Secure Development for Mobile Apps


How to Design and Code Secure Mobile Applications with PHP and JavaScript

The Book Available On Amazon


不僅可以使水漂浮船,但它也可以下沉 - Not only can water float a boat, but it can sink it also.

Software can cause wealth to flow towards you; problems in software can also cause wealth to flow away from you. Therefore it pays to start right.

Understanding Secure Web Development

The popularity of mobile devices now makes programming mobile applications as critical as programming desktop browser applications were just yesterday. Social media goes hand in hand with being mobile and so the race is on to build better and better apps that do more and more with smaller and smaller screens. This means collecting data from various places in cyber-space, making it look great, and then sending data to various other places in cyber-space. What is this data? Where is it coming from? Where is it going? What is it actually doing? This is the security problem.


Building a mobile application almost always starts with building a service that speaks HTML and handles the majority of the processing that needs to occur; the mobile app is then the client that renders the layout of this newly organized stream of data chaos. It is the job of the developer to know and account for this chaos, and to use every tool at his disposal to tame it. It is a large task. Security depends on doing the correct thing at the right time, consistently, and that is what this book will endeavor to do: to leverage all available tools to help the developer create reusable code that handles security matters consistently.

The goal of this book is to bridge the gap between understanding security problems and creating application designs that incorporate security from the beginning. There are many tools available to a PHP developer in his fight against security attacks, and some of these tools might not be so obvious. They range from built-in PHP language functions to object-oriented architecture constructs, software design patterns, and testing methodologies. Every one of these tools is an established method you can trust, and they can all be combined in powerful ways to create reusable toolkits that make security an integrated part of the development process rather than an afterthought.

What Other Security Experts Have Said

What we need is a completely new way of thinking. A positive approach to secure programming... That's why J.D. Glaser's book is different. It's about showing programmers the right way to do things.
- Jeremiah Grossman,
CEO WhiteHat Security
Adaptability, and understanding of "why", which is what JD brings up when talking about security anti-patterns, pointing out towards the mindset, which is also introduced via change of thinking from "Clean, Safe, and Done" to "Reducing Attack Vectors", "Reduced Threats", "Less Vulnerable", "Higher Degrees of Protection", the latter ones pointing out the goals, which then, when followed on the different points of handling data, input can prevent even currently unknown attempts of attacks, the whats, to work.
- Jussi Jakanaho,
Former Chief Security Specialist Nokia,
ToolCrypt Group
If you don't know of him by now you most certainly have used something in IT Security that he has had a direct or indirect influence on. As these defensive design patterns become more pervasive, we may actually see a fair fight in the war of cyber security. I'm grateful to J.D. for this contribution and I hope this book changes the way you go about building web application systems.
- Tim Keanini,
nCircle Security

Table of Contents

Chapter 1

  1. Introduction to Mobile Security Development
  2. Understanding Secure Web Development
  3. Applying Architecture Tools to Security
  4. Creating Consistent Reusable Code From Project to Project
  5. Mobile Application Using HTML5, AJAX and jQuery Mobile
  6. Mobile App - A Social Mashup
  7. Client Technologies
  8. Client Application Layout
  9. Server Application
  10. Evolution of Security Measures
  11. SQL Injection to XSS to CSRF
  12. Battle For Output Context
  13. New Technologies HTML5
  14. Bad Practices Invite Holes
  15. A New Mindset For Web Application Security -- ONLINE

Chapter 2

  1. The Attack Surface
  2. Attack Vectors
  3. Common Threats
  4. SQL Injection
  5. Cross-site Scripting
  6. Cross-site Request Forgery
  7. Session Hijacking
  8. Defending Input and Output Streams
  9. Theory Of Input Filtering and Output Escaping
  10. Input Validation
  11. Input Filtering
  12. Output Escaping
  13. You Must Know Where Your Data Is Displayed
  14. OWASP XSS Prevention Rules -- Online

Chapter 3 -- READ ONLINE

  1. Security Anti-Patterns
  2. Anti-Pattern #1
  3. Not Matching Data Character Set To Filter Character Set
  4. Misinformation Anti-Patterns
  5. The Mantra Anti-Pattern
  6. Critical Data Type Understanding and Analysis
  7. Single Data Type Anti-Pattern
  8. Validation By Type Process
  9. Input Same As Output Anti-Pattern
  10. The Assumed Clean Anti-Pattern
  11. Improper mysql_real_escape_string() Usage
  12. Filtering vs Escaping vs Encoding
  13. Only One Output Context Anti-Pattern
  14. Lack of Planning Anti-Patterns
  15. Lack of Consistency Anti-Patterns
  16. Lack of Testing Anti-Patterns
  17. Parameter Omission Anti-Pattern
  18. Design Practices Anti-Patterns
  19. No Clear Separation of HTML and PHP Code Anti-Pattern
  20. Too Many Database Function Calls
  21. Misleading Filtering Anti-Pattern
  22. Too Many Quotes Anti-Pattern
  23. Raw Request Variables As Application Variables
  24. Common Direct URL Input Anti-Pattern
  25. Poor Error Management Practices
  26. Poor Cryptography Practices
  27. Poor Cookie Expiration
  28. Poor Session Management
  29. Overcoming Anti-Patterns: Patterns, Testing, Automation

