Comparing cross platform development tools

Apache Cordova (Phonegap) VS Appcelerator Titanium

The prominent leap in the world of development is cross platform development. The code written once can be built and run any where. This is greater advantage for both an developer and an business customer. From an business perspective, it saves the development cost and the time to release their product in all platforms . In the desktop application development Java played an very important role in platform independence. Now for the mobile development there are two solutions that provide their unique way for the cross platform development.They are Phonegap and Titanium Studio .

Phonegap

Phonegap is an opensource framework , which helps to develop cross platform apps using HTML,JavaScript and CSS. It supports nearly 7 platforms to build the app with. It also supports many tools and frameworks to develop the User Interface. The best ones will be sencha because it gives you the look and fell of a mobile application. Phonegap also allows you to use the phone features with its in-built API'S and enhance your application.

Appcelerator Titanium

On the other hand the Appcelerator Titanium develops native apps using JavaScript . It doesn't support CSS3. Without these two it gives a good performance . It compiles the code with their native IphoneSDK or JVM for android. It also supports more than 15 cloud services to connect your app .

Comparison between both

	Titanium	Phonegap
Java Script	Yes	Yes
HTML5	Yes	Yes
CSS3	No	Yes
DOM based JS	No	Yes
Native Code	Yes	Yes
Native UI Performance	Yes	Yes

My Dissertation Secure tablet application for portfolio managers

The ultimate aim of the project is to secure a tablet application that is used in the financial sector for transactions. This project will encounter the various security issues faced by mobile devices and attempts to provide one or more solutions to the threats. The project was initiated with the investigation of threats that could attack the tablet application. Though the evolution in technology has made many things possible, the most profound architectural challenge lies in the security of the system. It also puts the solutions into practice and displays a secure application for portfolio managers. The secure application will be encapsulated with different layers of security, so that even if the device is lost, the user can still secure his data from being used by unwanted users. The project on a whole looks at the security from developer and end user perspectives.

Application running on Android

Logout screen confirms to save

Same Application on IOS IPAD

The project begins with the analysis of various threats that could affect a tablet-based application. It mainly deals with storing a data securely in a tablet device, securing the inter process communications & avoid hacking its data by other applications. It also deals with the secure server interactions. The project also secures the “intent” messages & broadcast signals to avoid the hacking data by other applications. It ensures that even when the device is jail-broken (A jail-broken phone can be used with any service provider or can be updated independently from the device manufacturer) the person should have a password, to decrypt the data from the device. The user identity and access will be validated by an identity management server and authorized before they log on to the corporate server. The portfolio application will fetch the data from a JSON servlet and displays it on the tablet. So the project required that server communication be secured with SSL/TLS by authenticating both server and client using certificates. The data transferred will be done using JSON objects. Normally applications use 1-way SSL where the client usually verifies the server, however in this scenario a 2-way SSL encryption is used where both client and server verify each other. The application is restricted to communicate only with specific web servers. On top of all the above mentioned security, the application will connect via Virtual Private networks (VPN) based connectivity to the corporate network along with split tunneling, which ensures the best security for the project.

Securing Server Interactions

Securing server communications:

The android uses the standard way of communication (HTTPS) connection using the HttpsURLConnection class

HttpsURLConnection urlConn = new HttpsURLConnection("https://
clientaccess.example.com");

Once the connection has been made you can check the connection using the

getServerCertificates() which gives you the server certificate with the server name and other stuff. If the server certificates don’t match with the server connected, it brings out an exception and terminates that connection. The hostname verification can be done with 3 different interfaces.

AllowAllHostnameVerifier

This hostname verifier turns hostname verification off. As long as the certificate that is presented by the server is trusted comes from a trusted Certificate Authority . It just accepts regardless of the hostname and the URL match.

StrictHostnameVerifier

This hostname verifier is the same as the verification in the default. It checks the first CN present in the server certificate against the hostname specified in the URL and also checks all of the subject entries in the certificate for a match. Wildcards are allowed, but only up to one level. For example,*.example.com would match server1.example.com, but not server1.domain1.example.com.

BrowserCompatHostnameVerifier

This hostname verifier is just like StrictHostnameVerifier, but wildcards in the certificate name will match multiple levels. It accepts server1.domain1.example.com if you specify *.example.com.

In the above three verifications StrictHostnameVerifier has the more secure interaction with the server

HostnameVerifier newHV = new StrictHostnameVerifier();
HttpsURLConnection.setDefaultHostnameVerifier(newHV);

We can also verify and limit the server certificates by creating our own HostNameVerifier class and allow only few certificates that we need to allow.

