What's the best way to ensure privacy during communication between Cordova based mobile app and web server?
Question
I've built a mobile app based on Cordova, for both iOS and Android, i need to make secure communication between app and server. Request to server, in javascript, are like this:
request.open("GET", 'http://url/service?firstElement='+elem+'&secondElement='+elem2, false);
I've tried to use RSA encryption generating public and private key locally using pidCrypt libraries, the 2048bits key requires too long time to be generates, so i've used 512bits. The server is not be able to decrypt the message.
I'm looking for a better solution.
1 answers
solution1
0 2014-09-09 10:29:56
Try Using Send Ajax Request, Like This. I assume that you use php for Dynamic code (Server Side).
Here is Sample of HTML file which presant on your cordova, phonegap directory.
<form method = "post" action = "#!">
<div class="col-md-4">
<span class="help-block">Name</span><input type="text" name="username" class="form-control" />
</div>
<br>
<div class="col-md-4">
<span class="help-block">Password</span><input type="text" name="password" class="form-control" />
</div>
<input type = "submit" value = "Save" class = "btn btn-success right" onClick="UpdateRecord();"/>
</form>
<script>
function UpdateRecord()
{
var name = $("[name='username']").val();
var host = $("[name='password']").val();
jQuery.ajax({
type: "POST",
url: "php/login.php",
/* Or */
/*url: "https://www.yoursite.com/page",*/
data: "username="+ username+"& password="+ password,
dataType: "html",
cache: false,
success: function(response){
if(response == 'true') {
$.session.set("myVar", username);
window.location.href='profile.html';
}
else {
$("#errorMessage").html("Invalid Entry, Please Try Again");
}
}
});
}
</script>
And PHP File for Handle Query.
Please Not that code is not tested and it may change as per your need. You can perform any encryption method and use any function here.
<?php
include 'config.php';
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
if(!empty($username) && !empty($password))
{
//$result = mysql_query("SELECT * FROM ".$db.".users WHERE username='$username' and password ='$password'");
$result=mysql_query("select * from ".$db.".users WHERE email = '$username' ");
while($data = mysql_fetch_row($result))
{
$original_password = $data[3];
$salt = $data[4];
$hashedPass = sha1($salt.$password);
$fullusername = $data[16]." ".$data[17]; // Used Only for create full name session
if ($original_password == $hashedPass)
{
$_SESSION['username'] = $fullusername;
$_SESSION['useremail'] = $username;
$_SESSION['UserID'] = $data[0];
echo 'true';
}
}
}
?>
Edit
request.open("GET", 'http://url/service?firstElement='+elem+'&secondElement='+elem2, false);
Avoid to use GET method while sending sensitive data.
Edit, Helpful Link
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.