Codename one Application Network Security & Other Questions - codenameone

I have implemented one enterprise application using codename one framework but the application is accepting a self signing certificate from trusted CA, which is know as a certificate pinning vulnerability.
So, How can I disallow the application to accept all certificates such as
org.apache.http.conn.ssl.AllowAllHostnameVerifier or SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER ?
And also how can I remove permission WRITE_EXTERNAL_STORAGE and I have also observed there is one unknown permission is there com.google.android.c2dm.permission.RECEIVE. How can I remove this ?
Moreover, How can I disabled debuggable flag for android in codename one and how to protect binary so that no one can reverse-engineered.
Thanks,

Codename One applications are obfuscated by default and harder to reverse engineer than typical native apps as we don't use the XML format that's rather easy to reverse engineer. Debuggable flag is also disabled for the release version which we build by default unless you explicitly stated otherwise in the settings or didn't set a signing certificate.
WRITE_EXTERNAL_STORAGE is a special case permission we add by default for compatibility with older versions of Android. You can disable it using the build hint android.blockExternalStoragePermission=false. The other permissions are added based on API usage as described in the developer guide.
Certificate pinning (or SSL pinning) was implemented since the question was originally asked see this post.

Related

Turning off android.permission.INTERNET in CodenameOne

At http://www.codenameone.com/blog/androids-permissions.html, it says this about internet permissions:
android.permission.INTERNET - this is a hardcoded permission in Codename One, the ability to connect to the network is coded into all Codename One applications.
Is it possible to turn this off or override it? The wording suggests otherwise. But I'm writing the rare application that has no need to access the internet. This will be obvious to my users as well. So when my users try to install my application, they may think it's asking for internet access to pass on marketing information. I'd rather not ask my customers for any privileges that I don't actually need.
You can use the build hint android.removeBasePermissions=true
This is covered here.

What are the benefits of running Kerberos with an authorization-backing server like LDAP/Active Directory/SPNEGO?

I've been tasked with implementing a Single Sign-On solution in an environment which uses Kerberos with an Active Directory server for the actual storing of the users and their groups. I understand that Kerberos does not support privileges/groups and that this is the reason to be forced to use a backing server like, for example, LDAP, or Active Directory. This is all fine and clear, but what I don't quite understand is why you would still be using Kerberos, when you could simply be connecting to LDAP or Active Directory directly instead and dropping the whole overhead of yet another server.
What am I missing here...? Please advise! Many thanks in advance!
Their is no overhead for another server. Active Directory combines all necessary services in one product.
Kerberos has tremendous benenfits:
One login for all systems
Transparent subsequent login
Ciphered ticket exchange, even full transport encryption is possible
Delegation of credential is supported out of the box
Implemented and well documented in Unix and Windows for almost two decades
I use Kerberos via AD for years in Java and C on Unix and Windows with great success. I wouldn't use anything else in a corporate environment.

Windows Phone Phone Capabilities used by Application

I have a class library which is a set of helper classes to develop windows phone 7 applications.
One of core helper classes I have in this library is responsible to provide location service functionalities, so it uses ILocationWatcher and references to System.Device.
Now the problem is even if I don't use this helper class (i.e. LocationWatcher will never be started) after submitting the app in marketplace, it shows "Location services" as one of capabilities my app is using.
I believe the way marketplace detects this, is more or less analysing all codes and libraries within the project.
How can we somehow override this behaviour?
Capabilites are detected using static analysis when your xap is submitted to the marketplace.
The location capabiltiy is reported if you reference the assembly System.Device and use the namespace System.Device.Location.
All assemblies in your XAP are analysed. Even ones you get from 3rd parties.
If you don't want the capability to be reported in the marketplace then remove the references which triggers its detection.
You may want to consider how you structure your shared/common libraries/code with this in mind.
You can check your used capabilities with the free capability detection tool supplied with the second Mango SDK beta. If you use location without defining it at the WMAppManifest.xml, the user will get a "Access denied" message and your app will throw an UnauthorizedAccessException. Afaik there is no possible way to circumvent this behaviour. It is meant as a security feature to warn users before they install a app so they can check on marketplace what features the application will want to use.
I don't believe it is analyzing the code. Rather it is using the manifest's Capabilities section to determine what is required. You can learn more about that section here:
http://msdn.microsoft.com/en-us/library/ff769509(v=vs.92).aspx#BKMK_Capabilities
Does the application's manifest include ID_CAP_LOCATION? If it does, and you aren't using it - it can safely be removed.

Can Google App Engine ever support SSL with custom domains (i.e. with Google Apps)? [duplicate]

This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Does Google App Engine support SSL for apps hosted as mydomain.com?
I know that GAE does not support this yet, but is there any reason it can't be done? If they can add support, I'd assume they're working on that. Have they said anything about this publicly?
There are a few different ways they might choose to handle this, including automatic IP address re-routing and SNI. It has been one of the most requested features for well over a year, and very recently, they officially put it on their Product Roadmap. It was also mentioned in their App Engine for Business announcement.
SSL for custom domains is supported for tests since October 2011.
Update:
Full description of SSL for a Custom Domain.
App Engine has now launched SSL for Custom Domains. You can choose from either SNI or VIP based SSL. Wildcard and multi domain certificates are supported which allow you to use your certificates across multiple applications and domains.
They can - there is no technical reason why not, especially with newer TLS versions (RFC 4366) which support virtual hosted SSL/TLS. Before this point an SSL session required a dedicated IP per certificate.
There is no such support at the moment but it's noted in the roadmap for upcoming releases.
You can run SSL on your custom domain by using a third-party service. Here's a HOWTO I wrote up explaining how to do it using CloudFlare:
http://blorn.com/post/20185054195/ssl-for-your-domain-on-google-app-engine
They found an interesting way around the one-cert-per-IP address. Since they register the certificates, they register each cert with 20+ domains on it. That way they multiplex 20 different domains on a single IP address.
At any rate, we use it at Voost and we're pretty happy with it.

How do I verify the host server's certificate in Silverlight?

I am concerned with MITM attacks in the Silverlight application I am writing. The site will be running over SSL. If my site is the victim of a MITM attack, as far as I know, my only defense right now is the warning page the browser displays when the site's certificate is untrusted. Since it is only a browser, the best it can do is simply warn the user and then let them through anyway. User's can be click happy, and tend to not read things. Therefore, chances are they will read this warning, scratch their head, and continue on to the site. My thought was that since I am writing a robust Silverlight application, I should be able to either detect if the browser is seeing a certificate error, or perform that same verification that the browser performs. Then if I determine that there is a problem, I can simply lock down my entire app so that the user does not expose any critical information to the MITM. The problem that I am having is that I can't seem to find the right classes in Silverlight's limited subset of .NET to do what I need to do. Does anyone know how I can accomplish this goal, or a different way around this issue?
This isn't possible as far as I know - Silverlight uses the browser's networking stack, and as a result relies on its networking warnings and security infrastructure.
Silverlight 3 added a new networking stack, but I believe that in general the same applies: your host server's certificate is validated when the .xap (Silverlight application) is downloaded by the browser, and not something you can check or interact with in code.
IMHO You may check the certificate that is stored locally since browser will save a copy of it after SSL request.
Check out this article. I hope it will give you some hints

Resources