Private client server communications:

Client side authentication

To have a private client server communications we ourselves generate a self signed certificate in the server which will be valid for one year and it will be stored in the certsjks in JKS format. We cannot use it directly in our android application so we need to convert it onto a BKS key store.Once the certificate is been produced we need to access in our application for the secure authentication. We use key store object to do it.

Key store for creating the server certificate.

KeyStore selfsignedKeys = KeyStore.getInstance("BKS");
selfsignedKeys.load(context.getResources().openRawResource(R.raw.selfsignedcertsbks),
"genericPassword".toCharArray());

When the key store loads the server certificate we call the trust manager to check it.

TrustManagerFactory trustMgr =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustMgr.init(selfsignedKeys);

The trust manager factory object will verify the self signed certificate.

Once we have the Trust Manager Factory, we can create the SSLContext that we will need to make SSL/TLS connections using our certificate.

SSLContext selfsignedSSLcontext = SSLContext.getInstance("TLS");
selfsignedSSLcontext.init(null, trustMgr.getTrustManagers(), new SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(selfsignedSSLcontext.getSocketFactory());

Then we call the init () with 3 parameters. The client side keys, trust manager factory and the secure random.

Server- Side authentications:

The client will verify the server that it logs in but the server does not check to which client it communicates. When we work in a controlled environment the server needs to make sure it communicates with the correct device.

To do this we need to create a client certificate for the server to validate it and conform that it is communicating to the correct device. This should be done in the web server. The client certificate will be stored in the clientauthcertsBKS store .we have two key stones for the client and the server, so we now create a authenticated secure SSL/TLS connections.

Key store for the client certificate. The code remains the same but instead of trust manager we use key manager which sends the client certificate to the server for the client side authentication.

KeyStore clientauthKeys = KeyStore.getInstance("BKS");
clientauthKeys.load(context.getResources().openRawResource(R.raw.clientauthcertsbks),"genericPassword".toCharArray());
KeyManagerFactory KeyMgr=KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyMgr.init(clientauthKeys, "genericPassword".toCharArray());

Then we create a key manager factory similar to the trust manager factory to generate the key manager which holds up the client certificates.

Next we will create a SSLContext for the same as we did for the server authentication.

SSLContext privateSSLcontext = SSLContext.getInstance("TLS");
privateSSLcontext.init(keyMgr.getKeyManagers(), trustMgr.getTrustManagers(),
new SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(privateSSLcontext.getSocketFactory());

Once you have done with the SSL Context we have to call the init() with the 3 parameters

We use key manager as the first parameter , trust manager and then the secure Random function.

We now have an SSL/TLS configuration that restricts which server certificates

we will accept and includes client certificates that we can use to identify ourselves to those servers. By making use of these constructs, we can fully specify how we want our SSL/TLS communications to act for our application. The ability to specify both who we are willing to talk to and to whom we will identify ourselves allows the creation of private, secure communication tunnels that are both mutually authenticated and encrypted.

Android Application Security

Application Security Tips

The android architecture is a successor of Linux architecture, it uses the same security model. The android architecture has got several levels of permissions to which we can secure our application. To start with every application will have a unique id called user id (UID), created when installing an application. The applications run only on that UID. All permissions, data access, intent messages were sent using UID. We can configure the permissions to accept or reject the actions done by the application using the UID. The UID is unique and never gets repeated even when you install the same application in any other device.

The application also has a share user id which helps share the data of the application with other applications developed by the same developer. Each developer has got a digital signature and it bundled when you pack an application. The share user id uses the digital signature and verifies it and shares its data that application.

Configuring share user ID in Androidmanifest.xml

            <manifest xmlns:android="http://schemas.android.com/apk/res/android"

       package="com.sencha.portfolio"

       android:versionCode="1"

       android:versionName="1.0"

       android:shareUserId='com.sencha.portfolio.sharedUID" >

</manifest>

Adding the various permissions that your App can use can be determined in the following permissions tab.

Each activity or a process that an application runs can be made private to that process. By default that application will start that process with reference to the UID of an application. If two applications run a same process, to save time and memory we can share it using the share user ID concept.

each activity of your app can be secured in the same GUI

<activity

.

.

android:name="ActivityNumber95"

android:process=”com.sencha.portfolio.ShareProcessIDnumber”

</activity>

Android File system:

The application runs with its own UID and uses the same for the data storage as well. This design prevents the other applications to access this applications data. It creates the path of storage with the package name and the directory is assigned to the concern UID. This makes the data inaccessible to other applications. The assigned UID act as owner and has got all permission to read or write.

The application creates the files in the directory assigned and android allows specifying the permissions for the same. This can be done using the function call openFileOutput().

