
Secure Development for Mobile Apps: How to Design and Code Secure Mobile Applications with PHP and JavaScript [Paperback]

  • Format: Paperback / softback, 472 pages, height x width: 254x178 mm, weight: 839 g, 10 tables, black and white; 6 illustrations, black and white
  • Publication date: 13-Oct-2014
  • Publisher: Apple Academic Press Inc.
  • ISBN-10: 1482209039
  • ISBN-13: 9781482209037
From the preface: "Amazingly, I grew up in the country and we never locked the doors to our house, or our cars. In school, no one broke into someone else's car or locker. If you put something down, you could pretty much rely on it being there when you got back. Family entered without knocking, and non-family never tried. This is no longer the case. Now, even though my house and car are locked, the virtual windows to my life, as well as a basement door I didn't even know existed, are open and under attack thanks to the internet. Now the situation is reversed. Family needs to knock several times before using the secret handshake thingy, and strangers enter anonymously and unannounced into my whatever. Security is something I wish I could do without. The business of building cool things as fast as possible without regard to consequence of theft is far more interesting. Out of necessity, security became a priority. What follows is some of what I've learned along the way. If any of these bits and bytes end up helping to protect you, then I win. I hope you enjoy the book."

Glaser explains how to design secure mobile applications using PHP 5.4 and MySQL 5.5 on a Linux web server. A valid SSL certificate active on the web server is required for many of the code samples to function properly, he says. His topics include PHP security anti-patterns, template strategy patterns, professional exception and error handling, secure session management, secure client server form validation, secure file uploading, Twitter authentication and SSL cURL, and common Facebook canvas vulnerability points. Annotation ©2015 Ringgold, Inc., Portland, OR (protoview.com)

The world is becoming increasingly mobile. Smartphones and tablets have become more powerful and popular, with many of these devices now containing confidential business, financial, and personal information. This has led to a greater focus on mobile software security. Establishing mobile software security should be of primary concern to every mobile application developer. This book explains how you can create mobile social applications that incorporate security throughout the development process.

Although there are many books that address security issues, most do not explain how to incorporate security into the building process. Secure Development for Mobile Apps does exactly that. Its step-by-step guidance shows you how to integrate security measures into social apps running on mobile platforms. You’ll learn how to design and code apps with security as part of the process and not an afterthought. The author outlines best practices to help you build better, more secure software.

This book provides a comprehensive guide to techniques for secure development practices. It covers PHP security practices and tools, project layout templates, PHP and PDO, PHP encryption, and guidelines for secure session management, form validation, and file uploading. The book also demonstrates how to develop secure mobile apps using the APIs for Google Maps, YouTube, jQuery Mobile, Twitter, and Facebook. While this is not a beginner’s guide to programming, you should have no problem following along if you’ve spent some time developing with PHP and MySQL.

Table of contents (book page numbers; the number in parentheses after a page is the entry's length in pages):

Foreword  xv
Introduction  xvii
Industry Analysis  xix
Preface  xxiii
Acknowledgments  xxv
Biography  xxvii

PART I

Chapter 1 Introduction to Mobile Security Development  3(12)
  Understanding Secure Web Development  3(1)
  What This Book Is  3(1)
  What This Book Is Not  4(1)
  Prerequisite Technologies  5(1)
  Applying Architecture Tools to Security  5(1)
  Creating Consistent Reusable Code from Project to Project  5(1)
  Mobile Application Using HTML5, AJAX, and jQuery Mobile  5(1)
  Mobile App---A Social Mashup  6(1)
  Client Technologies  6(1)
  Client Application Layout  6(1)
  Server Application  6(1)
  Evolution of Security Measures  7(1)
  SQL Injection to XSS to CSRF  7(1)
  Battle for Output Context  8(1)
  New Technologies HTML5  8(1)
  Bad Practices Invite Holes  8(1)
  Security as Add-on  8(1)
  Lack of Information  9(1)
  Lack of Consistency  9(1)
  A New Mindset for Web Application Security  10(5)

