I have no idea how to even start doing this but how do I detect if a user is using a mobile device/browser and if so send them to a different URL?
There are many different ways to achieve this, including Server-Side and Client-Side solutions.
For the Server Side detection, you can parse the User-Agent String that is sent to the Server. Depending on what programming language you are using, there may be libraries available that do this for you and return something like mobile True/False. You can then send a redirection header to send the user to the mobile site.
For Client Side detection see this question here: What is the best way to detect a handheld device in jQuery?
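The server-side approach described in this answer, as an added example that is not part of the original answer: a small Python WSGI app that matches the User-Agent header and sends the redirect header. The mobile host `m.example.com`, the token list and the `fullsite` opt-out cookie are assumptions; because the header is client-supplied, the match is suitable for routing only, not for access control.

```python
import re
from urllib.parse import quote

# Assumed values for illustration; neither the host nor the token list is from the page.
MOBILE_SITE = "https://m.example.com"
MOBILE_UA = re.compile(
    r"android|iphone|ipad|ipod|windows phone|blackberry|opera mini|mobile", re.I)


def is_mobile(user_agent):
    """Heuristic only: the client chooses this header and can send any string."""
    return bool(user_agent) and MOBILE_UA.search(user_agent) is not None


def redirect_app(environ, start_response):
    ua = environ.get("HTTP_USER_AGENT", "")
    # Hypothetical opt-out cookie so a user can stay on the full site.
    opted_out = "fullsite=1" in environ.get("HTTP_COOKIE", "")
    if is_mobile(ua) and not opted_out:
        # Location is a fixed host plus the re-encoded request path. Never build
        # it from the Host header or a query parameter (open redirect), and
        # re-encode so decoded CR/LF cannot end up in the header.
        path = quote(environ.get("PATH_INFO") or "/")
        start_response("302 Found", [
            ("Location", MOBILE_SITE + path),
            ("Vary", "User-Agent"),  # shared caches must not mix the variants
            ("Content-Length", "0"),
        ])
        return [b""]
    body = b"desktop site\n"
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Vary", "User-Agent"),
        ("Content-Length", str(len(body))),
    ])
    return [body]
```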
I have some content in AEM and I am planning to export that content into a mobile app (React) in a headless way. I am using AEM content as a service, with the Sling content exporter (Jackson), to export the content.
For example, http://localhost:4502/content/we-retail/language-masters/en/course.model.json will export some content to the frontend application (React mobile app). I want to protect this API call, and I should return the JSON response only to my frontend application (React mobile app).
Basically I want to validate who is calling AEM. In this case I want to allow only the mobile app (React) to call AEM and want to reject all others. How do I protect my AEM content?
The one way I am thinking of is to use the Apache Sling referrer filter in AEM. The referrer filter will reject the request if we are not allowing the mobile app (React) in "Allow Host". Is this the correct way to handle it? Is there any other, better way to handle this? How about using the Adobe Granite OAuth 2.0 server?
Please suggest what options are available to protect the content in headless.
As you give the App away (and it is based on JavaScript), you cannot get full security. Attackers could use a jailbroken phone and debug or de-compile your app. But you can easily secure your API in a way that nobody can “accidentally” find the entrance. Nor can the average hacker gain access.
The simple approach = SSL + Basic Auth
Make sure, that your site is only accessible via https (= SSL). Then just add a Basic Auth password, which is hard to guess. This is simple to implement (on Dispatcher and in the App), and developers/operators could still test the API. Only make sure, that the password is obfuscated in your App. So, don’t store it as plain text. A simple XOR encryption is probably enough.
The advanced approach = SSL with client-certificates
Instead of a Basic Auth password, you could use an SSL client certificate (implement that also on the Dispatcher, and NOT in AEM). This is probably a little bit over-engineered, and it can still get lost. But now the attacker must de-compile your App to extract the certificate. The Basic Auth password could theoretically be “found” in other ways – or it could be attacked with brute force.
PS: In both cases you need to monitor your API with some intrusion detection. And you must be able to distribute new passwords or client certificates to legitimate clients.
PPS: Mobile Security is a huge topic. This could not be handled in a StackOverflow question. But to stop script-kiddies from crawling your API, the simple approach is probably good enough.
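The server-side half of the simple approach above (HTTPS plus a Basic Auth password), as an added example that is not part of the original answer and is not AEM or Dispatcher code: a Python WSGI gate standing in for the rule the answer places on the Dispatcher. The user name, passwords and realm are constructed; two passwords are accepted at once to illustrate the rotation the PS calls for.

```python
import base64
import binascii
import hashlib
import hmac


def digest_of(user, password):
    return hashlib.sha256(f"{user}:{password}".encode()).digest()


# Constructed credentials. Old and new are both valid during a rotation
# window, so an app update can ship the new one before the old is retired.
VALID_DIGESTS = [digest_of("mobile-app", "old-constructed-secret"),
                 digest_of("mobile-app", "new-constructed-secret")]


def credentials_ok(header):
    """Validate an Authorization header value; True only for a known credential."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False
    presented = hashlib.sha256(decoded).digest()
    ok = False
    for known in VALID_DIGESTS:  # no early exit; each compare is constant-time
        ok |= hmac.compare_digest(presented, known)
    return ok


def api_gate(environ, start_response):
    def reply(status, headers=(), body=b""):
        start_response(status, [*headers, ("Content-Length", str(len(body)))])
        return [body]
    if environ.get("wsgi.url_scheme") != "https":
        # Basic Auth is only base64-encoded, so never accept it over plain HTTP.
        return reply("403 Forbidden")
    if not credentials_ok(environ.get("HTTP_AUTHORIZATION")):
        # Failed attempts are the events the answer's monitoring should count.
        return reply("401 Unauthorized",
                     [("WWW-Authenticate", 'Basic realm="content-api"')])
    return reply("200 OK", [("Content-Type", "application/json")],
                 b'{"title": "constructed sample"}')
```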
How do Mobile Apps communicate with a server? Does this communication happen over HTTP or are there other methods (for instance, I guess a mobile app could open a socket)? Does this differ from device to device? Is there one most commonly used approach? If the communication happens over HTTP, what do the URLs look like? Is there a way to identify the app based on the "User Agent" in the HTTP request if the communication is happening over HTTP?
Mobile Apps can communicate with a server in many ways. Mobile apps can also use other features of the mobile, for instance SMS or MMS. It's pretty open really. Your question could be "how do computers communicate with a server?".
A mobile app can be as simple as loading a web page. This would be http.
The problem with mobile apps: they run on phones. There are lots of different phone manufacturers and it's up to them (in some cases the mobile phone operators also have weight) what to allow the programmer to do by the choice of operating system.
If you are getting started with mobile apps, take a look at Android; it's pretty simple to get going with if you know a little about programming.
As for the user agent: it depends, but usually if you are using the http API on the phone, you can set the user agent to whatever you want it to be; it's just a string.
Hope this helps!
Communication usually happens over http. Applications usually identify themselves in the User Agent field.
I'm developing a web based application built on codeigniter which will also have a mobile application(blackberry, iphone, android etc.). The web application will be connecting to a (mysql) database to store/retrieve/update data. I would like to know what would be the best solution for having a mobile application store/retrieve/update data.
Taking into consideration performance, flexibility, Security
Look at your device no differently than if it was a browser. They are both clients. All devices (well, at least Android and iOS) provide you with ways to make xhr requests, just like your browser does. So you need an API on your server that your device will use to get the data. Note that if your application does not already have an API, you will need to develop one.
I would like to build a mobile application with the following requirements:
The mobile client applications should request and receive data from a database on a server.
In the future I will probably want to build a web application for the same database.
For communication between the clients and the server I would like to use Google Protocol Buffers.
So I have the following questions:
How does one set up a server to take request and respond with anything other than html. I think that using RPC sounds nice, but I have no clue how to set it up on a server.
I need to find a good web hosting service which will allow me to set up a database and a server that can serve both Google Protocol Buffers and regular web pages with data.
Before I get to making the web app, is there any more lightweight solution that might be better just for communicating with the clients (maybe even a home made tiny server), and how hard would it be to do it with a full scale web server from the start?
Please point me in the right direction so I know what to read up on.
I'm not necessarily looking for specific names of web hosting services but rather an idea what kind of services are available that might meet my needs. I've worked a little bit with django, Spring and Java EE so if there's any solution involving those that would be great, however I'm not afraid of learning something new.
Thanks in advance
Simon
if you still mean http, that is pretty trivial - you simply set an appropriate content-type, and write your data to the response stream. The exact how depends on your web framework and tools, but this is no different to (say) serving generated images on the fly. HTTP requests function fine for messaging scenarios - as simple as making an http request (typically POST) with a protobuf (etc) body, and processing the response in the same way.
can't comment
a web app can be lightweight; certainly more-so than having to configure a non-http service/daemon. The "lightweight" option would be raw sockets, but that is harder to deploy, and you'll have to be more picky choosing a host. Unless you absolutely need this level of terseness (i.e. dropping the http headers and writing your own transport to get close to the wire), just stick with http - it'll be a lot easier to get going and maintain
For info, I have a blog post on doing this with ASP.NET MVC; this isn't intended to mean "do this" (heck, use whatever tools help you) - simply, it is meant to show the kind of thing necessary.
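The point about setting a content type and writing the data to the response stream, as an added example that is not from the original answer or its linked blog post: a Python WSGI endpoint that accepts a POST with a protobuf body and answers in kind. The message schema, the `application/x-protobuf` media type and the size cap are assumptions, and the wire format is hand-encoded so the block needs no protobuf library.

```python
MAX_BODY = 64 * 1024                  # assumed cap on request size
PROTOBUF = "application/x-protobuf"   # assumed media type; widely used, not standardised

def encode_varint(n):
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | (0x80 if n else 0))
        if not n:
            return bytes(out)

def decode_varint(buf, pos):
    result = shift = 0
    while pos < len(buf) and shift <= 63:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
    raise ValueError("truncated or overlong varint")

def protobuf_app(environ, start_response):
    def reply(status, body=b""):
        start_response(status, [("Content-Type", PROTOBUF),
                                ("Content-Length", str(len(body)))])
        return [body]
    if environ.get("REQUEST_METHOD") != "POST":
        return reply("405 Method Not Allowed")
    ctype = environ.get("CONTENT_TYPE", "").split(";")[0].strip().lower()
    if ctype != PROTOBUF:
        return reply("415 Unsupported Media Type")
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
        if not 0 < length <= MAX_BODY:
            raise ValueError("missing or oversized body")
        data = environ["wsgi.input"].read(length)
        # Request (assumed schema): field 1, wire type 0 (tag 0x08) = item id.
        if data[:1] != b"\x08":
            raise ValueError("expected field 1 as varint")
        item_id, end = decode_varint(data, 1)
        if end != len(data):
            raise ValueError("trailing bytes")
    except ValueError:
        return reply("400 Bad Request")
    # Response (assumed schema): field 1 varint id, field 2 (tag 0x12) bytes name.
    name = b"item-%d" % item_id
    return reply("200 OK", b"\x08" + encode_varint(item_id)
                 + b"\x12" + encode_varint(len(name)) + name)
```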
Is it possible in a GSM mobile phone OS (e.g. Android, Win Mo, Symbian, etc.) to have some kind of background task or application able to exchange data at the same time with a web server and a secure element of the mobile?
The purpose is for the web server to be able to push APDUs to the secure element (and retrieve response APDUs) without activating the IHM of the mobile.
NB: I know that this is possible when the secure element is the one managing the GSM baseband, for example using BIP as described in Ulysse specifications. My question is only when using another secure element (e.g. Java Card in a microSD).
Sorry, I used the French acronym "IHM" in place of "MMI" (man-machine interface).