Chapter 4

  1. Essential Security Issues For Every Web Application
  2. A Consistent UTF-8 Character Set
  3. Clean Secure Data
  4. Input Validation: Account for Size and Type
  5. Escape Output: Account For Context
  6. Database Access Pattern
  7. Application Secrets Location Pattern
  8. Error Processing Pattern
  9. Error Logging Process Pattern
  10. Authentication Pattern
  11. Authorization Pattern
  12. White Listing Acceptable Input
  13. PHP Security Design Best Practices Summary
  14. Protect Secret Files/Protect Included Files
  15. Architect Input Validation
  16. Architect Output Escaping
  17. Architect Session Management
  18. Protect User Passwords
  19. Protecting User Session Data
  20. Protect Against CSRF Attacks
  21. Protect Against SQL Injection Attacks
  22. Protect Against XSS Attacks
  23. Protect Against File System Attacks
  24. Proper Error Handling
  25. OWASP Recommendations for PHP
  26. The Checklist
  27. Additional PHP Security Checklist
  28. Disable dangerous PHP functions

Chapter 5

  1. PHP Tools Overview
  2. Object Language support
  3. Abstract Classes, Interfaces, Templates, Strategy, Factories, Visitors
  4. Variable Variables: Power DRY
  5. Native Function support
  6. Encoding Functions
  7. The New PHP Escaping Class and Functions
  8. Header and Redirect Functions
  9. UTF-8 and Multi-Byte Functions
  10. DRY Enforcement Functions
  11. Type Enforcement Functions
  12. Filter Functions
  13. Mobile Functions
  14. Cryptography And Hashing Functions
  15. HTML Templating Support
  16. How To Inline HEREDOC Functions
  17. Best Practices Tips
  18. Issues to Avoid
  19. The Reason for PDO Prepared Statements
  20. Deprecated Security Functions
  21. Modern Crypto VS Old Crypto

Chapter 6

  1. A Complete UTF-8 Setup
  2. Why UTF-8
  3. UTF-8 Advantages
  4. UTF-8 Disadvantages
  5. How UTF-8 Affects Security
  6. Complete PHP UTF-8 Setup
  7. UTF-8 MySQL Database And Table Creation
  8. UTF-8 PDO Client Connection
  9. Manual UTF-8 PDO/MySQL Connection HowTo
  10. This Will Tell MySQL That You Are Sending It UTF-8 Data
  11. PHP UTF-8 Initialization And Installation
  12. UTF-8 Browser Setup
  13. Header Setup
  14. Metatag Setup
  15. Form Setup
  16. PHP UTF-8 Multi-Byte Functions
  17. UTF-8 Input Validation Functions
  18. UTF-8 String Functions
  19. UTF-8 Output Functions
  20. UTF-8 Mail
  21. UTF-8 Configuration PHPUnit Testing
  22. Test PHP Internal Encoding
  23. Test PHP Output Encoding
  24. PHPUnit Test Class for Asserting UTF-8 Configuration

Chapter 7

  1. A Working Project Template
  2. Every App Has Some Basic Similarities
  3. The Same Project Structure Issues
  4. The Same Security Issues
  5. A Project File And Layout Structure Template
  6. Project Layout Should Be Handled Consistently
  7. Select Query Wrapper
  8. Separation of HTML Static Resources
  9. The Completely Commented Files
  10. PHP PDO/UTF-8 Security Checklist

Chapter 8

  1. Separation of Concerns
  2. What Is Separation of Concerns
  3. Keep HTML As HTML
  4. Keep PHP out of HTML
  5. Keep JavaScript Out Of HTML
  6. Keep CSS out of JS
  7. Use of IDs and Facades

Chapter 9

  1. PHP and PDO
  2. PDO UTF-8 Connection
  3. MySQL UTF-8 Database and Table Creation Support
  4. PDO Prepared Statements
  5. Prepared Statement Examples
  6. Selecting Data and Placing into HTML and URL Context
  7. PDO SELECT Queries and Class Objects
  8. Quoting Values and Database Type Conversion
  9. PDO Manual Quoting Example
  10. PDO and WHERE IN Statements
  11. White Listing and PDO Quoting of Column Names

