App is being Hacked!

Someone is hacking my app! I think they are manipulating the REST API to hack my app. They essentially have full control over it and are creating and deleting accounts and posting things in labels etc.
  • Hello Russ,

    Have you shared your app with someone?
    This should not be possible if you have not granted access to app.
  • Alena,

    I have published the app to the Google Play store and I have also published it as a web app via appery's web publish feature.
  • Hello Russ,

    Could you please clarify, have you limited access to your database somehow?
    http://devcenter.appery.io/documentat...
    http://devcenter.appery.io/documentat...
    And perhaps to some codes/passwords, if they are in the code:
    http://devcenter.appery.io/documentat...

    If you didn't take care of security, then by looking at the source code of the website someone can see the Database-Id, and using it he can make any requests to the database.
  • What would be the best way to try and secure my database? I have looked at the "Secure Collections", but if a user creates an account then they would have a "session key" and would have access to the database anyway, correct? I also looked at the secure REST, but from the documentation page I could not figure out how to implement the secure REST.
  • Hi Russ --

    You can control all users' login process on the server side, but this will need your own custom implementation.

    Could you please describe what exactly is not clear in secure REST documentation?
  • I just can't deduce how the secure REST works from the documentation. I can't figure out how to implement it.

    Essentially I need to be able to hide my database ID from the users so that they can't make random queries.

    Do you know of an example or tutorial about how to do this or about how to implement the server side code like you suggested?

    Thank you for your time and help!
  • Hi Russ,

    Unfortunately secure REST cannot be used with URL parameters like the DB id in REST queries.

    If this information (DB id) is critical for you, it's possible to implement server code that will translate your request to a DB id known only in this server code.

    See details here: http://devcenter.appery.io/documentat...

    Secure REST is useful when you need to invoke a REST API with some common secure information like API keys.

    For example: you need to call Google Maps geocoding. And this API requires some KEY that is common for all your users and not device-specific.

    You don't want to store this KEY in the app (because it could be grabbed from the app by disassembling it).

    In this case you should use Appery.io secure REST.

    In the app you can use "{parameterName}". This request is sent to the Appery.io proxy, where the secure system replaces this "{parameterName}" with the value stored in your database.

    Thus no one can get this KEY from your app, even if they disassemble it.

    Also please try this tutorial http://devcenter.appery.io/documentat... to understand how this mechanism works.

    Regards.
  • Yurii,

    I think I understand what you are saying. For example, I should use secure REST when I am using 3rd-party APIs. Also, when I want to mask my Appery database id I should use server code to do this?

    The issue I am having is someone disassembled my .apk and was able to find my appery database id and they were able to make queries and change all the data in my database. I would like to prevent this from happening again and if I am understanding you correctly you are saying I need to do this with server code?
  • Hi Russ,

    Yes, if you want to hide the "db id" you can use server code for this purpose.

    But you should know that a hacker can use your server code "proxy" to access these collections. So you should implement some ACL yourself.

    Also I guess "secure collections" could be useful for you. Details: http://devcenter.appery.io/documentat...

    "Secure collections" allow access only with a session token.

    Also you can restrict access with ACL field. See details here: http://devcenter.appery.io/documentat...

    Regards.
  • Yurii,

    Do you know of a tutorial/documentation for hiding the "db id"?

    How should I prevent a hacker from using the proxy to access the collections?

    I can't really use ACL and secure collections because anyone can essentially create an "account", and once they have an account they would have a session token, and for ACL I need a collection of "Administrators" to be able to edit all the collection information as well as the specific user.

    I am trying to figure out a way to fix all of this before I publish my app again because the hackers ruined the app pretty bad once they got into it.

    Your help is greatly appreciated and thank you for your time!
  • Hi Russ,

    The ACL field in an item can fully determine the access level: who can read and who can write into this item.

    Unfortunately there are no groups in Appery.io ACL yet.

    But you can create "server script" proxy.

    This proxy will:

    1. Receive "userId" and "token".

    2. Verify "token" by getting user details.

    3. Get the "role" column from the user details, and define whether this user has access to the requested collection and action in accordance with this server script's ACL.

    4. If the user has access, make the request to the known DB id.

    If you are willing to implement it, you can read more about server script here:
    http://devcenter.appery.io/documentat...

    Regards.
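The four-step server-script proxy described above, together with the ACL the earlier reply says such a proxy needs, as an added example that is not part of the original thread or Appery.io's own code. The `ACL` table, the in-memory `USERS` store and the `forward` callback are constructed stand-ins; in a real deployment `verifyUser` would look the user up in the database with the DB id that lives only inside the server script.

```javascript
// Added example (not Appery.io's code): the authorization core of a
// server-side proxy between the mobile app and the database. The DB id
// never leaves the server; the client only sends its userId and token.

// Role-based ACL: which actions each role may perform on each collection.
// Constructed sample policy; the real one lists the app's own collections.
const ACL = {
  posts: { user: ["read", "create"], admin: ["read", "create", "update", "delete"] },
  users: { user: ["read"],           admin: ["read", "update", "delete"] },
};

// Constructed in-memory user store standing in for "get user details".
// In production this lookup is done with the server-held DB id.
const USERS = {
  u1: { sessionToken: "tok-user-1",  role: "user" },
  u2: { sessionToken: "tok-admin-2", role: "admin" },
};

// Step 2: verify the token against the stored session; anything that does
// not match yields no user, so the proxy fails closed.
function verifyUser(userId, token) {
  const user = USERS[userId];
  if (!user || !token || user.sessionToken !== token) return null;
  return { userId, role: user.role };
}

// Step 3: consult the ACL for the role, collection and action. An unknown
// collection or role has no permissions at all.
function isAllowed(role, collection, action) {
  const perms = ACL[collection] && ACL[collection][role];
  return Array.isArray(perms) && perms.includes(action);
}

// Steps 1-4: authorize the request and only then forward it. `forward` is
// supplied by the caller and is the only place that knows the real DB id.
function handleRequest(req, forward) {
  const user = verifyUser(req.userId, req.token);
  if (!user) return { status: 401, body: "invalid session" };
  if (!isAllowed(user.role, req.collection, req.action)) {
    return { status: 403, body: "forbidden" };
  }
  return { status: 200, body: forward(req.collection, req.action, req.data) };
}
```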