Chapter 2 Web Application Attack Surface  15(22)
  Attack Vectors  15(1)
  Common Threats  16(1)
  SQL Injection  16(1)
  Cross-Site Scripting  17(1)
  Cross-Site Request Forgery  18(1)
  Session Hijacking  18(1)
  Defending Input and Output Streams: First Glance  19(1)
  Get Requests  19(1)
  Post Requests  20(1)
  Cookie Data  21(1)
  Session Fixation  21(1)
  Cross-Site Request Forgery  21(4)
  Theory of Input Filtering and Output Escaping  25(1)
  Input Validation  26(1)
  Input Filtering  26(2)
  Output Escaping  28(1)
  You Must Know Where Your Data Is Displayed  28(9)

Chapter 3 PHP Security Anti-Patterns  37(28)
  Anti-Pattern #1  37(1)
  Not Matching Data Character Set to Filter Character Set  37(1)
  Not Designing with Content Security Policy Anti-Pattern  38(1)
  One Size Fits All Anti-Pattern  38(1)
  Misinformation Anti-Patterns  38(1)
  The Mantra Anti-Pattern  39(1)
  Critical Data Type Understanding and Analysis  40(1)
  Single Data Type Anti-Pattern  40(5)
  All Incoming HTTP Data Are Strings  45(2)
  Validation by Type Process  47(2)
  Input Same as Output Anti-Pattern  49(1)
  The Assumed Clean Anti-Pattern  50(1)
  Improper mysql_real_escape_string() Usage  50(1)
  Filtering versus Escaping versus Encoding  51(1)
  Only One Output Context Anti-Pattern  52(1)
  Lack of Planning Anti-Patterns  52(1)
  Lack of Consistency Anti-Patterns  52(1)
  Lack of Testing Anti-Patterns  53(1)
  Parameter Omission Anti-Pattern  53(3)
  Design Practices Anti-Patterns  56(1)
  No Clear Separation of HTML and PHP Code Anti-Pattern  56(1)
  Too Many Database Function Calls  57(1)
  Misleading Filtering Anti-Pattern  58(1)
  Too Many Quotes Anti-Pattern  58(1)
  Raw Request Variables as Application Variables  59(1)
  Common Direct URL Input Anti-Pattern  59(1)
  Poor Error Management Practices  60(1)
  Poor Cryptography Practices  61(1)
  Poor Cookie Expiration  62(1)
  Poor Session Management  62(1)
  Overcoming Anti-Patterns: Patterns, Testing, Automation  63(2)

Chapter 4 PHP Essential Security  65(12)
  A Consistent UTF-8 Character Set  65(1)
  UTF-8 in the Database  66(1)
  UTF-8 in the PHP Application  66(1)
  UTF-8 in the Client Browser  67(1)
  Clean Secure Data  67(1)
  Input Validation: Account for Size and Type  67(1)
  Escape Output: Account for Context  67(1)
  Database Access Pattern  68(1)
  Application Secrets Location Pattern  68(1)
  Error Processing Pattern  68(1)
  Error Logging Process Pattern  69(1)
  Authentication Pattern  69(1)
  Authorization Pattern  69(1)
  White Listing Acceptable Input  69(1)
  PHP Security Design Best Practices Summary  70(1)
  Architect Application Character Set  70(1)
  Architect HTTP Request Patterns  70(1)
  Architect HTTP Cookie Usage  71(1)
  Architect Input Validation  71(1)
  Architect Output Escaping  71(1)
  Architect Session Management  72(1)
  Protect Secret Files/Protect Included Files  72(1)
  Protect User Passwords  72(1)
  Protecting User Session Data  72(1)
  Protect against CSRF Attacks  73(1)
  Protect against SQL Injection Attacks  73(1)
  Protect against XSS Attacks  73(1)
  Protect against File System Attacks  73(1)
  Proper Error Handling  74(1)
  OWASP Recommendations for PHP  74(1)
  The Checklist  74(1)
  Additional PHP Security Checklist  75(1)
  Disable Dangerous PHP Functions  75(2)

