Sunday, September 27, 2015

Exclude items from iOS backup and restore

1. File and folder
An application can set the NSURLIsExcludedFromBackupKey resource value on a file or directory URL to exclude that item from iTunes and iCloud backups, and therefore from restore. The item must already exist on disk when the value is set, and it is simpler to mark a directory than every file inside it. Always check the return value: if the call fails the item is still backed up. Note that exclusion from backup does not protect data on the device itself; secrets belong in the keychain, not in an excluded file.

 // filePathString is the path of an existing file or directory
 NSURL *URL = [NSURL fileURLWithPath:filePathString];

 NSError *error = nil;
 BOOL success = [URL setResourceValue:@YES
                               forKey:NSURLIsExcludedFromBackupKey
                                error:&error];
 if (!success) {
     // the item will still be backed up, so treat this as a real error
     NSLog(@"Error excluding %@ from backup: %@", [URL lastPathComponent], error);
 }


2. NSUserDefaults
NSUserDefaults items are always included in backup and restore and cannot be excluded. The defaults are stored as a plist in the app's Library/Preferences directory, so anything written there ends up in the backup; do not store credentials or other secrets in NSUserDefaults.


3. Keychain
The following three accessibility values prevent a keychain item from being restored to a different device: the item may still appear in a backup, but it can only be restored to the device it was created on. The value is set under the kSecAttrAccessible key in the attributes dictionary passed to SecItemAdd.

Sample:
[dict setObject:(__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly forKey:(__bridge id)kSecAttrAccessible];

kSecAttrAccessibleWhenUnlockedThisDeviceOnly
The keychain item is accessible only while the device is unlocked, and the item cannot be migrated to another device. This is the default choice for most app secrets.
kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
The keychain item is accessible after the device has been unlocked once since boot (even if it is locked again later), and the item cannot be migrated to another device. Use this for items that background tasks need.
kSecAttrAccessibleAlwaysThisDeviceOnly
The keychain item is accessible even while the device is locked, and the item cannot be migrated to another device. This is the weakest protection of the three (it was later deprecated in iOS 12 in favour of the AfterFirstUnlock variant), so use it only when an item really must be readable on a locked device.

Wednesday, September 23, 2015

Share and record an iOS screen on a Mac with QuickTime Player

This needs a Lightning cable, iOS 8 or later on the device and OS X Yosemite (10.10) or later on the Mac.

1. Connect the iOS device to the Mac with the USB cable.
2. Open QuickTime Player on the Mac and click the Done button on the file dialog QuickTime Player shows.
3. Choose File -> "New Movie Recording" from QuickTime Player's menu; a recording window appears.
4. Move the cursor into the recording window, click the down arrow next to the red record button and select your device as the camera (and, if you want sound, as the microphone).
5. The device screen is now mirrored on the Mac. To record it, click the red button to start; click it again to stop the recording.

Monday, September 21, 2015

Cross-Site Request Forgery (CSRF) and Cross-Origin Resource Sharing (CORS)

As mentioned in http://jonathanblog2000.blogspot.ca/2015/09/http-cross-origin-request-and-http.html, the browser's same-origin policy prevents JavaScript loaded from one origin from reading the response to a request it sends to a different origin, and CORS is the mechanism by which a server selectively relaxes that restriction. So even if a user is tricked into opening a malicious web page, script on that page cannot read the responses returned by the user's real server. The restriction is enforced on the client side by the browser, based on the "Access-Control-Allow-Origin" header the server returns.

Cross-Site Request Forgery (CSRF), on the other hand, is a different kind of attack. It exploits the fact that the browser automatically attaches the cookies for a site, including the authentication cookie, to every request it sends to that site, no matter which page triggered the request. If the server accepts a request purely because the session cookie is valid, it will accept a forged request as a genuine one. The forged request is sent from the same browser, triggered by a link in an email, an image tag or an auto-submitted form on another web page. CORS does not prevent this, because the attacker does not need to read the response: as long as the server processes the request, the attack has succeeded.

To defend against CSRF, the server must validate requests with something other than the session cookie. A good choice is a CSRF token issued by the server and tied to the session, which the app's own JavaScript sends back in a custom HTTP header on every state-changing request (POST, PUT, PATCH, DELETE). The server compares the header value with the token it stored for the session and executes the request only if they match.

Note that although malicious code can make the user's browser send a GET request to the real server, it cannot read or parse the response to extract the CSRF token: the malicious script was loaded from a different origin, and without a permissive Access-Control-Allow-Origin header the browser refuses to give it the response. So the malicious code cannot send a POST request carrying the correct token and will fail the server-side check. This defence holds only as long as the token is not leaked some other way, for example through an XSS bug on the real site, by putting the token in a URL, or through a CORS configuration that reflects arbitrary origins together with Access-Control-Allow-Credentials: true.
  

HTTP Cross Origin request and HTTP access control (CORS)

HTTP content loaded from one origin (scheme, host and port) commonly references resources from a different origin, such as an image, a CSS stylesheet or a script. This is normal usage.

However, when a script sends a request to a different origin, there is a risk that a plain link does not carry: malicious script can issue requests without the user noticing, and if it could also read the responses it could pull data out of any site the user is logged into.

The browser therefore applies the same-origin policy to script-initiated requests and uses the server's response headers to decide whether the script may read the response (HTTP access control, CORS). The server response includes a header such as
Access-Control-Allow-Origin: *
which states which origin is allowed to read the response cross-site. The header holds a single origin or *, not a list, so the usual pattern is to echo the request's Origin header back when it is on the server's allowlist (and add Vary: Origin so caches do not mix answers), or to return * to allow every origin. * cannot be combined with credentials such as cookies, so an API that relies on the session cookie must echo a specific origin and send Access-Control-Allow-Credentials: true.

Note that although the server returns the Access-Control-Allow-Origin header, it is the browser (not the server) that checks and enforces the restriction. For a simple request (GET, HEAD, or a POST with a form-style content type and no custom headers) the request is sent and processed by the server regardless; only the script's read of the response is blocked. For other requests the browser first sends an OPTIONS preflight and only sends the real request if the preflight response permits the method, headers and origin.
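Both halves of that decision, as an added example rather than code from the original post: corsHeadersFor() is what a server would run to build the response headers, and browserAllowsRead() mirrors the check the browser makes before handing the response to script. The allowlist, the origins and the reflectAnyOrigin() misconfiguration are constructed for the example.

```javascript
// Added example (not from the original post): the two sides of CORS.
// corsHeadersFor() is the server's side; browserAllowsRead() is the check
// the browser performs. Allowlist and origins are constructed for the example.

const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);

// Server side. Access-Control-Allow-Origin carries a single origin or "*",
// never a list, so the request's Origin is echoed back when it is on the
// allowlist. Vary: Origin keeps caches from serving one origin's answer to
// another. "*" cannot be combined with credentials, so a cookie-based API
// must echo a specific origin.
function corsHeadersFor(requestOrigin, { allowCredentials = false } = {}) {
  const headers = {};
  if (requestOrigin === undefined) return headers;        // same-origin or non-browser client
  if (ALLOWED_ORIGINS.has(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Vary'] = 'Origin';
    if (allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;                                          // unknown origin: no CORS headers at all
}

// Browser side. The response has already arrived (the server handler already
// ran, which is why CORS alone does not stop CSRF); this decides whether the
// calling script may read it.
function browserAllowsRead(pageOrigin, responseHeaders, withCredentials) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (acao === '*') return !withCredentials;               // "*" is rejected for credentialed requests
  if (acao !== pageOrigin) return false;
  if (withCredentials && responseHeaders['Access-Control-Allow-Credentials'] !== 'true') return false;
  return true;
}

// A deliberately bad server configuration for comparison: reflecting any
// Origin together with credentials lets every site read the user's
// authenticated responses, including any CSRF token they contain.
function reflectAnyOrigin(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}
```

The last function is the configuration to look for in a review: it looks like an allowlist because the header always names one origin, but the origin is whatever the attacker's page sent.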


Sunday, September 20, 2015

Cordova core plugin list

When you create a Cordova project, it contains only the core bridge between the JavaScript API (cordova.js) and the native side. To access native operating system functionality such as the accelerometer, camera, compass, file system and so on, you add the Cordova core plugins. The core plugins are developed by the Apache Cordova team and are updated and improved with each new version.

You can also add third-party plugins registered at http://plugins.cordova.io/npm/index.html to your project, but be careful about their quality unless you developed them yourself: a plugin is native code that runs with the full privileges of your app, so a poor plugin can undermine the whole app. Always check the core plugins first before looking at third-party plugins or implementing a new plugin yourself.

When searching at http://plugins.cordova.io/npm/index.html, the core plugins are marked with a blue bar on the left.

For convenience, the full core plugin list is below:

cordova-plugin-battery-status
cordova-plugin-camera
cordova-plugin-console
cordova-plugin-contacts
cordova-plugin-device
cordova-plugin-device-motion
cordova-plugin-device-orientation
cordova-plugin-dialogs
cordova-plugin-file
cordova-plugin-file-transfer
cordova-plugin-geolocation
cordova-plugin-globalization
cordova-plugin-inappbrowser
cordova-plugin-media
cordova-plugin-media-capture
cordova-plugin-network-information
cordova-plugin-splashscreen
cordova-plugin-statusbar
cordova-plugin-vibration
cordova-plugin-whitelist  

Friday, September 11, 2015

Failing to empty the Trash on a Mac

Sometimes the Trash cannot be emptied, usually because some of the files in it are locked. If that happens, try the following:
1. Hold the Option and Shift keys, right-click the Trash icon and select Secure Empty Trash.
2. If that does not work, open Terminal and type
chflags -R nouchg 
with a trailing space. Then open the Trash folder in Finder, select all the files and drag and drop them onto the Terminal window (Finder appends their paths to the command), then press Return. This clears the locked (uchg) flag on the files.
3. Repeat step 1 to empty the Trash.