The use of HTML5 gives developers new horizons in animation implementation for their websites. There is no need to use outdated Flash technology or to overload traffic with large images; you simply need to familiarize yourself with a few rules for creating motion by redrawing the canvas.
In this, the final article in our series on the essentials of Application Security, we will be looking at Insufficient Transport Layer Protection. This occurs when an application has failed to properly encrypt network traffic, which means that confidentiality and overall integrity have been compromised. ITLP also covers the cases where an application’s network-level security is weakened; this can be because of flaws in algorithms, improper use of certificates, or the use of security certificates which have expired.
All of these factors will reduce the effectiveness of any Secure Sockets Layer (SSL) and Transport Layer Security (TLS) which you have put in place as a part of the application’s development.
If you are unfamiliar with either TLS or SSL then now is the time to acquaint yourself. TLS, and SSL before it, is used to add a layer of security to all traffic which has gone through an authentication process – i.e. when you have logged into a website or application, TLS will protect any data which is sent over the network for the duration of the session. SSL certificates are installed on the relevant servers and are in place to act as verification that the site or app to which the user is connecting is genuine.
In this next article in our ongoing series on the future for application developers, we now turn to applications which are commissioned and made for business. The stereotypical image is of a businessman with both his suitcase and his email-enabled phone, hastily checking, reading and replying whilst on the go.
In more recent years this technology has evolved to include programs and applications which have revolutionised video conferencing – with meetings now taking place where none of the participants are in the same country, let alone the same room.
There has also been an increasing shift towards ‘24 hour working’ where business people are working as and when they can, rather than according to pre-set business hours. Businesses are run from people’s home offices, multimillion pound companies have only a handful of employees and it is becoming easier than ever to locate and work with partners and contractors across the globe.
A significant proportion of this rapid expansion and radical shift can be put down to the ever-faster (and indeed cheaper) broadband and 4G connections which we now have access to. It is also down to the fact that businesses are now challenging traditional concepts of ‘how it should be done’ and are instead trying new and radical means through which they can make money.
All application creators and developers are now in a position where they can provide a service to businesses that will soon become invaluable, although some older and larger companies are still reluctant to give over control to new technology and to break away from traditional methods of communication.
Whilst this can seem to be counterproductive, it can often be due to the reasonable argument that there is simply not the ‘right’ application […]
In our recent article, we looked at the question of whether or not an increasingly saturated application market is leading towards an application ‘crash’. There is a strong argument to be made that developing for niche markets is the way forward if companies and developers are to be successful.
The rapidly decreasing cost of technology has meant that a larger number of educational institutions are investing in application-based technology, with a particular focus on tablet computers and touch-control technology.
The reasons for this are twofold. Firstly, touch-screen interfaces are by definition a visual medium and therefore lend themselves to simpler pictorial recognition where complex linguistic understanding has not yet formed, or been able to form. As such, even children working at the lowest level are able to have their learning enhanced through technology. Applications which are built around the recognition of like-for-like images, i.e. matching shapes, allow educators to use technology to provide highly targeted tasks and assessments.
Secondly, a touchscreen interface is ideal for building the vital motor skills which form a fundamental building block of any child’s learning. Writing with a pen and paper, or using the standard mouse and keyboard layout, requires of a child not only a high level of control and dexterity but also a level of hand-eye co-ordination that is simply far too advanced for those working at the lowest levels.
A touchscreen interface, where the child is able to make logical connections between what they touch with their hands and what happens on screen, means that they can learn and develop skills and understanding which would otherwise be far beyond them.
Where then, does this leave developers and innovators of […]
How to keep producing relevant software:
Every new technological advancement brings with it opportunities for new and existing companies and creators to push the boundaries of what is possible, as well as to make money in the process. The most successful creators are those who deliver something innovative and exciting to consumers, providing a new service or form of entertainment which they had not previously considered.
In the seven years since smartphones first became a realised technology, there has been a brand new branch to digital technology, namely mobile applications. This is a market which has only been strengthened by the rise in tablet computing and the drive towards apps for productivity as well as for entertainment.
