Root/Web Folder Security Concern

I created privacypolicy.html in Root/web folder. The public URL exposes my App ID and REST Api Key in clear text. Isn’t this a security risk?

Hello @Nkekere_Tommy_Minimann

The app id and API key(s) are not meant to be secure. They are used by the backend to identify your app and the type of client which makes the request. What makes your backend secure is the security policy you put in place on the server side. That includes how you establish permissions for different roles/operations, whether you disable access to the non-authenticated users, etc.

Regards,
Inna

Thank you very much, this clarifies it and saves me the headache of worrying over 2 other possibilities:

  1. I was concerned about those keys being displayed in clear text in this public forum

  2. I was concerned that those keys are needed for backendless SDK initialization. Proguard doesn’t obfuscate them and so they appear as clear text when my apk is decompiled

So does disabling access to non-authenticated users prevent any unauthorized monkeying around with my keys?

Hi @Nkekere_Tommy_Minimann,

So does disabling access to non-authenticated users prevent any unauthorized monkeying around with my keys?

Yes, no one will be able to access the API until they are authorized.

Here are some articles on this topic that can help you better understand how security works in Backendless.

Regards,
Stanislaw

What are AndroidUser, GuestUser, ServerCodeUser and SocialUser?
How do I set security roles for file upload and file delete operations?

What are AndroidUser, GuestUser, ServerCodeUser and SocialUser?

The AndroidUser role is assigned automatically by Backendless when the incoming API request uses the Android API Key. The same applies to other system roles.

How do I set security roles for file upload and file delete operations?

Here is a great article that describes this:

NotAuthenticatedUser can't access my tables. This happened after I disabled access for some security roles, but I re-enabled all and it's still the same.

Hi @Nkekere_Tommy_Minimann !

Could you please provide a screenshot of the security policy configuration for one of the tables where NotAuthenticatedUser has no access?

It would also be great if you could provide a cURL sample of your request to that table.

Regards, Andriy

Hello, @Nkekere_Tommy_Minimann.

You said that NotAuthenticatedUser cannot access your tables. I connected to your application and tried a basic GET request on your table. I cannot reproduce your problem; all data was received.
Can you describe step by step how I can reproduce your issue?

Best Regards, Nikita.

Since I started tinkering with role permissions my code has been exhibiting unexpected behaviour, although I have reset all permissions to their defaults, which is grant all access.
Bundle intentData = getIntent().getExtras();
assert intentData != null;
String username = intentData.getString("username");
Log.d(getClass().getName(), "username in posterProfile:" + username);

String whereClause = "username ='" + username + "'";
DataQueryBuilder queryBuilder = DataQueryBuilder.create();
queryBuilder.setWhereClause(whereClause);
Backendless.Data.of("Users").find(queryBuilder, new AsyncCallback<List<Map>>() {

    @Override
    public void handleResponse(List<Map> response) {
        try {
            // response.get(0) throws IndexOutOfBoundsException when the query returns no rows
            String username = Objects.requireNonNull(response.get(0).get("username").toString());
            String address = Objects.requireNonNull(response.get(0).get("address").toString());

            textViewUsername.setText(username);
            textViewAddress.setText(address);
        } catch (Exception e) {
            e.printStackTrace();
            Log.e(getClass().getName(), "Stack Trace:" + e.toString());
            Log.e(getClass().getName(), "Stack Trace:" + e.getLocalizedMessage());
            Log.e(getClass().getName(), "Stack Trace:" + e.getMessage());
        }
    }

    // Required by the AsyncCallback interface (import com.backendless.exceptions.BackendlessFault);
    // errors returned by the server arrive here rather than in handleResponse
    @Override
    public void handleFault(BackendlessFault fault) {
        Log.e(getClass().getName(), "Fault: " + fault.getCode() + " " + fault.getMessage());
    }
});

The above code worked well before, but now if I am logged in as 'tester' and username = 'tester' it works,
but if I am logged in as moderator and username = 'tester' I get an exception. The same thing happens if I am logged in as moderator and username = 'tester'.
Basically I can't access the record of any user other than the one I am logged in with.
I think this has something to do with my earlier complaint; that's why I didn't create a separate topic for it.
Exception message:
E/ng.antigram.Activities.PosterProfileActivity$1: Stack Trace:java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
2021-10-26 04:04:25.218 15848-15848/ng.antigram E/ng.antigram.Activities.PosterProfileActivity$1: Stack Trace:Index: 0, Size: 0
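The lookup from the post above, rewritten as an added example (it is not code from this thread or from Backendless) so that the three outcomes Inna's and Stanislaw's replies imply are kept apart: the request is rejected for the current role (a fault), the role may query the table but no row is visible to it (an empty list), or the row is returned. The Backendless Android SDK calls used (initApp, UserService.login, Data.of().find, DataQueryBuilder, AsyncCallback, BackendlessFault) are the SDK's public API; the UserLookup class, the LookupListener interface, the username allowlist pattern and the placeholder app id and API key are assumptions made for this example.

```java
import android.content.Context;
import android.util.Log;

import com.backendless.Backendless;
import com.backendless.BackendlessUser;
import com.backendless.async.callback.AsyncCallback;
import com.backendless.exceptions.BackendlessFault;
import com.backendless.persistence.DataQueryBuilder;

import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/** Added example, not part of the thread: a Users lookup that reports each outcome separately. */
public final class UserLookup {
    private static final String TAG = "UserLookup";

    // Placeholders, not real values. The app id and API key identify the app and the
    // client type; they ship inside the APK and are not secrets. What protects the
    // data is the role/permission policy configured on the server side.
    private static final String APP_ID = "<your-application-id>";
    private static final String ANDROID_API_KEY = "<your-android-api-key>";

    // Assumed allowlist for usernames that may be placed in a where clause; anything
    // else is refused rather than concatenated into the query string.
    private static final Pattern SAFE_USERNAME = Pattern.compile("[A-Za-z0-9_.-]{1,64}");

    /** Hypothetical listener so the caller can react to each outcome. */
    public interface LookupListener {
        void onFound(String username, String address);
        void onNotVisible(String username);
        void onFault(BackendlessFault fault);
    }

    public static void init(Context context) {
        Backendless.initApp(context, APP_ID, ANDROID_API_KEY);
    }

    /** Login: after this, requests run under the roles of the logged-in user, not NotAuthenticatedUser. */
    public static void login(String login, String password, AsyncCallback<BackendlessUser> callback) {
        Backendless.UserService.login(login, password, callback);
    }

    static String whereClauseFor(String username) {
        if (username == null || !SAFE_USERNAME.matcher(username).matches()) {
            throw new IllegalArgumentException("username contains characters not allowed in a where clause");
        }
        return "username = '" + username + "'";
    }

    public static void lookup(String username, LookupListener listener) {
        DataQueryBuilder query = DataQueryBuilder.create();
        query.setWhereClause(whereClauseFor(username));

        Backendless.Data.of("Users").find(query, new AsyncCallback<List<Map>>() {
            @Override
            public void handleResponse(List<Map> rows) {
                // An empty list is a legitimate answer: either no such user exists, or the
                // current role's permissions on the Users table do not let it read that
                // record. Report it instead of indexing into the list.
                if (rows == null || rows.isEmpty()) {
                    Log.w(TAG, "no Users row visible for '" + username + "' under the current role");
                    listener.onNotVisible(username);
                    return;
                }
                Map row = rows.get(0);
                Object address = row.get("address");
                listener.onFound(String.valueOf(row.get("username")),
                        address == null ? "" : address.toString());
            }

            @Override
            public void handleFault(BackendlessFault fault) {
                // A denied operation or a malformed query arrives here, not in handleResponse;
                // the code and message are what to include when asking support to check a policy.
                Log.e(TAG, "find on Users failed: code=" + fault.getCode() + " message=" + fault.getMessage());
                listener.onFault(fault);
            }
        });
    }
}
```

When the lookup reports onNotVisible for a username that exists, the next thing to check is the Find permission on the Users table for the role the logged-in user actually holds, which is what Andriy's request for the policy screenshot and a cURL sample is aimed at.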