Chapter 5 PHP Security Tools Overview  77(24)
  Object Language Support  77(1)
  Abstract Classes, Interfaces, Facades, Templates, Strategy, Factories, and Visitors  77(3)
  Variable Variables: Power DRY  80(1)
  Native Function Support  81(1)
  Encoding Functions  81(2)
  DRY Enforcement Functions  83(1)
  Type Enforcement Functions  84(1)
  Filter Functions  85(3)
  Mobile Functions  88(1)
  Cryptography and Hashing Functions  89(1)
  Modern Crypto  89(2)
  Modern Hashing  91(1)
  Modern Salting and Randomization  91(1)
  HTML Templating Support  92(1)
  How to Inline Heredoc Functions  92(2)
  Best Practices Tips  94(1)
  Use Integer Values as Much as Possible  94(1)
  Use Type Enforcement Everywhere You Can  95(1)
  Enforce String Sizes and Numeric Ranges Politely  95(1)
  Cut Strings before Filtering  95(1)
  Keep Strings as Small as Possible for Filters and for SQL Tables  96(1)
  Issues to Avoid  96(2)
  The Reason for PDO Prepared Statements  98(1)
  Deprecated Security Functions  99(1)
  Modern Crypto versus Old Crypto  100(1)

Chapter 6 UTF-8 for PHP and MySQL  101(14)
  Why UTF-8  101(1)
  UTF-8 Advantages  101(1)
  UTF-8 Disadvantages  101(1)
  How UTF-8 Affects Security  102(1)
  Complete PHP UTF-8 Setup  102(1)
  UTF-8 MySQL Database and Table Creation  102(2)
  UTF-8 PDO Client Connection  104(1)
  Manual UTF-8 PDO/MySQL Connection How To  104(1)
  PHP UTF-8 Initialization and Installation  105(1)
  UTF-8 Browser Setup  105(1)
  Header Setup  106(1)
  Meta-Tag Setup  106(1)
  Form Setup  106(1)
  PHP UTF-8 Multi-Byte Functions  107(1)
  UTF-8 Input Validation Functions  107(1)
  UTF-8 String Functions  108(1)
  UTF-8 Output Functions  109(1)
  UTF-8 Mail  110(1)
  UTF-8 Configuration PHPUnit Testing  111(1)
  Test PHP Internal Encoding  111(1)
  Test PHP Output Encoding  111(1)
  PHPUnit Test Class for Asserting UTF-8 Configuration  112(3)

Chapter 7 Project Layout Template  115(6)
  Every App Has Some Basic Similarities  115(1)
  Project Layout Should Be Handled Consistently  115(3)
  Select Query Wrapper  118(1)
  Separation of HTML Static Resources  119(1)
  The Completely Commented Files  120(1)
  PHP PDO/UTF-8 Security Checklist  120(1)

Chapter 8 Separation of Concerns  121(8)
  What Is Separation of Concerns?  121(1)
  Keep HTML as HTML  122(1)
  Keep PHP Out of HTML  122(2)
  Keep JavaScript Out of HTML  124(2)
  Content Security Policy  126(1)
  Keep CSS Out of JS  126(1)
  Use of IDs and Classes in HTML  127(1)
  Summary  128(1)

Chapter 9 PHP and PDO  129(14)
  PDO UTF-8 Connection  131(1)
  MySQL UTF-8 Database and Table Creation Support  132(1)
  PDO Prepared Statements  133(1)
  Prepared Statement Examples  133(2)
  Selecting Data and Placing into HTML and URL Context  135(2)
  PDO SELECT Queries and Class Objects  137(1)
  Quoting Values and Database Type Conversion  137(1)
  PDO Manual Quoting Example  138(1)
  PDO and WHERE IN Statements  139(1)
  White Listing and PDO Quoting of Column Names  140(1)
  Summary  141(2)

Chapter 10 Template Strategy Patterns  143(16)
  Template Pattern Enforces Process  143(1)
  Account Registration Template  143(2)
  Account Registration Template---Activation  145(2)
  Strategy Pattern for Output Escaping  147(1)
  Escaping Strategy Class  147(2)
  Improved Escaping Strategy Class  149(3)
  The Input Cleaner Class  152(4)
  Testing the Cleaner Class  156(2)
  Examples of Cleaner::getKey() Validation Usage  158(1)

Chapter 11 Modern PHP Encryption  159(6)
  Using MCrypt for Two-Way Encryption  159(3)
  Encrypting Hashed Passwords with Blowfish  162(3)

