How safe is AppGini? How can it be made safer?

If you're a new user of AppGini, feel free to ask general usage questions, or look for answers here.
KSan
AppGini Super Hero
Posts: 252
Joined: 2013-01-08 20:17

How safe is AppGini? How can it be made safer?

Post by KSan » 2013-05-29 19:09

I was wondering... Out of the box we rely on MySQL security for the core database. We have the MySQL credentials embedded in the PHP code generated by AppGini. Then there is the AppGini security layer managing front-end access to the data.

Has anyone done a serious security audit in the total picture?

Any best practices for securing the directories and PHP files with certain user rights to reduce the risk profile?

Is the out-of-the-box installation secure enough to stand up to the nasties of the net?

Lastly, if there was a reason to do this, are there any solutions utilizing encryption coupled with AppGini?

Thanks for your input.

a.gneady
Site Admin
Posts: 1045
Joined: 2012-09-27 14:46

Re: How safe is AppGini? How can it be made safer?

Post by a.gneady » 2013-06-04 00:33

One of the best things you could do to enhance security is using SSL (so that you access your AppGini application using "https" rather than "http") ... I plan to add optional captcha login and/or editing in future releases to prevent brute force attacks. Current AppGini-generated code already takes care of preventing common attacks like SQL injection, XSS, ... etc. If you'd like to encrypt the data stored in mysql, you can use the before_insert and before_update hooks to encrypt incoming data, as well as _init hook to decrypt displayed data.
:idea: Learn all the tips and tricks of customizing AppGini apps through our online course.
:arrow: Mass Update plugin: Update multiple records at once and improve your workflow efficiency.
:arrow: Summary Reports plugin: Build powerful reports and charts for your AppGini apps.
:arrow: Search Page Maker: Compose user-friendly yet powerful search pages for your AppGini apps.

KSan
AppGini Super Hero
Posts: 252
Joined: 2013-01-08 20:17

Re: How safe is AppGini? How can it be made safer?

Post by KSan » 2013-06-04 00:35

Good ideas. I don't have an urgent need for an encrypted site but it would be nice if you could in future provide a simple one table sample app showing how this can be done. Thanks much!!!

a.gneady
Site Admin
Posts: 1045
Joined: 2012-09-27 14:46

Re: How safe is AppGini? How can it be made safer?

Post by a.gneady » 2013-06-04 00:48

Sure .. I'll try to post a tutorial article on that.

bambinou
Veteran Member
Posts: 163
Joined: 2013-02-01 15:09

Re: How safe is AppGini? How can it be made safer?

Post by bambinou » 2013-10-13 15:21

Hi Ahmad,

I know you are very busy with the next release, but I would like to know if you have managed to write something on your website about data encryption and decryption in AppGini with MySQL.

Thank you,

Regards,

Ben

a.gneady
Site Admin
Posts: 1045
Joined: 2012-09-27 14:46

Re: How safe is AppGini? How can it be made safer?

Post by a.gneady » 2013-10-14 00:57

Sorry not yet .. I'm finalizing AppGini 5.20 currently and trying my best to release the beta this week .. once I finish I'll start posting some pending tutorials, including this one.

davea0511
Posts: 14
Joined: 2013-10-11 16:43

Re: How safe is AppGini? How can it be made safer?

Post by davea0511 » 2013-10-23 02:13

I'm also very interested in the SSL example. I tried this one time before, a couple years ago, and it failed.

AhmedBR
Veteran Member
Posts: 194
Joined: 2013-09-19 10:23

Re: How safe is AppGini? How can it be made safer?

Post by AhmedBR » 2016-04-13 23:25

This encryption example is overdue Ahmad :lol: :lol: :lol:

a.gneady
Site Admin
Posts: 1045
Joined: 2012-09-27 14:46

Re: How safe is AppGini? How can it be made safer?

Post by a.gneady » 2016-04-14 22:48

AhmedBR wrote: This encryption example is overdue Ahmad :lol: :lol: :lol:
Oops!! You're right ... time goes by so fast and I'm really surprised how I get dragged by all the tasks I have :/

a.gneady
Site Admin
Posts: 1045
Joined: 2012-09-27 14:46

Re: How safe is AppGini? How can it be made safer?

Post by a.gneady » 2016-04-18 14:02

Ahmed ... you might wish to check this: https://www.mysql.com/products/enterprise/tde.html

AhmedBR
Veteran Member
Posts: 194
Joined: 2013-09-19 10:23

Re: How safe is AppGini? How can it be made safer?

Post by AhmedBR » 2016-04-18 14:32

Thanks, I have seen that, but the server we are using is Percona, so this link does not apply!

I am still reading what Percona has to offer about this.

My requirement for encryption is very simple: just some customer details to be encrypted, no extra sensitive data.
Some AES_Encrypt 128 is good enough.

AhmedBR
Veteran Member
Posts: 194
Joined: 2013-09-19 10:23

Re: How safe is AppGini? How can it be made safer?

Post by AhmedBR » 2016-04-19 19:13

Finally I got a small beta working for this.

I used your code :D for modifying the field caption color to do the decryption of always-encrypted data in MySQL.
This way the MySQL database is ALWAYS encrypted at all times (including at rest).

I do not need to change the code anywhere else, since I always use numbers to do the filtering, grouping etc., never names
(something like: where Client = 3, etc., and never: where Client = 'AppGini Company').

Now, time for some tuning and finding the BUGs etc.

AhmedBR
Veteran Member
Posts: 194
Joined: 2013-09-19 10:23

Re: How safe is AppGini? How can it be made safer?

Post by AhmedBR » 2016-04-20 17:17

I am almost there, but stuck at this point:

I cannot show the decrypted field in Detail view; I tried passing the value to {$data['Client']}, but so far it does not work. Any ideas?

a.gneady
Site Admin
Posts: 1045
Joined: 2012-09-27 14:46

Re: How safe is AppGini? How can it be made safer?

Post by a.gneady » 2016-04-20 23:10

Hmm ... you can either directly decrypt it in the tablename_form() function in the generated tablename_dml.php file (where tablename is the name of the concerned table). Or, if you want to avoid directly editing files outside hooks, add JavaScript code in hooks/tablename-dv.js to update the field through an ajax request to a file that you should create in the hooks folder to decrypt the field.

AhmedBR
Veteran Member
Posts: 194
Joined: 2013-09-19 10:23

Re: How safe is AppGini? How can it be made safer?

Post by AhmedBR » 2016-04-21 00:01

Thanks for the reply, I will try one of them.
But I am still trying to understand why it is not showing anything in the field after update. I mean, it should show the encrypted value, shouldn't it?

AhmedBR
Veteran Member
Posts: 194
Joined: 2013-09-19 10:23

Re: How safe is AppGini? How can it be made safer?

Post by AhmedBR » 2016-04-21 00:05

I am using the BLOB type, and the BLOB type without encryption is showing correctly; once encrypted, nothing is shown in the field.
I think something is passing NULL to the field once it is saved or updated, and it is not the database or the decryption, as it is working fine in Table View.

AhmedBR
Veteran Member
Posts: 194
Joined: 2013-09-19 10:23

Re: How safe is AppGini? How can it be made safer?

Post by AhmedBR » 2016-04-21 00:42

Give it a try (this is how it is happening):
Small table with just ID and Client Name

Encrypt after update hook:

    // AppGini after_update hook body: re-encrypts the stored EncName in place
    // using MySQL's AES_ENCRYPT; $data['ID'] is the primary key of the saved record,
    // $eo is the sql() options/error array
    sql("UPDATE Clients set EncName = AES_Encrypt(`EncName`, 'y~.7~oK.#,3HGr7q14$:')
               where `ID` = {$data['ID']}", $eo);

Once it is updated, the EncName is returned as NULL in details view.
Database is OK, and Table View is OK also (that is, the EncName is shown decrypted correctly!) :roll:
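The approach a.gneady described earlier in the thread (encrypt in the before_insert and before_update hooks, decrypt in the _init hook) and the after_update UPDATE shown above can be combined into one hooks file. The following is an added example written for this thread; it is not AppGini's own code and not the poster's. It assumes a `Clients` table with primary key `ID` and a text (not BLOB) field `EncName`, that AppGini's helpers `sql()`, `sqlValue()` and `makeSafe()` and the `$options->QueryFieldsTV` property of the _init hook's DataList are available in the generated app, and a hypothetical key file `/etc/appgini/clients_aes.key` outside the web root. It stores the ciphertext as hex text with a marker prefix, so the form never receives raw binary and re-saving a record does not encrypt the field a second time, which is one way the "NULL after update" symptom above can be avoided:

```php
<?php
// hooks/Clients.php (added example, not AppGini's or the poster's code).
// Assumed: table `Clients` (PK `ID`, text field `EncName`), AppGini helpers
// sql()/sqlValue()/makeSafe(), DataList property QueryFieldsTV, and a key
// file outside the document root (hypothetical path below).
define('CLIENTS_KEY_FILE', '/etc/appgini/clients_aes.key');

// Marker for values that are already ciphertext. The form posts the stored
// value back unchanged when the user does not edit the field, so the hooks
// must be able to tell "already encrypted" from "new plaintext".
define('CLIENTS_ENC_PREFIX', 'enc1:');

// The key lives in a file the web server can read but never serves, instead
// of being embedded in the PHP source. Returns false if it is unavailable.
function clients_aes_key() {
    static $key = null;
    if ($key === null) {
        $raw = @file_get_contents(CLIENTS_KEY_FILE);
        $key = ($raw === false || trim($raw) === '') ? false : trim($raw);
    }
    return $key;
}

function clients_is_encrypted($value) {
    return strpos((string) $value, CLIENTS_ENC_PREFIX) === 0;
}

// Let MySQL encrypt and return hex, so AppGini stores printable text.
// Returns false when the key is missing so the calling hook can abort the save.
function clients_encrypt($plaintext) {
    if ($plaintext === '' || $plaintext === null || clients_is_encrypted($plaintext)) {
        return $plaintext;
    }
    $key = clients_aes_key();
    if ($key === false) return false;
    $hex = sqlValue("SELECT HEX(AES_ENCRYPT('" . makeSafe($plaintext) . "', '" .
        makeSafe($key) . "'))");
    return CLIENTS_ENC_PREFIX . $hex;
}

// SQL expression that decrypts the stored column, skipping the marker prefix.
function clients_decrypt_expr($column) {
    $start = strlen(CLIENTS_ENC_PREFIX) + 1; // SUBSTRING is 1-based
    return "AES_DECRYPT(UNHEX(SUBSTRING({$column}, {$start})), '" .
        makeSafe(clients_aes_key()) . "')";
}

function Clients_before_insert(&$data, $memberInfo, &$args) {
    $enc = clients_encrypt($data['EncName']);
    if ($enc === false) return false; // no key: refuse to store plaintext
    $data['EncName'] = $enc;
    return true;
}

function Clients_before_update(&$data, $memberInfo, &$args) {
    $enc = clients_encrypt($data['EncName']);
    if ($enc === false) return false;
    $data['EncName'] = $enc;
    return true;
}

// Table view: swap the raw column for its decrypted form in the listing query.
function Clients_init(&$options, $memberInfo, &$args) {
    if (clients_aes_key() === false) return $options; // show ciphertext rather than fail
    foreach ($options->QueryFieldsTV as $expr => $alias) {
        if ($alias == 'EncName') unset($options->QueryFieldsTV[$expr]);
    }
    $options->QueryFieldsTV[clients_decrypt_expr('`Clients`.`EncName`')] = 'EncName';
    return $options;
}
```

With this arrangement the detail view shows the `enc1:` marker string rather than the name; to display plaintext there as well, a.gneady's two suggestions above (decrypting in `Clients_form()` in the generated `Clients_dml.php`, or an ajax call from `hooks/Clients-dv.js` to a decrypting script in the hooks folder) still apply, and the marker check means a decrypted value typed back into the form is simply encrypted again on save. Filtering and grouping must continue to use the numeric `ID`, as AhmedBR notes, because the stored ciphertext is not searchable by name.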

AhmedBR
Veteran Member
Posts: 194
Joined: 2013-09-19 10:23

Re: How safe is AppGini? How can it be made safer?

Post by AhmedBR » 2016-04-21 04:19

Could be a bug in AppGini!
Check this out:
If I create another table and do a lookup (modifying the query to decrypt the EncName), it shows perfectly in the other table! hmmmm

primitive_man
AppGini Super Hero
Posts: 54
Joined: 2014-03-09 20:20

Re: How safe is AppGini? How can it be made safer?

Post by primitive_man » 2016-04-24 15:33

When it comes to safety for AppGini applications, I've tried a few things and have now settled upon one that works well.

In my last application, a database for a large private residential care home:
1st Approach: Usual web app security on a LAN server (mid-range power). This didn't work too well: large amounts of data needing encryption/decryption mired the application down, and I also had problems with printing and alignment that just refused to be resolved. Because the app had a 'front' to the web via the usual problem between the seat and the screen, the possibility of user interference and hack attempts increased.

2nd Approach: Kiosk, compressed. I placed the entire app within the container for 'ExeOutputforPHP'. Again, problems, this time numerous: the compressed/encrypted application was still over 23 MB in size, smaller PCs had memory problems, ExeOutputforPHP often failed to close down properly and there were occasions when 4/5 instances were still in memory, plus those printing problems still refused to FO.

3rd Approach: Kiosk, uncompressed. I liked the kiosk idea: it gave me a chance not only to place my application within a 'secure area', but I could also hide and encrypt the actual link information to the online DB. Additionally, I could protect my work using serial numbers and unique machine IDs... but waiting for the next version of ExeOutputforPHP is still an ongoing process; it's 2 years late already!
Someone suggested 'phpdesktop-chrome'. It doesn't allow me to compress the entire site into a single exe; however, I realised that I didn't need to do that!
In phpdesktop-chrome's www folder I place a single index.html page (created, encrypted and placed using an installer that creates and includes a serial number and unique machine ID plus the link to my now online application). This page also allows me to have a flashy intro to the app; the link goes to a link, which travels to another link, which then starts the application. The application is never exposed to the world, but sits safely beyond anything but expert hacker interference and has no web front. The data is encrypted/decrypted and incremental backups are a breeze using a script I wrote for another app.
I'm really happy with it, as is my client, and the printing problems finally disappeared, thanks to the fact that the latest version of phpdesktop-chrome uses a fairly modern Chromium Embedded Framework (CEF) (v47.5; the current one as of today is v50.0.2661.87 m).

Hope this helps someone.

Yours,
primitive_man
