  • 2 replies
  • Latest Post - ‏2012-11-08T14:56:22Z by SystemAdmin
SystemAdmin
2327 Posts

Pinned topic SQL Adapter Security Clarification

‏2012-11-06T17:08:35Z |
I tried doing some research via the documentation and previous posts in the forum, but I wanted to make sure I understand the SQL adapter's security implementation:

1) The SQL Adapter lives in the server, no part of it is on the phone. So if I crack open a .apk or .ipa I wouldn't see the SQL commands or database location/username/password.

2) When I call a SQL Adapter's procedure the only data moving between the device and server are the parameters of the procedure and the JSON response.

3) All the security I need to implement for best practices would be HTTPS/SSL to make sure the calls in #2 are not just plain text traveling around.

Am I missing anything from my end that I would need to implement security wise? Am I missing anything in my understanding of how the Adapter and phone communicate?

For background, the app we are building doesn't do anything mission critical, nor do we handle personal information apart from e-mail addresses, we just want to make sure someone can't inject their own SQL statements or get access to our SQL code and modify it for malicious purposes.
  • SystemAdmin
    2327 Posts

    Re: SQL Adapter Security Clarification

    ‏2012-11-07T16:10:37Z  
    I'm not a security guy so you may want a second opinion.

    1) The SQL Adapter lives in the server, no part of it is on the phone. So if I crack open a .apk or .ipa I wouldn't see the SQL commands or database location/username/password.

    Correct.

    2) When I call a SQL Adapter's procedure the only data moving between the device and server are the parameters of the procedure and the JSON response.

    Correct.

    3) All the security I need to implement for best practices would be HTTPS/SSL to make sure the calls in #2 are not just plain text traveling around.

    No, that would only stop eavesdroppers packet sniffing on your network from seeing requests and responses in plain text between the mobile app and the WL Server.

    You should sanitize user input; don't blindly trust the parameters that come in to the Worklight Adapter. Here's an article regarding SQL injection:
    http://www.unixwiz.net/techtips/sql-injection.html
  • SystemAdmin
    2327 Posts

    Re: SQL Adapter Security Clarification

    ‏2012-11-08T14:56:22Z  
    I'm not a security guy so you may want a second opinion.

    1) The SQL Adapter lives in the server, no part of it is on the phone. So if I crack open a .apk or .ipa I wouldn't see the SQL commands or database location/username/password.

    Correct.

    2) When I call a SQL Adapter's procedure the only data moving between the device and server are the parameters of the procedure and the JSON response.

    Correct.

    3) All the security I need to implement for best practices would be HTTPS/SSL to make sure the calls in #2 are not just plain text traveling around.

    No, that would only stop eavesdroppers packet sniffing on your network from seeing requests and responses in plain text between the mobile app and the WL Server.

    You should sanitize user input; don't blindly trust the parameters that come in to the Worklight Adapter. Here's an article regarding SQL injection:
    http://www.unixwiz.net/techtips/sql-injection.html
    Thanks a ton! That's actually exactly what I was looking for. Thanks for pointing out the SQL injection, I had totally skipped that in my mental list!

    Ralph Pina