Chapter 12 Professional Exception and Error Handling  165(16)
  Configuring PHP Error Environment  166(1)
  Secure php.ini and Error Log Files  166(1)
  Error Options Overview  167(1)
  Production Error Configuration for php.ini  168(1)
  Development Error Configuration for php.ini  168(1)
  PHP Error Level Constants  168(1)
  Exception Handling  169(1)
  Introduction to Exceptions  169(5)
  Trapping All Errors and Exceptions  174(1)
  Converting Errors to Exceptions  174(2)
  ErrorManager Class  176(1)
  Handle Fatal Errors with register_shutdown_function()  177(4)

PART II

Chapter 13 Secure Session Management  181(14)
  The SSL Landing Page  181(1)
  Secure Session Overview  182(1)
  Secure Session Management Checklist  182(1)
  Session Checklist Details  183(6)
  Setting Configuration and Setup  189(2)
  Detecting Session Tampering  191(1)
  Force Page Request over SSL  192(1)
  SSL Redirect  192(1)
  Protocol Relative Links  193(2)

Chapter 14 Secure Session Storage  195(44)
  PHP Default Session Storage Overview  196(1)
  Session Storage Life Cycle  196(1)
  Session Locking  197(1)
  AJAX and Session Locking  197(1)
  Session Management Configuration  197(1)
  Configure Security before Session_Start() Is Called  198(3)
  Properly Destroy Session  201(1)
  Encrypted Session Storage  202(1)
  Encrypted Session Storage via MySQL  202(1)
  Creating a Custom Session Handler in MySQL  202(22)
  Encrypted Session Storage via File System  224(5)
  Class SecureSessionFile Details  229(10)

Chapter 15 Secure Forms and Account Registration  239(54)
  Secure User Registration and Login Process Overview  239(1)
  Unlimited Password Length, Unlimited Password Characters  240(1)
  Secure Form Landing Pages Are over SSL  241(1)
  Secure Form Nonce---Prevent CSRF  241(1)
  Class NonceTracker  242(1)
  Class NonceTracker Listing  242(2)
  Class NonceTracker Detail  244(3)
  Form Input Validation Overview  247(1)
  Registration Form  248(4)
  Registration Form Details  252(2)
  Double Encryption of User Passwords  254(3)
  Account Management Class  257(4)
  AccountManager Details and Authorization Checks  261(1)
  Email Verification and Activation System  262(7)
  Future Proof Encryption Strength with Blowfish Rounds  269(2)
  Secure Password Request Link  271(1)
  Reauthorize on Privilege Elevation  272(1)
  Session Management Class  273(3)
  SessionManagement Details  276(2)
  Secure Logout Details via SessionManager  278(1)
  Privilege Elevation Protection System  279(2)
  Secure Login  281(1)
  Secure Login Form  281(2)
  Secure Login Form Details  283(2)
  Protect Pages via Authentication Check  285(1)
  Secure Logout Page  286(1)
  Secure Logout Page Details  287(1)
  A Secure RememberMe Feature  287(4)
  Closing Points  291(2)

Chapter 16 Secure Client Server Form Validation  293(30)
  PHP UTF-8 Input Validation  293(1)
  Server UTF-8 Validation  293(1)
  Validating UTF-8 Names and Emails via RegEx  294(3)
  PREG for PHP = PREG for JavaScript  297(1)
  Server Side Regular Expressions  297(5)
  JavaScript Validation via Regular Expressions  302(1)
  jQuery Validation via Regular Expressions  303(3)
  jQuery Password Strength Meter  306(2)
  JavaScript and jQuery Escaping and Filtering  308(1)
  Replace innerHTML with innerText  309(1)
  Embedded HTML HyperLinks---Problems with innerHTML  310(2)
  Insecure JavaScript Functions  312(1)
  Preventing Double Form Submission  313(1)
  Post-Redirect-Get Pattern for Form Processing  313(1)
  The PRG Pattern  314(1)
  The PRG Directive  315(2)
  Tracking Form Tokens to Prevent Double Submission  317(2)
  Controlling Form Page Caching and Page Expiration  319(1)
  Main Cache-Control Settings  320(1)
  Microsoft Internet Explorer Extension  321(1)
  Timestamping AJAX GET Requests  321(1)
  Constructing Secure GET Request URLs  321(2)

