I would like to create my own tool to sort photos and videos from anywhere in the file system, sorting and changing names, and stuff like that (basically a sorting tool with custom sort parameters).
Since windows store apps are easy to distribute I think it could be a nice place to develop it.
while I have nothing against C# or VB that i guess it could be easily done with it, I would like to try the HTML/CSS/JS apps of the windows store.
I'm not looking for profit on this, since is aimed for my family.
And I don't really know what kind of access to the file system do these apps have.
I consider a store app because of the universal model, if necessary I could port it to the phones too, the other option I'm considering is just to use ironpython and make it full Desktop.
With UWP apps you don't have the full access to the system files. Of course you get one to the working folder of your app - LocalFolder. By using suitable Capabilities you can be granted an access to specified libraries like: Music, Photos, Videos and more, known as KnownFolders. Additionally you can widely access removable devices. To prevent access violation to work on files in KnownFolders you have to use a special broker, which will grant privileges to your app.
The full list of access permitions you will find at MSDN.
Related
How can I get information about an UWP application on Windows 10 from another application?
As a minimum, I am interested in application name and default tile. Then, I would like to be able to learn as much as possible, of course.
Some UWP apps can be linked to an EXE. That is, their main window is created by an EXE. This helps. At least, I know the location of "resource.pri", which presumably can be read.
But, there are apps which do not have EXE, and "hosted" by wwahost.exe instead. These are black boxes to me. Is there any way to know what is inside?
I would appreciate any hints.
Thanks
It's possible, but very different than what we do for desktop apps. I can share you the possible solution but there are some security issues, so I suggest you contact Microsoft to get a better way(maybe open some APIs for this kind of information) ensure your users have a safe system.
Here is what we need to do to get these information.
Enum WWAHost process.
You can enum "File type" items loaded into WWAHost, and find the one which is in this format: "C:\Program Files\WindowsApps\xxxx". When you view the app in Task Manager and view its properties, you will find it is a folder property windows. And you can also use Process Explorer to check the WWAHost process, and you will find the folder format I mentioned.
(Security Issue) To get the package name, version and more information, you have to access the folder I mentioned above. By reading the AppxManifest and dumping the resource.pri by using "makepri dump" and reading the generated resource.pri.xml, you will be able to get many information. But, we have to use special way to get access to the windowsapps folder and it will raise security risk to your users' OS(and maybe other issues). But if it is for your personal use, it's OK.
I am an WPF developer with little knowledge for the way "mobile" apps work but in general I believe that they work in some sort of sandbox way (meaning they should not be able to access each others process, info etc., I might be totally incorrect on this one). So I am wondering if such "limitations" are applied to the Universal Windows Platform (UWP) apps?
The reasoning for my question is that I would like to write and app that checks if another Universal App is in process and use some of its information. In WPF there are ways of doing just that but in UWP apps I am not sure if it is/should/will be possible.
Thanks.
There are a couple of solutions in Windows 10. Firstly, if you are building an enterprise app and can also side-load normal Desktop apps, you can use this technique to build your UI as a UWP but also be able to break out of the sandbox and do other things on the desktop.
Secondly, if the app you want to read from is cooperative (ie, is designed to provide information; you're not just grabbing it without permission) then you can use App to App services to send and receive information between two consenting applications.
Both links are to //build videos but you can download the slides too that should contain code samples.
My classic asp application would run on local system of users via internet browser. The code file resides in the root folder of the C: drive. But I want that the code cannot be seen by the users, and even if the file is opened then the code is not readable easily, like encrypted or encoded. I want to protect the code from being copied. Is it possible? If so, then how?
Other way is to Host application on one System and if other system is in connected in LAN they can use same site via hosted URL.
To deploy code in each system is not a good practice to secure.
I will agree with everybody else, suggesting a different design, but I will give you an answer that I think is applicable if you're dead set on what you're doing:
Write your server-side logic in Visual Basic 6 or .NET and expose as COM objects.
(A wilder idea would be to implement your own ISAPI filter, but I am not positive if the APIs allow you to intercept the loading of the source... thinking and googling around make me think that that's not possible, but not 100% sure)
I have done this with COM objects.
I'm a beginner in creating mobile apps with phonegap. I have some doubts on security aspects, when creating a mobile app with phonegap.
I want to create an app that accesses a Web service, e.g. a REST service created using Jersey. Now, am I correct in thinking that a hacker can easily see the security keys/authentication mechanism used, to authenticate the client (on a mobile app) with the server (where REST API is to be used)?
In general, can a hacker easily access all data being sent by the mobile app (which was created using phonegap)?