There are three levels of granting access to the files

1)MODE_PRIVATE

2)MODE_WORLD_WRITABLE

3)MODE_WORLD_READABLE.

To make your application more secure we need to use only private mode so that it can be accessed only by the concern application.

Barclay's Pingit Review

First of all kudos to the app developers. The idea of making a common app for any bank access is a very innovated development in the integration of various banks and their accounts. Barclay's have taken a wide step in this development. Lets move on to the app, The Barclay's Pingit has given a very rapid development in the recent days. Initially it had very limited facilities like checking balance and sending money,but now they had enabled the view to show the various transactions done with the accounts and a separate view for Pingit transactions.

The Version 1.2 of Pingit has improved a lot in the various options to see the bank transactions, local branch and share it with various friends. The GUI of the individual views (Bank transactions,show balance, Pingit transactions and other options ) were designed very well but the home view to all these options wasn't impressive. The user wont be given a clear view of various options available in the app.Couple of the options are hidden from the main view but still connected via the main view. The real estate of the user screen hasn't thought properly before the design. On a whole the views were assorted and user needs ample of time to understand the culture of the app.

With respect to the performance the app has given its best where it can. The transactions made through the Pingit is ultra fast and it reaches the receiver the next moment. The transactions are made through the mobile numbers connected to the respected accounts and bank. It has made it very easy and secure ,faster than anything. But often the app gets an error because of no connection with the server. Though the device has got enough of service provider signal it fails to make the connection with the server. The app works even in GPRS connections.

The Pingit app has got enough of security features enabled. It wont store any data in the card . All data directed to device memory . It just store the policy, phone number and app UID. In the latest version released it has crashed the whole app in blackberry device. and it holds up lots of memory. The App also runs in background which is major flows in the security. Any secure App will never be given permission to run in the background.This causes information threat.Even you dont exit the App it has to auto-close itself so that the data security can be maintained.

Tier Two Authentication Using OpenAM

The one time password usually generated with a RSA token device or nowadays it got developed with an application in a mobile that produces the one time password for the tier 2 authentication. The user login requires the token password which the RSA produces, but the users are forced to have the device with them always when they need to login. Once the token produces a password it cannot be reused. OpenAM offers a ready to use OTP based on authentication module to deliver the password via email or a text SMS. OpenAM ensures a hashed message authentication. The HOTP authentication module is configured to work as part of an authentication chain that includes a first factor authentication (Usual login credentials Username and password).The HOTP requires at least one authentication done before it delivers the OTP.

Steps to configure HOTP

Login to OpenAM Administrator console ->Access Control tab ->Realm->Authentication. Then Click on Module Instances ->New to create a Module instance. Assign a name to the HOTP. (HOTP)
Configure the HOTP authentication module properties.
Configure the authentication chain that includes HOTP authentication module.HOTP cannot be a primary(first ) authentication module.
Since it cannot validate the User with his credentials. To create an authentication chain goto the openam admin console select Access Control ->Authentication Chaining.Click New Assign a name and choose HOTP- module instance Required
Now the HOTP configuration is completed. Then create a user profile and add the details then for the telephone number. For a complete list of Email to SMS Gateways refer to:http://www.mutube.com/projects/open-email-to-sms/gateway-list/
Test drive the configured One-time Password based OpenAM authentication, by accessing the URL of the configured “Two-factor” authentication chain as follows:

http://openAMserver:port/opensso/UI/Login?service=Two-factor

Configuring HOTP authentication

Making HOTP as Authentication chain

Wonders of OpenAM

Here is my first blog about the various servers I work . Lets start with the latest one I was working, OpenAM the Single sign on server. With the help of OpenAM, a secure login with the corporate servers are made easy . It ensures that the user can login various applications accounts with the same user name and password. The user details irrespective of the applications are verified in the corporate servers and validated with the token .The OpenAM can also be configured with the LDAP for the data services.

Installing & Configuring OpenAM
pre-requirements

Apache HTTP server http://httpd.apache.org/download.cgi
Apache Tomcat server http://tomcat.apache.org/download-60.cgi
Reverse proxy the Apache tomcat application (OpenAM works only with a proper domain name. To access the OpenAM we need the access it via domain name i.e.it wont work with localhost:8080/openam. It works only with example.com/openam

Configuring the openAM

Download the OpenAM http://www.forgerock.org/openam.html
Retrieve the WAR file from it and place it in the webapps folder of the apache tomcat.
Start the Apache server
Open the browser and log into the local domain and connect to OpenAM via application server
http://127.0.1.1:8080/OpenAM

Click on the default config

Enter the password for the admin. Note : Default password should be different from policy agent password

configuration complete

Sad's Tech Update