Secure Development for Mobile Apps: How to Design and Code Secure Mobile Applications with PHP and JavaScript

Secure Development for Mobile Apps: How to Design and Code Secure Mobile Applications with PHP and JavaScript

By: J. D. Glaser (author)Paperback

Only 1 in stock

£42.74 RRP £44.99  You save £2.25 (5%) With FREE Saver Delivery

Description

The world is becoming increasingly mobile. Smartphones and tablets have become more powerful and popular, with many of these devices now containing confidential business, financial, and personal information. This has led to a greater focus on mobile software security. Establishing mobile software security should be of primary concern to every mobile application developer. This book explains how you can create mobile social applications that incorporate security throughout the development process. Although there are many books that address security issues, most do not explain how to incorporate security into the building process. Secure Development for Mobile Apps does exactly that. Its step-by-step guidance shows you how to integrate security measures into social apps running on mobile platforms. You'll learn how to design and code apps with security as part of the process and not an afterthought. The author outlines best practices to help you build better, more secure software. This book provides a comprehensive guide to techniques for secure development practices. It covers PHP security practices and tools, project layout templates, PHP and PDO, PHP encryption, and guidelines for secure session management, form validation, and file uploading. The book also demonstrates how to develop secure mobile apps using the APIs for Google Maps, YouTube, jQuery Mobile, Twitter, and Facebook. While this is not a beginner's guide to programming, you should have no problem following along if you've spent some time developing with PHP and MySQL.

About Author

J.D. Glaser is a software developer who loves building things. Circumstance led to a career in developing Windows security software and speaking all over the world on Windows forensic matters. He has trained government agencies in forensic issues and the U.S. Department of Justice has used his tools to capture and convict cybercriminals. He now specializes in building large social games in PHP and keeping players secure in cyber space.

