Service Workers in Cordova Hybrid Mobile App - javascript

We have done extensive work to determine if there is ANY possible way or hack that anyone has figured out to get service workers working in a Cordova app (not using Ionic). Ionic actually doesn't work with true service workers either, but that's another thread.
Obviously, the service worker has to come from a trusted host 'HTTPS' and our build comes from local host on File:///
We have tried the whitelist plugin, and we are aware there is an iOS plugin (which we don't want to fuss with) until we know we can also get them working on Android. Has anyone found a creative hack to make this work, or has Cordova updated to support this API yet (as it's the future of development)?
Even if you have constructed a hack solution we'd like to hear. Considered using PouchDB to help with offline access but that really doesn't help us run server tasks off the main thread and in the background, additionally we worry it could conflict with SQLite which we also use.
It seems the last posts on this were quite some time ago, so if any Cordova or PhoneGap folks could chime in and help a client-side rendered local host implement these, it would be much appreciated.

Related

Is it possible to run PHP/JavaScript on an Android server?

I've been tinkering to create an Android server now. Not an actual web server though; only one that would be accessible through WLAN connections to share files.
I've managed to build one using Apache HTTP libraries, thanks to this wonderful guide. However, now I wanna set up the game a lil' bit by running some scripts.
The question is, is it possible to do so?
I've tried googling for clues but that one above was the best I could find.

JavaScript Security Risks In Hybrid Mobile App

Let's assume HTML5 web page with (in)appropriate server-side background so that http://www.my-site.com/execute?query="SELECT * FROM Table" gets executed via AJAX and returns results. Not very smart, indeed.
But how about when in context of hybrid mobile app, i.e. HTML5 app inside iOS/Android/WindowsPhone wrapper/skeleton delivered as an application through appropriate store?
Q: Do we consider JavaScript safe when in context of hybrid mobile app?
I would say no.
If somebody looks at your network communication, or maybe if you accidentally forget some debug logging, it's probably fairly easy to find out the URL.
And the query probably would also work when called in a browser (being mobile or desktop).
Of course you can ask yourself: how popular is your mobile app and would anybody even try to hack it. But I wouldn't bet on that.
Edit: we usually use something like a (REST) API, and the answer from the server is JSON which is then parsed by the client. Don't let anybody be able to type in SQL queries!
A: In terms of "security" on iOS: you can browse the device with e.g. iExplorer. On Android, there are also ways (rooted device or adb). Given the phonegap structure, your javascript would then be located in the "assets_www" folder or similar. So if somebody wants to, he/she can look at the javascript source just like on the web.
It will cause a serious misery.
Once someone finds your AJAX url, they will be able to delete or insert anything into your database.
Reverse engineering of applications is very common, so one will be able to find your AJAX URL very easily once they just decompiled your app. Hybrid mobile apps can be very vulnerable if you think of them like native apps.
Additionally, using proguard will not help securing your html/js source codes, so you'd better just think of them as websites' front-end where all the sources are open, and keep the same level of security.
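
The REST-style design recommended in the answers above, sketched as an added example (not code from the thread): the server owns every SQL statement, and the client can only name an operation and supply validated arguments. The operation names, the `invoices` table and its columns, and the `planRequest` helper are hypothetical.

```javascript
// Added example: fixed server-side operations instead of a client-supplied SQL string.
const isInt = (v, min, max) => Number.isInteger(v) && v >= min && v <= max;

// Every statement lives on the server; '?' placeholders are bound by the DB driver.
const OPERATIONS = {
  getInvoice: {
    sql: 'SELECT id, total FROM invoices WHERE id = ? AND owner_id = ?',
    args: { id: v => isInt(v, 1, Number.MAX_SAFE_INTEGER) },
    bind: (a, userId) => [a.id, userId],
  },
  listInvoices: {
    sql: 'SELECT id, total FROM invoices WHERE owner_id = ? LIMIT ?',
    args: { limit: v => isInt(v, 1, 100) },
    bind: (a, userId) => [userId, a.limit],
  },
};

// Turns an untrusted JSON body into a statement plus bound values, or a rejection.
// `session` must come from server-side authentication, never from the request body.
function planRequest(session, body) {
  if (!session || !Number.isInteger(session.userId)) {
    return { status: 401, error: 'not authenticated' };
  }
  const name = body && typeof body.op === 'string' ? body.op : '';
  // hasOwnProperty keeps names such as "constructor" from resolving via the prototype.
  if (!Object.prototype.hasOwnProperty.call(OPERATIONS, name)) {
    return { status: 400, error: 'unknown operation' };
  }
  const op = OPERATIONS[name];
  const args = body.args && typeof body.args === 'object' ? body.args : {};
  const expected = Object.keys(op.args);
  const extra = Object.keys(args).filter(k => !expected.includes(k));
  const bad = expected.filter(k => !op.args[k](args[k]));
  if (extra.length || bad.length) {
    return { status: 400, error: 'invalid arguments' };
  }
  // The owner id is taken from the session, so a caller cannot read another user's rows.
  return { status: 200, sql: op.sql, values: op.bind(args, session.userId) };
}
```

Because the JavaScript shipped in the app is readable by anyone, the authorization decision sits entirely in this server-side step; the client code only chooses among operations the server already allows.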

How to protect source code of chrome packaged app?

If a chrome app can work offline it means that source code is downloaded somewhere.
My question is how to protect it?
The only thing that comes to my mind is minification of javascript code. Is there anything else?
You could try to put most of your app's functionality into a NaCL module. Good luck with that :-)
There is nothing to protect it as all in the web.
But you can add a license text ;)
–––––
Update:
you can try to use snapshot if you use the nw.js
JavaScript is downloaded to the client machine (and can be manipulated there); for this reason it can never be secure or secret. As you say, the best you can hope for is obfuscation.
From google developers FAQ
Can I sell a packaged app?
Yes, but there are risks in doing so.
Specifically, it is easy for motivated people to bypass payments for
packaged apps. This holds true even if you have used our Licensing API
in your locally stored packaged app, since locally stored content is
not secure and can be modified (including calls to the Licensing API).
If you’d like to have the option of blocking access to your app by
unauthorized users, selling a packaged app may not be the right
solution for you. An alternative to consider is moving to a hosted app
model with a server-side licensing check.

Converting Grails web application to offline web application

I've been doing some research on the HTML5 local storage/offline capabilities and I'm beginning to get a better understanding of it. I've been designing a billing application with Grails and I'm just wondering if it is possible to set up a Grails application to be an offline web application, like you can with HTML5 (by utilizing a Manifest file). If so, would it be set up in the same way that you'd set it up with HTML5, or would there be any key differences to make a note of? Also, what is the best way to implement the local storage functionality of HTML5 in Grails? Is there any plugin or framework available for this purpose? Has anyone ever used this plugin/framework before, and if so, do you know if there are any guides or examples that use it anywhere that would really be able to help me get started with it?
I'd appreciate the information on making a Grails app work "offline".
Thanks in advance!
I am developing an offline HTML5 app, myself. The biggest difference is that it is a single page rather than many small ones (but it might work that way if you tried it; you would need to be sure it got all the data it needs at startup).
Don't forget to add the application cache mime type to your configuration.
I never thought to look for a plugin for local storage. In my project, the local tables (I'm using WebSQL because it's in Webkit browsers) are different from the domain classes because they have a different function; that is, they have to hold the data for the domain tables until the device can sync with the host.
I hope there is something useful here.
Ed

Node.js hosting platform Heroku-like

I want to create something similar to Heroku (first I was thinking in EngineYard-like but I prefer Heroku) for node.js (I know they already support node.). However, it's for a personal project so it doesn't need to be anything overcomplicated or super expensive. I believe I can learn a lot creating a product like this.
Before I start, I have several doubts:
Heroku uses a reverse proxy to receive the requests. However, reverse proxy doesn't work fine with websockets. How can this be fixed?
1 instance supports several dynos. How can an instance be divided by RAM, processing, etc?
I guess if I have an answer to the last questions I'll be able to create a route mesh. However, what can be the tricks here?
Regards.
Donalds
So you want to be a node PaaS?
Nodejitsu opensourced their hosting solution: haibu (Japanese for Hive). It's well documented and you'll also get real time support if you hop onto #nodejitsu on efnet irc network.
As a user of their service, I can vouch for the simplicity of the solution. You use their client jitsu to provision, configure and deploy the applications. Applications are watched over by their tweaked version of forever.
Go for the simplest possible implementation. Use HAProxy, Apache Traffic Server or mongrel2 as your reverse proxy. They all support the HTTP 1.1 protocol and should work with websockets.
Don't worry about limiting resources. Also don't worry about a routing mesh. Just update and reload the config on your reverse proxy any time you're spinning up a backend process.
Good luck.
