Making A Safer TinyWebDB.


alan jackson

Jul 20, 2015, 3:52:20 PM
to app-inventor-o...@googlegroups.com

After using tinyWebDBs in appinventor for a while, and working as an intern (and mentoring for interns) making apps that will be put into public use, I noticed the lack of any form of security for tinyWebDBs. If someone were to know the serviceURL then they can not only go on the appspot page and mess with the data, but write apps that use the data as well. I made some edits to main.py and index.html for the TinyWebDB that make it so a password is required to store or delete data.

This only solves the problem on one front, however. My solution to make appinventor apps incapable of using tinyWebDBs that do not belong to them is to add an optional property to the tinyWebDB component: a "servicePassword" property that is sent with the POST request for storing data in the DB.
Here is that POST request; the change I would make is in bold:


         WebServiceUtil.getInstance().postCommand(serviceURL,
                  STOREAVALUE_COMMAND,
                  Lists.<NameValuePair>newArrayList(
                      new BasicNameValuePair(TAG_PARAMETER, tag),
                      new BasicNameValuePair(VALUE_PARAMETER, JsonUtil.getJsonRepresentation(valueToStore)),
                      // Proposed addition: send the service password with the store request
                      new BasicNameValuePair(PASSWORD_PARAMETER, servicePassword)),
                  myCallback);

I would also add the code to add the property for servicePassword, of course.

The main.py code then just has to have a simple if statement that checks if the password is correct, like so:


class StoreAValue(webapp2.RequestHandler):

  def post(self):
    # Only store when the submitted password matches master_password
    if self.request.get('password') == master_password:
      tag = self.request.get('tag')
      value = self.request.get('value')
      self.store_a_value(tag, value)
    .....


The self.request.get('password') is the same thing that gets the password from the HTML password inputs I added.

This method of adding security could also be done for GetValue as well. But for now I am not quite as concerned about people seeing my database as I am about people storing and deleting my data.

Thoughts? Questions? Concerns? Etc...???

-Alan Jackson
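
The password check proposed above, as an added example that is not part of the original post or of the TinyWebDB project's code. It gates store and delete but leaves reads open, compares the password in constant time, and rejects writes when no password is configured. TinyStore, handle, password_ok, the "deleteentry" command name and the sample password are assumptions made for illustration.

```python
import hmac

# Assumption: these commands change data; reads stay open, as the post proposes.
WRITE_COMMANDS = {"storeavalue", "deleteentry"}


def password_ok(supplied, expected):
    """Constant-time comparison that fails closed if no password is configured."""
    if not expected or supplied is None:
        return False
    return hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8"))


class TinyStore(object):
    """In-memory stand-in for the datastore behind main.py (hypothetical)."""

    def __init__(self, master_password):
        self.master_password = master_password
        self.entries = {}

    def handle(self, command, params):
        """Return (http_status, body) for one request's form parameters."""
        if command in WRITE_COMMANDS and not password_ok(
                params.get("password"), self.master_password):
            return 403, "password required"
        tag = params.get("tag", "")
        if command == "storeavalue":
            self.entries[tag] = params.get("value", "")
            return 200, ["STORED", tag, self.entries[tag]]
        if command == "deleteentry":
            self.entries.pop(tag, None)
            return 200, ["DELETED", tag]
        if command == "getvalue":
            return 200, ["VALUE", tag, self.entries.get(tag, "")]
        return 404, "unknown command"


if __name__ == "__main__":
    # Constructed sample requests; the password is a placeholder.
    db = TinyStore("constructed-example-password")
    print(db.handle("storeavalue", {"tag": "score", "value": "10"}))
    print(db.handle("storeavalue", {"tag": "score", "value": "10",
                                    "password": "constructed-example-password"}))
    print(db.handle("getvalue", {"tag": "score"}))
```

The password travels in the POST body, so this check only protects the data if the serviceURL is reached over HTTPS.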

Sebastiano T.

Jul 21, 2015, 4:01:31 AM
to app-inventor-o...@googlegroups.com
Hi Alan,
I played a bit with custom TinyWebDB and also modified the main.py for my needs.
I think your solution is very good, but I think that if you modify main.py to not expose any web interface to the DB you should be quite safe with your data; in fact, you can read / write the DB only from the developer console if you don't have the web interface.
Even if a user intercepts the URL of your custom tinyWebDB service, I don't think he can do much (for example, just removing the "delete" button will help block users from deleting data).
The attacker should also know what tag you're using in your application. Now, I am not an expert, but I don't think the tag is something easy to intercept when sniffing the traffic of your app.

These are my thoughts, but as I said in the beginning, I am not an expert on the subject.

alan jackson

Jul 21, 2015, 8:52:57 AM
to app-inventor-o...@googlegroups.com
I completely agree with that part; you can easily modify and disable parts of main.py to suit your needs for security. But that does not solve the problem of someone storing data in your database using appinventor. My solution is for users who don't know enough about programming languages to even begin understanding what anything in main.py does. I've heard of cases where someone left their tinyWebDB appspot page open and went to the bathroom, and their friend sitting next to them took note of the link and then made an app that just wrote data into their webDB. And seeing how most advanced users of appinventor release their source code, they might want to release the link to their appspot page with their app so other AI users can look at their data. This is where a password property would come in handy; it would let users look at the data without being able to store data.