Contents

Foreword Introduction Industry Analysis Preface Acknowledgments Biography Introduction to Mobile Security Development Understanding Secure Web Development What This Book Is What This Book Is Not Prerequisite Technologies Applying Architecture Tools to Security Creating Consistent Reusable Code from Project to Project Mobile Application Using HTML5, AJAX, and jQuery Mobile Mobile App-A Social Mashup Client Technologies Client Application Layout Server Application Evolution of Security Measures SQL Injection to XSS to CSRF Battle for Output Context New Technologies HTML5 Bad Practices Invite Holes Security as Add-on Lack of Information Lack of Consistency A New Mindset for Web Application Security Web Application Attack Surface Attack Vectors Common Threats SQL Injection Cross-Site Scripting Cross-Site Request Forgery Session Hijacking Defending Input and Output Streams: First Glance GET Requests POST Requests COOKIE Data Session Fixation Cross-Site Request Forgery Theory of Input Filtering and Output Escaping Input Validation Input Filtering Output Escaping You Must Know Where Your Data Is Displayed PHP Security Anti-Patterns Anti-Pattern #1 Not Matching Data Character Set to Filter Character Set Not Designing with Content Security Policy Anti-Pattern One Size Fits All Anti-Pattern Misinformation Anti-Patterns The Mantra Anti-Pattern Critical Data Type Understanding and Analysis Single Data Type Anti-Pattern All Incoming HTTP Data Are Strings Validation by Type Process Input Same as Output Anti-Pattern The Assumed Clean Anti-Pattern Improper mysql real escape string() Usage Filtering versus Escaping versus Encoding Only One Output Context Anti-Pattern Lack of Planning Anti-Patterns Lack of Consistency Anti-Patterns Lack of Testing Anti-Patterns Parameter Omission Anti-Pattern Design Practices Anti-Patterns No Clear Separation of HTML and PHP Code Anti-Pattern Too Many Database Function Calls Misleading Filtering Anti-Pattern Too Many Quotes Anti-Pattern Raw Request Variables as Application Variables Common Direct URL Input Anti-Pattern Poor Error Management Practices Poor Cryptography Practices Poor Cookie Expiration Poor Session Management Overcoming Anti-Patterns: Patterns, Testing, Automation PHP Essential Security A Consistent UTF-8 Character Set UTF-8 in the Database UTF-8 in the PHP Application UTF-8 in the Client Browser Clean Secure Data Input Validation: Account for Size and Type Escape Output: Account for Context Database Access Pattern Application Secrets Location Pattern Error Processing Pattern Error Logging Process Pattern Authentication Pattern Authorization Pattern White Listing Acceptable Input PHP Security Design Best Practices Summary Architect Application Character Set Architect HTTP Request Patterns Architect HTTP Cookie Usage Architect Input Validation Architect Output Escaping Architect Session Management Protect Secret Files/Protect Included Files Protect User Passwords Protecting User Session Data Protect against CSRF Attacks Protect against SQL Injection Attacks Protect against XSS Attacks Protect against File System Attacks Proper Error Handling OWASP Recommendations for PHP The Checklist Additional PHP Security Checklist Disable Dangerous PHP Functions PHP Security Tools Overview Object Language Support Abstract Classes, Interfaces, Facades, Templates, Strategy, Factories, and Visitors Variable Variables: Power DRY Native Function Support Encoding Functions DRY Enforcement Functions Type Enforcement Functions Filter Functions Mobile Functions Cryptography and Hashing Functions Modern Crypto Modern Hashing Modern Salting and Randomization HTML Templating Support How to Inline Heredoc Functions Best Practices Tips Use Integer Values as Much as Possible Use Type Enforcement Everywhere You Can Enforce String Sizes and Numeric Ranges Politely Cut Strings before Filtering Keep Strings as Small as Possible for Filters and for SQL Tables Issues to Avoid The Reason for PDO Prepared Statements Deprecated Security Functions Modern Crypto versus Old Crypto UTF-8 for PHP and MySQL Why UTF-8 UTF-8 Advantages UTF-8 Disadvantages How UTF-8 Affects Security Complete PHP UTF-8 Setup UTF-8 MySQL Database and Table Creation UTF-8 PDO Client Connection Manual UTF-8 PDO/MySQL Connection How To PHP UTF-8 Initialization and Installation UTF-8 Browser Setup Header Setup Meta-Tag Setup Form Setup PHP UTF-8 Multi-Byte Functions UTF-8 Input Validation Functions UTF-8 String Functions UTF-8 Output Functions UTF-8 Mail UTF-8 Configuration PHPUnit Testing Test PHP Internal Encoding Test PHP Output Encoding PHPUnit Test Class for Asserting UTF-8 Configuration Project Layout Template Every App Has Some Basic Similarities Project Layout Should Be Handled Consistently Select Query Wrapper Separation of HTML Static Resources The Completely Commented Files PHP PDO/UTF-8 Security Checklist Separation of Concerns What Is Separation of Concerns? Keep HTML as HTML Keep PHP Out of HTML Keep JavaScript Out of HTML Content Security Policy Keep CSS Out of JS Use of IDs and Class Summary PHP and PDO PDO UTF-8 Connection MySQL UTF-8 Database and Table Creation Support PDO Prepared Statements Prepared Statement Examples Selecting Data and Placing into HTML and URL Context PDO SELECT Queries and Class Objects Quoting Values and Database Type Conversion PDO Manual Quoting Example PDO and WHERE IN Statements White Listing and PDO Quoting of Column Names Summary Template Strategy Patterns Template Pattern Enforces Process Account Registration Template Account Registration Template-Activation Strategy Pattern for Output Escaping Escaping Strategy Class Improved Escaping Strategy Class The Input Cleaner Class Testing the Cleaner