Chapter 17 Secure File Uploading  323(10)
  Basic Principles of Secure File Uploading  323(1)
  Authentication of File Uploads  324(1)
  Create White List of Allowable Types  324(1)
  File Extensions and Types Are Meaningless  324(1)
  Create a System-Generated File Name  324(1)
  Always Store Uploaded Files Outside Web Root  324(1)
  Enforce File Size Limits  324(1)
  Control File Permissions  325(1)
  Limit Number of Uploaded Files  325(1)
  Optional: Use CAPTCHA  325(1)
  Optional: Use Virus Scan  325(1)
  Secure File Uploading to Database  325(1)
  SQL Table  326(1)
  HTML Form  326(4)
  Retrieving Uploaded Images  330(3)

Chapter 18 Secure JSON Requests  333(14)
  Building Secure JSON Responses  333(1)
  Correct and Incorrect JSON  333(1)
  Proper JSON Construction Depends on Array Construction  334(2)
  Safe Array Construction with PDO Records  336(1)
  Send and Receive JSON in PHP  337(1)
  Send JSON from PHP  337(3)
  Receive JSON in PHP  340(1)
  Parsing JSON Securely with JavaScript/jQuery  341(1)
  jQuery JSON Calls  342(1)
  Post and Parse JSON Response Example  342(5)

PART III

Chapter 19 Google Maps, YouTube, and jQuery Mobile  347(30)
  Code Setup  347(1)
  About the Code  348(1)
  Placing Videos inside Google Map InfoWindows  348(1)
  Creating InfoWindow Markers  349(1)
  HTML and jQuery Mobile Layout  349(2)
  Separation of Concerns  351(1)
  HTML Fragments Description  352(1)
  YouTube Elements Description  353(1)
  JavaScript File: gmap.js  354(1)
  Map Functions  354(5)
  InfoWindow Marker with Playable Video  359(4)
  Map Marker Database Table  363(1)
  VideoMap URL Table  364(1)
  Data Repository Class: GMapData  364(2)
  Processing Markers  366(1)
  Generating Markers  366(2)
  Inserting and Updating Markers  368(5)
  Preparing Safe JSON Data  373(4)

Chapter 20 Twitter Authentication and SSL cURL  377(16)
  Twitter v1.1 via PHP  377(1)
  Step 1 Create a Twitter Application  377(1)
  Step 2 Exchange Twitter Credentials for Access Token  378(1)
  Step 3 Request Tweets Using Access Token  378(1)
  Step 4 Activate Tweet Links  378(1)
  TweetFetcher Class  378(4)
  Fetching v1.1 Tweets via TweetFetcher  382(1)
  Getting Twitter oAuth Token  382(1)
  Setting SSL Verification for cURL  383(2)
  Retrieve Latest Tweets from Timeline  385(1)
  Creating and Filtering Hyperlinks from Plain Text  385(2)
  Filtering Bad Tweet Examples  387(1)
  Examples of Secure Processing with processTweet()  387(1)
  Using TweetFetcher  388(5)

Chapter 21 Secure AJAX Shopping Cart  393(26)
  jQuery Mobile Store  393(1)
  Up and Running  394(1)
  The Mobile Store  395(2)
  Add Items to Cart  397(8)
  Remove Items from Cart  405(2)
  Making the PayPal Purchase  407(1)
  Beginning the PayPal Transaction  407(4)
  Securely Posting to PayPal  411(2)
  Completing the PayPal Purchase  413(4)
  Conclusion  417(2)

Chapter 22 Common Facebook Canvas Vulnerability Points  419(6)
  Saving Facebook RealTime Updates via PDO  419(1)
  Reflecting JSON Coordinates  420(1)
  Reflecting Messages  421(1)
  Reflecting URLs  421(1)
  JavaScript and jQuery Filters  421(1)
  Method 1  421(1)
  Method 2  421(1)
  Method 3  422(1)
  JSONP Precaution  422(3)

Appendix  425(4)
Index  429
About the author: J.D. Glaser is a software developer who loves building things. Circumstance led to a career in developing Windows security software and speaking all over the world on Windows forensic matters. He has trained government agencies in forensic issues, and the U.S. Department of Justice has used his tools to capture and convict cybercriminals. He now specializes in building large social games in PHP and keeping players secure in cyberspace.