Can a hacker disassemble a phonegap app to obtain original code? Wont he get the native code (e.g. Objective C in case of ios)? Or can he decompile even that into original phonegap code (ie html+js)? How do I prevent my code from being decompiled? Is this scenario the same as for most other languages i.e. hackers with powerful PCs can hack into just about any program/software? Is there some way to prevent this from happening?
Allright, first take a deep breath. You are probably not going to like some of my answers but you'll be living with the same issues that we all are.
The best thing to do in this case is to use something like the KeyChain plugin to retrieve your security keys from the native side.
You can take PhoneGap out of the question because it applies to any situation where you send unencrypted data between a client and server. Anyone can easily listen in using a number of tools including Wireshark or Ethereal. If you need to communicate with a sever it should be done on an encrypted, HTTPS or SSL, connection.
First I think you are under the mistaken impression that PhoneGap compiles your HTML/JS code into Obj-C. It does not. If the user uncompresses your app they will be able to read your HTML/JS. Also, they'll be able to decompile your Obj-C code as well. This does not take a powerful PC or even an experienced hacker. Pretty much anyone can do it.
My advice to you is not to worry about it. Put your time into creating a truly great app. The people who will pay for it will pay for it. The folks who decompile it would never buy the app no matter what. The more time you take trying to combat the hackers takes away from the time you could use to make your app greater. Also, most anti-hacking measures just make life harder for your actual users so in fact they are counter productive.
TLDR -
Consider that you are coding a website and all code ( html and js ) will be visible to user with
Crtl+Shift+i as in browsers
Some points for ensuring maximum security
If your using backend then recheck everything coming from the app
All attacks possible on websites (XSS, redicting to malacious webistes , cloning webistes, etc are possible )
All the data sent to the app will finally be available in some js variables / resource files , Since all variables are accessible by hacker so is all the data sent to app EVEN IF YOU ARE USING THE MOST SECURE DATA TRANSMISSION MECHANISMS
As Simon correctly said in his ans , phonegap or cordova does not convert html / js to native code . Html / Js is available as-it-is
Cordova also explicitly mentions this in their official statement
Do not assume that your source code is secure
Since a Cordova application is built from HTML and JavaScript assets that get packaged in a native container, you should not consider your code to be secure. It is possible to reverse engineer a Cordova application.
5.Mainly all the techniques which are used by websites to prevent their code from being cloned / easily understood are applicable even here (Mainly it includes converting js code into hard to read format - obfuscating code)
6.Comparing native apps with cordova/phonegap apps native apps , I would say that cordova are easier for hacker only because of lack of awareness between cordova developers who do not take enough measures to secure it and lack of readily available(one click ) mechanisms to directly obfuscate the code vs in android proguard
Sample Cordova App Hacking (NOTE:Phonegap also works in similar way)
I'll show an example to show how easy is it for hacker to hack a cordova app(where developer has taken no efforts in obfuscating the code )
basically we start with unzipping the apk files (apks can be unzipped like zip files )
The contents inside will be similar to this
The source code for cordova apps is present in /assets/www/ folder
As you can see all the contents including any databases that you have packed with the app are visible(see last 2 rows have a db file )
Along with it any other resources are also directly visible (text files/js / html/ audio / video / etc)
All the views / controllers are visible and editable too
Further exploring the contents we find a PaymentController.js file
Opening it we can directly see the js code and other comments
here we note that after user performs payment if it is successful then successCallback is called else cancelCallback is called.
Hacker can simply replace the two functions so that when payment is not successful successCallback is called .
In absence of other checks the hacker has successfully bypassed payment.
Does anyone know of any article/publication on the security architecture of Metro app?
For example, can the metro app call an external service. If it can,
under what condition. Will it prompt the user first? And if so will
they be able to change their restriction later and how?
Cross domain scripting in a website is usually considered a big
no-no. But if I were to turn the same code into a metro app (since
presumably they're both written in Html 5 + js), does it mean I can
make ajax calls to any server irrespective of their domain? Is it
even possible to port a website into an app? If so how easy is that?
What about accessing local file system? Or does it have to go
through the contracts to do so?
And this is kind of related but if I were to write a website (not an
app). And the site was opened using Metro IE10, can it subscribe
into the metro specific js events? I guess I'm trying to figure out
how to save cost by doing as little development as possible. I
prefer a website that can target multiple platforms and only target
specific platform for the features that absolutely require it - also
not to thrilled with the idea of having to go through microsoft in
order to publish my app.
Any help appreciated.
Metro applications can call into web services located on other machines, but their ability to interact with the local machine is severely limited.
Similarly, accessing arbitrary parts of the local filesystem is not permitted. If your application has the documents (or music or photos) library permission, it can access the files in those libraries.