Class Examples of Cleaner::getKey() Validation Usage Modern PHP Encryption Using MCrypt for Two-Way Encryption Encrypting Hashed Passwords with Blowfish Professional Exception and Error Handling Configuring PHP Error Environment Secure php.ini and Error Log Files Error Options Overview Production Error Configuration for php.ini Development Error Configuration for php.ini PHP Error Level Constants Exception Handling Introduction to Exceptions Trapping All Errors and Exceptions Converting Errors to Exceptions ErrorManager Class Handle Fatal Errors with register shutdown function() Secure Session Management The SSL Landing Page Secure Session Overview Secure Session Management Checklist Session Checklist Details Setting Configuration and Setup Detecting Session Tampering Force Page Request over SSL SSL Redirect Protocol Relative Links Secure Session Storage PHP Default Session Storage Overview Session Storage Life Cycle Session Locking AJAX and Session Locking Session Management Configuration Configure Security before Session Start() Is Called Properly Destroy Session Encrypted Session Storage Encrypted Session Storage via MySQL Creating a Custom Session Handler in MySQL Encrypted Session Storage via File System Class SecureSessionFile Details Secure Forms and Account Registration Secure User Registration and Login Process Overview Unlimited Password Length, Unlimited Password Characters Secure Form Landing Pages Are over SSL Secure Form Nonce-Prevent CSRF Class NonceTracker Class NonceTracker Listing Class NonceTracker Detail Form Input Validation Overview Registration Form Registration Form Details Double Encryption of User Passwords Account Management Class AccountManager Details and Authorization Checks Email Verification and Activation System Future Proof Encryption Strength with Blowfish Rounds Secure Password Request Link Reauthorize on Privilege Elevation Session Management Class SessionManagement Details Secure Logout Details via SessionManager Privilege Elevation Protection System Secure Login Secure Login Form Secure Login Form Details Protect Pages via Authentication Check Secure Logout Page Secure Logout Page Details A Secure RememberMe Feature Closing Points Secure Client Server Form Validation PHP UTF-8 Input Validation Server UTF-8 Validation Validating UTF-8 Names and Emails via RegEx PREG for PHP = PREG for JavaScript Server Side Regular Expressions JavaScript Validation via Regular Expressions jQuery Validation via Regular Expressions jQuery Password Strength Meter JavaScript and jQuery Escaping and Filtering Replace innerHTML with innerText Embedded HTML HyperLinks-Problems with innerHTML Insecure JavaScript Functions Preventing Double Form Submission Post-Redirect-Get Pattern for Form Processing The PRG Pattern The PRG Directive Tracking Form Tokens to Prevent Double Submission Controlling Form Page Caching and Page Expiration Main Cache-Control Settings Microsoft Internet Explorer Extension Timestamping AJAX GET Requests Constructing Secure GET Request URLs Secure File Uploading Basic Principles of Secure File Uploading Authentication of File Uploads Create White List of Allowable Types File Extensions and Types Are Meaningless Create a System-Generated File Name Always Store Uploaded Files Outside Web Root Enforce File Size Limits Control File Permissions Limit Number of Uploaded Files Optional: Use CAPTCHA Optional: Use Virus Scan Secure File Uploading to Database SQL Table HTML Form Retrieving Uploaded Images Secure JSON Requests Building Secure JSON Responses Correct and Incorrect JSON Proper JSON Construction Depends on Array Construction Safe Array Construction with PDO Records Send and Receive JSON in PHP Send JSON from PHP Receive JSON in PHP Parsing JSON Securely with JavaScript/jQuery jQuery JSON Calls Post and Parse JSON Response Example Google Maps, YouTube, and jQuery Mobile Code Setup About the Code Placing Videos inside Google Map InfoWindows Creating InfoWindow Markers HTML and jQuery Mobile Layout Separation of Concerns HTML Fragments Description YouTube Elements Description Javascript File: gmap.js Map Functions InfoWindow Marker with Playable Video Map Marker Database Table VideoMap URL Table Data Repository Class: GMapData Processing Markers Generating Markers Inserting and Updating Markers Preparing Safe JSON Data Twitter Authentication and SSL cURL Twitter v1.1 via PHP Step 1: Create a Twitter Application Step 2: Exchange Twitter Credentials for Access Token Step 3: Request Tweets Using Access Token Step 4: Activate Tweet Links TweetFetcher Class Fetching v1.1 Tweets via TweetFetcher Getting Twitter oAuth Token Setting SSL Verification for cURL Retrieve Latest Tweets from Timeline Creating and Filtering Hyperlinks from Plain Text Filtering Bad Tweet Examples Examples of Secure Processing with processTweet() Using TweetFetcher Secure AJAX Shopping Cart JQuery Mobile Store Up and Running The Mobile Store Add Items to Cart Remove Items from Cart Making the PayPal Purchase Beginning the PayPal Transaction Securely Posting to PayPal Completing the PayPal Purchase Conclusion Common Facebook Canvas Vulnerability Points Saving Facebook RealTime Updates via PDO Reflecting JSON Coordinates Reflecting Messages Reflecting URLs JavaScript and JQuery Filters Method 1 Method 2 Method 3 JSONP Precaution Appendix

Product Details

  • ISBN13: 9781482209037
  • Format: Paperback
  • Number Of Pages: 472
  • ID: 9781482209037
  • weight: 839
  • ISBN10: 1482209039

Delivery Information

  • Saver Delivery: Yes
  • 1st Class Delivery: Yes
  • Courier Delivery: Yes
  • Store Delivery: Yes

Prices are for internet purchases only. Prices and availability in WHSmith Stores may vary significantly

Close