This only solves the problem on one front, however. My solution to make App Inventor apps incapable of using TinyWebDBs that do not belong to them is to add an optional property to the TinyWebDB component: a "servicePassword" property that is sent with the POST request for storing data in the DB.
Here is that POST request; the change I would make is in bold:

    WebServiceUtil.getInstance().postCommand(serviceURL,
        STOREAVALUE_COMMAND,
        Lists.<NameValuePair>newArrayList(
            new BasicNameValuePair(TAG_PARAMETER, tag),
            new BasicNameValuePair(VALUE_PARAMETER, JsonUtil.getJsonRepresentation(valueToStore)),
            new BasicNameValuePair(PASSWORD_PARAMETER, servicePassword)),  // proposed addition
        myCallback);

I would also add the code to add the property for servicePassword, of course.
The main.py code then just has to have a simple if statement that checks if the password is correct, like so:

    class StoreAValue(webapp2.RequestHandler):
        def post(self):
            if self.request.get('password') == master_password:
                tag = self.request.get('tag')
                value = self.request.get('value')
                self.store_a_value(tag, value)
            .....

The self.request.get('password') is the same thing that gets the password from the HTML password inputs I added.
This method of adding security could also be done for GetValue as well. But for now I am not quite as concerned about people seeing my database as I am about people storing and deleting my data.
Thoughts? Questions? Concerns? Etc...???
-Alan Jackson
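
The password check proposed in the post above, as an added example that is not part of the post or of the App Inventor code: a framework-free stand-in for the StoreAValue handler that compares in constant time and refuses the write when the password is missing or the server's master password is unset (webapp2's request.get returns '' for an absent parameter, so a plain == against an empty master password would accept every request). The names password_ok, naive_ok, handle_store, MASTER_PASSWORD and the dict used as the store are hypothetical; only the 'password', 'tag' and 'value' parameter names come from the post.

```python
import hmac

# Constructed sample secret; a real service would load this from configuration.
MASTER_PASSWORD = "constructed-sample-secret"


def naive_ok(supplied, expected):
    """The plain equality check: passes when both sides are empty."""
    return supplied == expected


def password_ok(supplied, expected):
    """Constant-time comparison that fails closed on an empty value."""
    if not supplied or not expected:
        return False
    return hmac.compare_digest(supplied.encode("utf-8"),
                               expected.encode("utf-8"))


def handle_store(params, db, expected=MASTER_PASSWORD):
    """Stand-in for StoreAValue.post.

    params is the decoded form data (dict), db is a dict standing in for the
    datastore. Returns an HTTP status code.
    """
    # Mirrors self.request.get('password'), which yields '' when absent.
    if not password_ok(params.get("password", ""), expected):
        return 403  # reject before touching the data
    db[params.get("tag", "")] = params.get("value", "")
    return 200


if __name__ == "__main__":
    store = {}
    good = {"tag": "score", "value": "10", "password": MASTER_PASSWORD}
    print(handle_store(good, store), store)
    # No password supplied: rejected, stored value unchanged.
    print(handle_store({"tag": "score", "value": "0"}, store), store)
    # Master password accidentally left empty on the server.
    print(naive_ok("", ""), handle_store({"tag": "score", "value": "0"}, store, expected=""))
```

The same password_ok check can guard the GetValue path if reads should be restricted as well.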