I am developing an application using Flutter. Actually, I want to read the IP address of the device, but I have doubts about Google and App Store policy on reading the IP address.
Please guide me: should I read the IP address or not?
Why not just read the IP address of the device on the server instead? Then you won't fall foul of any privacy protection.
If you get permissions like:
<!-- AndroidManifest.xml permissions -->
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
And the equivalent on iOS, you should not have legal problems with Apple or Google; it is assumed that you may use that information.
If the user allows your application to use the internet and to access the network state, you should not have any problem with Google and App Store policy, since the user gives you the authorisation to use that information.
You can find more about how to find the IP address in this topic: How to get IP address of the device from code?
Related
Does Firebase log the IP address that the user last signed in from?
The reason that I need it is that I want to try to broadly segment my users by location, and IP address will usually help with this.
But I'm not sure if the data exists in Firebase or is query-able.
Nope. Firebase Authentication does not make the IP address of the user available. See Firebase JavaScript SDK - Retrieve Users IP Address
But what you describe sounds like a use-case better suited to Firebase Analytics/Google Analytics for Firebase, which does expose the user's location (based on a lookup from their IP address).
I'm new to user authentication and related digital security issues, so I would like to know if the way I'm doing things is ok. Currently the way my server "remembers" users is based solely on the IP address they have logged in from. If they check the remember me option, I store that IP in the database and from then on, every time that machine enters the website, I check if that IP is associated with one of my users. If so, I log them in.
What is good or bad about that approach?
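An added example (not part of the original question) that puts the IP-only "remember me" described above next to a per-browser random token stored in a cookie. The function names, in-memory stores and addresses are constructed for illustration.

```python
import hashlib
import secrets

# --- Approach described in the question: remember the login IP only ---
remembered_ips = {}            # ip -> username

def remember_by_ip(ip, username):
    remembered_ips[ip] = username

def auto_login_by_ip(ip):
    # Whoever arrives from a remembered IP is logged in as that user.
    return remembered_ips.get(ip)

# --- Alternative: random per-browser token delivered as a cookie ---
remembered_tokens = {}         # sha256(token) -> username

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def remember_by_token(username):
    token = secrets.token_urlsafe(32)               # value placed in the cookie
    remembered_tokens[_digest(token)] = username    # server keeps only the hash
    return token

def auto_login_by_token(token):
    if not token:
        return None
    return remembered_tokens.get(_digest(token))

def forget_token(token):
    remembered_tokens.pop(_digest(token), None)     # logout or revocation

def demo():
    shared_ip = "203.0.113.7"    # constructed: one public IP shared behind NAT
    remember_by_ip(shared_ip, "alice")
    cookie = remember_by_token("alice")
    return {
        # a different person on the same network is treated as alice
        "other_person_same_ip": auto_login_by_ip(shared_ip),
        # alice herself is forgotten once her address changes
        "alice_after_ip_change": auto_login_by_ip("198.51.100.20"),
        # the token follows the browser, not the network
        "browser_with_cookie": auto_login_by_token(cookie),
        "browser_without_cookie": auto_login_by_token(None),
    }

if __name__ == "__main__":
    print(demo())
```
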
I used the googledocviewer to view some Word and Excel sheets on my site:
<iframe src="https://docs.google.com/viewer?url=http://domain.de/media/dokumente/worddocument.doc&embedded=true" style="width:600px; height:500px;" frameborder="0"></iframe>
The documents are on MY server.
It works fine, but now my question:
Generally, on the live site, all IPs are blacklisted on my server, because only 5 special IPs have access to the site.
So, the iframe tries to load the googledocviewer, but Google is blacklisted (on my server, because it's not one of the 5 IPs).
So, the screen shows:
no document available.
If I add the googledocviewer IP to my whitelist, will Google index all my documents and save them on some Google server?
The documents are private! No other IPs or users are allowed to see these docs.
My suspicion:
Because I use the googledocs viewer and add the googledocsviewer IP to a whitelist, other users can now access these private documents...
Sorry for my bad English... I'll work on it.
Best regards,
Thorsten
As mentioned in Whitelist domains for Google Apps, you can still set which files can be shared and you also can choose more permissive settings to be sure that you don't share confidential files.
You can allow file sharing in Google Drive for organizations that you trust by whitelisting their domain. After you whitelist a domain, you then grant Drive access so that users in your organization can share files and folders with users in the trusted domain.
Furthermore, it was also mentioned in grant sharing access for whitelisted domains:
For Google Apps Unlimited, Google Apps for Education, and Google Apps for Nonprofits, you grant file sharing access by changing Drive sharing settings. For details, see Set file sharing permissions.
For Google Apps for Education, you grant access to classes by changing Classroom settings. For details, see Whitelist domains for Classroom.
I've just started using MVC5 and I want to make my website available just for a specific IP address, so I check the client IP address using the following:
Request.UserHostAddress;
I have two users who access my website, and each one has to access it from a specific IP address, so I need your help to know how to do this. Note that I use the default user authentication from MVC.
Every single support word is appreciated.
I realize that MAC addresses or machine IDs aren't transferred over the internet; however, I would like to lock down our subscription-based website security so that only specific computers can register and have access to its resources.
Large organizations will subscribe to our service and will undoubtedly have more than one IP for their organization. As well, we'd like to give their qualified employees the ability to access the website on devices outside of their physical organization (for road-trip presentations, etc.).
Is there a sure-fire way to achieve this end (beyond the username/password assigned to each account)? If not, what would be the most effective approach?
Instead of restricting access via IP, you want to use something that's actually secure.
Username and password over an HTTPS connection should at least be unsniffable, but you might want to look into client SSL certificates. They can be configured in Apache or other web server software. If username/password authentication is not enough, this is the next (and perhaps final) step up.
UPDATE:
That said, what many application providers will do is provide a method for subscribers to implement an ACL for their accounts. You can even force people to consider their ACL before allowing them to access your services. Think of it this way:
1. An account is set up in your system allowing login from anywhere. Upon creation, the ACL is UNSET.
2. User logs in and is immediately directed to an ACL setup page, where they must provide either an IP address or range or subnet associated with their account. You can be clever and pre-populate things with their existing IP address or subnet, perhaps even looking things up at ARIN to see if their IP is in a network assigned to the company name on their account.
3. Once the ACL is set (or they have, despite your warnings, confirmed that they want to keep their ACL open), they can access your services.
4. If they try to log in from elsewhere, they (and you) are notified via email (or SMS or whatever) of an attempted breach.
5. If they no longer have access to their ACL-listed IPs (i.e. IP renumbering due to a new upstream Internet provider and bad planning), they can call your phone support, who will validate them by other means. FAX confirmation perhaps, because that's SO secure...
A user-managed ACL is not a "sure-fire" way, but it may be sufficiently effective for your needs, and it will certainly instill a sense in your customers that you have their best interests at heart.
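The user-managed ACL flow from the answer above, as an added example that is not the answerer's code. The `Account` class, the function names, the /24 and /64 widths used for the pre-populated suggestion, and the in-memory `alerts` list standing in for the e-mail/SMS notification are all assumptions.

```python
import ipaddress

class Account:
    def __init__(self, name):
        self.name = name
        self.acl = None          # None = UNSET, the state at account creation
        self.acl_open = False    # True = user confirmed "allow from anywhere"
        self.alerts = []         # stand-in for the e-mail/SMS notification

def suggest_acl(client_ip):
    """Subnet around the current IP, for pre-populating the setup page.
    The /24 and /64 widths are an assumption; the answer names no size."""
    ip = ipaddress.ip_address(client_ip)
    prefix = 24 if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def set_acl(account, entries):
    """Accept single addresses, CIDR subnets, or 'first-last' ranges."""
    nets = []
    for entry in entries:
        if "-" in entry:
            first, last = (ipaddress.ip_address(p.strip())
                           for p in entry.split("-"))
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
    account.acl = nets

def check_login(account, client_ip):
    """Run only after username/password succeeded; returns the next step."""
    if account.acl_open:
        return "allow"
    if account.acl is None:
        return "acl_setup"       # user must set the ACL or confirm it stays open
    ip = ipaddress.ip_address(client_ip)
    if any(ip.version == net.version and ip in net for net in account.acl):
        return "allow"
    # Login from outside the listed networks: notify and refuse.
    account.alerts.append(f"login attempt for {account.name} from {client_ip}")
    return "deny"
```
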
There is no sure-fire way. That's in the nature of networks. You accept data from a remote machine and you have to trust it at least to some extent.
Take the simple username/password approach. If the username and the passwords match, you have to trust that they were entered by the person that the username and password was intended for. This does not fundamentally change if you require more data to be sent by the client.