue a connection with a server program/api with a connection to the database in question. To answer the question more directly users should not be able to intercept the connection from the ios-app if it is encrypted correctly but still, is it worth that risk?
If the connection is encrypted, the data are secure. But not the domain. The iPhone is connecting to an IP Address, and that IP Address is obviously not encrypted.
Create a PHP interface between your app and the Mysql. Doing this they will be able to hack only app-accounts not the entire database! Your Mysql credential will be stored in the remote domain where the PHP code runs.
Related
I have a VB6 application that connects to a MySQL DB. The username and the password are in the source code. The problem is that when I open the .exe file in a hex editor the username and the password are both visible.
Can you suggest a solution so that the username and the password would be no longer visible?
Thanks
As long as those credentials are in your application, someone with a little knowledge can find and read them.
If you encrypt that information, you'll need to decrypt it at some point. So you'll either need the decryption key in the app - so people can read it too, rendering the whole thing moot - or you'll be decrypting server-side - in which case anyone else could just send the encrypted credentials as well.
So here's a tip: don't base the security of your application on having some secret buried within the code. You'll just be presenting script kiddies with an interesting challenge.
You really need a middle tier.
Wherever practical you want to avoid sharing the database credentials with clients. Ideally you don't even want firewalls to allow database connections from outside.
Client/server DBMS connection protocols are not optimal for use across the Internet anyway.
These are all reasons why the "web service" concept came about, and was being used even before the phrase had been coined.
Of course that still leaves you with the need for credentials at the client. I'd handle this by storing them externally so that they can be updated. You might also want to use two stages of decryption in your programs so that you can divide the process up, making it harder to reverse engineer from decompiled/disassembled code. Do one stage early in initialization and the other later, or do stage two just prior to making your connection.
My users are using MS Access and ODBC connector to connect to my remote MySQL database. I wonder how secure this is, in the sense of possible password disclosure to 3rd party. Is the mysql protocol authentication safe to eavesdropping or even man-in-the-middle attacks? I would be quite happy with safety against eavesdropping. Note that my concern is only authentication, I'm not concerned about data disclosure.
Please don't reply that I should use SSL. I know this would be ideal however the setup doesn't seem very simple. Anyway, I would like to know what is the safety level of plain mysql protocol.
What is it that you want to be "safe to eavesdropping or even man-in-the-middle attacks"? Your password, or your data?
The title of your question refers specifically to authentication. MySQL does a reasonable job of protecting your password from eavesdroppers (it is not sent plaintext, and the use of a nonce defeats replay attacks). Citing MySQL protocol internals:
MySQL 4.1 and later
Remember that mysql.user.Password stores SHA1(SHA1(password))
The server sends a random string (scramble) to the client
the client calculates:
stage1_hash = SHA1(password), using the password that the user has entered.
token = SHA1(scramble + SHA1(stage1_hash)) XOR stage1_hash
the client sends the token to the server
the server calculates
stage1_hash' = token XOR SHA1(scramble + mysql.user.Password)
the server compares SHA1(stage1_hash') and mysql.user.Password
If they are the same, the password is okay.
(Note SHA1(A+B) is the SHA1 of the concatenation of A with B.)
This protocol fixes the flaw of the old one, neither snooping on the
wire nor mysql.user.Password are sufficient for a successful
connection. But when one has both mysql.user.Password and the
intercepted data on the wire, he has enough information to connect.
However, authenticated sessions continue in plaintext: an eavesdropper will be able to see all queries and results; and a MITM would be able to make alterations to the same. As stated in the manual:
By default, MySQL uses unencrypted connections between the client and the server. This means that someone with access to the network could watch all your traffic and look at the data being sent or received. They could even change the data while it is in transit between client and server.
Whilst you may not like the answer, SSL is the tool designed to defeat both data eavesdropping (how else can the communications be encrypted?) and MITM attacks (how else can either party verify that its peer is who it thinks it is?). Indeed, if the mysql client-server protocol alone defeated these threats then there would be no reason to use mysql over SSL (and thus it would be unlikely to be a supported configuration).
Short answer: Yes, the protocol is safe from Eavesdropping and MITM attacks.
Only if the attacker manages to sniff an authentication attempt AND if the attacker knows the contents of mysql.user, then he can subsequently authenticate against the server. For example if you're using the same password on two different mysql servers and the attacker gains access to one of them, he can also connect to the second server.
I'm thinking about writing a Javascript based MySQL client.
The client would work like MySQL Query Brwoser, and would connect to a remote MySQL db.
Are there any - client side - Javascript - MySQL communication libraries?
I've found this topic: How to connect to SQL Server database from JavaScript in the browser?
Are there any similar solutions (not using ActiveXObjects)?
Thanks,
krisy
Javascript (at least in a browser) does not provide socket support (hence the use of an ActiveX object in the example you cited). Nor does it have the low-level type conversions that would be required for implementing a client. So even if you were to work out the mysql protocol (see mysqlproxy as well as myqld and the standard client libs).
So unless you want to write your own browser, you'll need to think about some sort of bridge between javascript and mysql.
A further issue is that most people wouldn't want to give direct DML facilities at the client - so even if you're currently connecting across a VPN, then you need to spend a significant amount of time thinking about authentication and session management.
There's some discussion about database abstraction here and in other places.
If it were me I'd be thinking about AJAX/JSON from javascript to the bridge, bridge running somewhere close to the mysql DBMS and implemented in a language with native mysql support (e.g. Perl, PHP) which provides for session support over HTTP.