The marketplace for applications has been growing exponentially and has breathed new life into the portable gaming industry. The revenue streams from applications come largely from either the small fee which users pay to purchase the app or from advertising within free applications. There has also been a trend in recent years towards ‘in-app’ purchases, whereby users can play a game entirely free but are given the opportunity to purchase additional extras which enhance their experience.
The financial success of applications comes from the fact they are often very cheap to buy, and where in-app purchases are made, these too are built on the ‘small but often’ model of users spending small amounts of money on repeated occasions over an extended period of time.
This is a model which has worked extremely well up until now, but is there a tipping point looming? There has been some evidence that users are tending to use their devices less than […]
We have already looked at how applications which use external references to a browser can be vulnerable to attacks (see Unvalidated Redirects and Forwards). With Cross Site Request Forgery you are dealing specifically with an application whose day-to-day functionality relies on HTTP requests coming from the user’s browser. External URL requests are, as we have previously discussed, a risk because they take the user outside of the boundaries of the application. This means that the level of control which you as a developer have is immediately impeded. However, there are still a number of steps you can take to prevent cross site request forgery.
In essence, CSRF forces the user’s browser to send forged HTTP requests which the application believes to be genuine. As this is an attack which targets users who are logged into the application, it immediately opens them up to the potential for data to be stolen by the attackers through what appears to be a genuine request by the application.
Any application which uses links to initiate a change of data is vulnerable to cross site request forgery. This is particularly prevalent with multi-step transactions, i.e. where a user has to click through several different requests in order to carry out the task which they are attempting to achieve. You should consider any request as potentially being one which could be forged by an attacker and which would not be detectable by the application.
A good example would be this: the application stores information about the user and they are able, when properly authenticated, to make changes to their personal data. The effect which CSRF has to cause the […]
During the past month we’ve been focusing on improving NetLicensing, and today Labs64 team is pleased to announce the availability of NetLicensing version 2.0.
We hope you enjoyed Easter holidays, and are ready to try the new NetLicensing.
- LmBox renamed to Labs64 NetLicensing
- Introduced authentication via APIKey (token) for validation and shop access
- API extended with new functionality and attributes for better security and flexibility
- Improved shop checkout process stability
- Introduced new licensing model “Subscription” (“Time Volume”)
- NetLicensing Management console redesigned for better usability
- C# and PHP client libraries adapted to employ the new API features
- Service documentation revisited
- … and many other useful improvements
In the articles which we have already published on the topic of application security, there has been a recurring topic of proper authentication within the application. Applications are built in layers, with different degrees of access being granted to different users; depending upon whether their credentials have been correctly authenticated. Obviously the primary access to the application should be as secure as possible, with timeouts, secure password policies etc. This article will look at the need for secure references within the application.
A direct object reference is when the developer exposes a reference to an internal ‘object’ within the application; essentially, when the code points to one of the ‘parts’ which make up the app. These include the numerous ‘building blocks’ of applications such as specific files, database keys and internal directories. All of these are necessary for the app to work properly for the end-user. The danger which you face by having Insecure Direct Object References is that an attacker can easily modify the parameters which have been generated in their browser to access confidential data.
For example, say you have a secure database which stores payment information for your users; this is done for their convenience and to increase their overall ease of use if the application is often used as a step in making financial purchases. This could also apply where customers have submitted other personal information for you to use in providing them with a better experience. If the application uses an SQL call in which unverified input (i.e. user-supplied data rather than verified credentials) is used to select the account information, attackers can exploit the insecure parameter to access details from any account.
The effect which this can […]
Mobile payment systems are taking root around the globe, reaching major retailers and coffee shops as well as the single-store small and mid-sized boutiques that dot the landscape.
Payments through mobile card-reader apps are currently available from 40% of small and mid-size businesses, or SMBs, according to researcher BIA Kelsey. That number is expected to rise to more than half of SMBs by the end of 2014.
The current trend of using mobile devices to read credit cards is expected to further evolve, however, removing the need for physical cards and eventually your billfold.