HTH
So, we want to move out from Air (Adobe stopping support and really bad implementation for the sqlite api, among other things).
I want to make 3 things:
Connect with a flash (not web) application to a local mysql database.
Connect with a falsh (not web) application to a remote mysql database.
Connect with a flash (web) application with a remote mysql database.
All of this can be done without any problem, however:
1 and 2 can be done (WITHOUT using a webserver) using for example this:
http://code.google.com/p/assql/
3 can be done using also the above one as far as I understand.
Question are:
if you can connect with socket wit mysql server, why use a web server (for example with php) to connect like a inter connectioN? why not connnect directly?
I have done this a lot of times, using AMFPHP for example, but wouldn't be faster going directly?
In the case of accessing local machine, it will be a more simple deploy application that only require the flash application + mysql server, not need to also instal a web server.
Is this assumption correct?
Thanks a lot in advance.
The necessity of separate layer of data access usually stems from the way people build applications, the layered architecture, the distribution of the workload etc. SQL server usually don't provide very robust API for user management, session management etc. so one would use an intermediate layer between the database and the client application so that that layer could handle the issues not related directly to storing the data. Security plays a significant role here too. There are other concerns as well, as, for example, some times you would like to close all access to the database for maintenance reasons, but if you don't have any intermediate layer to notify the user about your intention, you'd leave them wondering about whether your application is still alive. The data access layer can also do a lot of caching, actually saving your trips to the database, you would have to make from client (of course, the client can do that too, but ymmv).
However, in some simple cases, having an intermediate layer is an overhead. More yet, I'd say that if you can, do it without an intermediate layer - less code makes better programs, but all chances are for that you will find yourself needing that layer for one reason or another.
Because connecting remotely over the internet poses huge huge huge security problems. You should never deploy an application that connects over the internet to a database directly. That's why AIR and Flex doesn't have remote Mysql Drivers because they should never be used except for building development type tools. And, even if you did build a tool that could connect directly, any descent network admin is going to block access to the database from anywhere outside the DMZ and internal network.
First in order your your application to connect to the database the database port has to exposed to the world. That means I won't have to hack your application to get your data. I just need to hack your database, and I can cut you out of the problem entirely because you were stupid enough to leave your database port open to me.
Second most databases don't encrypt credentials or data traveling over the wire. While most databases support SSL connections most people don't turn it on because applications want super fast data access and they don't want to pay for SSL encryption overhead blah blah blah. Furthermore, most applications sit in the DMZ and their database is behind a firewall so between the server and the database is unlikely something could be eavesdropping on their conversation. However, if you connected directly from an AIR app to the database it would be very easy to insert myself in the middle and watch the traffic coming out of your database because your not using SSL.
There are a whole host of problems doing what you are suggesting around privacy and data integrity that you can't guarantee by allowing a RIA direct access to the database its using.
Then there are some smaller nagging issues like if you want to do modern features like publishing reports to a central server so users don't have to install your software to see them, sending out email, social features, web service integration, cloud storage, collaboration or real time messaging etc you don't get if you don't use a web application. Middleware also gives you control over your database so you can pool connections to handle larger load. Using a web application brings more to the table than just security.
Let's say that you have a standalone application (a Java application in my case) and that this application has a configuration file (a XML file in my case) where you store the credentials (user and password) for a bunch of databases you need to connect.
Everything works great, but now you discover (or your are given a new requirement like me) that you have to put this application in a different server and that you can't have these credentials in the configuration files because of security and/or compliance considerations.
I'm considering to use data sources hosted in the application server (a WAS server), but I think this could have poor performance and maybe it's not the best approach since I'm connecting from a standalone application.
I was also considering to use some sort of encryption, but I would like to keep things as simple as possible.
How would you handle this case? Where would you put these credentials or protect them from being compromised? Or how would you connect to your databases in this scenario?
I was also considering to use some
sort of encryption, but I would like
to keep things as simple as possible.
Take a look at the Java Cryptography Architecture - Password Based Encryption. The concept is fairly straight forward, you encrypt/decrypt the XML stream with a key derived from a user password prior to (de)serializing the file.
I'm only guessing at what your security/compliance considerations require, but definitely some things to consider:
Require strong passwords.
Try to minimize the amount of time that you leave the sensitive material decrypted.
At runtime, handle sensitive material carefully - don't leave it exposed in a global object; instead, try to reduce the scope of sensitive material as much as possible. For example, encapsulate all decrypted data as private in a single class.
Think about how you should handle the case where the password to the configuration file is lost. Perhaps its simple in that you can just create a new config file?
Require both a strong password and a user keyfile to access the configuration file. That would leave it up to the user to store the keyfile safely; and if either piece of information is accidentally exposed, it's still useless without both.
While this is probably overkill, I highly recommend taking a look at Applied Cryptography by Bruce Schneier. It provides a great look into the realm of crypto.
if your standalone application runs in a large business or enterprise, it's likely that they're using the Lightweight Directory Access Protocol, or LDAP, for their passwords.
You might want to consider using an LDAP, or providing hooks in your application for a corporate LDAP.
I'm considering to use data sources hosted in the application server (a WAS server), but I think this could have poor performance and maybe it's not the best approach since I'm connecting from a standalone application.
In contrary, those datasources are usually connection pooled datasources and it should just enhance DB connecting performance since connecting is per saldo the most expensive task.
Have you tested/benchmarked it?