Chapter 10

  1. Template Pattern Forces Implementation
  2. Template Pattern Enforces Process
  3. Account Registration Template Part I - Registration
  4. Account Registration Template Part II - Activation
  5. Strategy Pattern for Output Escaping
  6. Escaping Strategy Class
  7. Improved Escaping Strategy Class
  8. The Input Cleaner Class

Chapter 11

  1. Modern PHP Encryption
  2. Using MCrypt For Two Way Encryption
  3. Encrypting Hashed Passwords With BlowFish

Chapter 12

  1. Professional Exception and Error Handling
  2. Configuring PHP Error Environment
  3. Secure php.ini and error log files
  4. Error Options Overview
  5. Production Error Configuration For php.ini
  6. Development Error Configuration For php.ini
  7. PHP Error Level Constants
  8. Exception Handling
  9. Introduction to Exceptions
  10. Trapping All Errors And Exceptions
  11. Converting Errors to Exceptions
  12. ErrorManager Class
  13. Handle Fatal Errors With register_shutdown_function()

Chapter 13

  1. Secure Session Management
  2. The SSL Landing Page
  3. Secure Session Overview
  4. Secure Session Management Checklist -- Online
  5. Session Checklist Details
  6. Setting Configuration And Setup
  7. Detecting Session Tampering
  8. Force Page Request Over SSL
  9. SSL Redirect
  10. Protocol Relative Links

Chapter 14

  1. Secure Session Storage
  2. PHP Default Session Storage Overview
  3. Session Storage Life Cycle
  4. AJAX and Session Locking
  5. Session Management Configuration
  6. Configure Security Before session_start() Is Called
  7. Properly Destroy Session
  8. Encrypted Session Storage
  9. Encrypted Session Storage Via MySQL
  10. Creating a Custom Session Handler in MySQL
  11. Class SecureSessionPDO
  12. Class SecureSessionPDO Details
  13. Encrypted Session Storage Via File System
  14. Class SecureSessionFile
  15. Class SecureSessionFile Details

Chapter 15

  1. Secure Forms
  2. Secure User Registration and Login Process Overview
  3. Unlimited Password Length, Unlimited Password Characters
  4. Secure Form Landing Pages Are Over SSL
  5. Secure Form Nonce – Prevent CSRF
  6. Class NonceTracker
  7. Class NonceTracker Listing
  8. Class NonceTracker Detail
  9. Form Input Validation Overview
  10. Registration Form
  11. Registration Form Details
  12. Double Encryption of User Passwords
  13. Account Management Class
  14. AccountManager Details And Authorization Checks
  15. Email Verification And Activation System
  16. Future Proof Encryption Strength With Blowfish Rounds
  17. Secure Password Request Link
  18. Reauthorize On Privilege Elevation
  19. Session Management Class
  20. SessionManagement Details
  21. Secure Logout Details Via SessionManager
  22. Privilege Elevation Protection System
  23. Secure Login
  24. Secure Login Form Details
  25. Protect Pages Via Authentication Check
  26. Secure Logout Page Details
  27. A Secure RememberMe Feature

Chapter 16

  1. PHP UTF-8 Input Validation
  2. Server UTF-8 Validation
  3. Validating UTF-8 Names and Emails Via RegEx
  4. PREG For PHP = PREG For JavaScript
  5. Server Side Regular Expressions
  6. JavaScript Validation VIA Regular Expressions
  7. JQuery Validation Via Regular Expressions
  8. JQuery Password Strength Meter
  9. JavaScript and JQuery Escaping And Filtering
  10. Replace innerHTML with innerText
  11. Embedded HTML HyperLinks
  12. Insecure JavaScript Functions
  13. Preventing Double Form Submission
  14. Post-Redirect-Get Pattern for Form processing
  15. The PRG Pattern
  16. The PRG Directive
  17. Tracking Form Tokens To Prevent Double Submission
  18. Controlling Form Page Caching And Page Expiration
  19. Time Stamping AJAX GET Requests
  20. Constructing Secure GET Request URLs

Chapter 17

  1. Secure File Uploading
  2. Basic Principles of Secure File Uploading
  3. Secure File Uploading To Database
  4. Retrieving Uploaded Images

Chapter 18

  1. Secure JSON
  2. Building Secure JSON Responses
  3. Proper JSON Construction Depends On Array Construction
  4. Safe Array Construction With PDO Records
  5. Send And Receive JSON In PHP
  6. Send JSON From PHP
  7. Receive JSON In PHP
  8. Parsing JSON Securely With JavaScript/JQuery
  9. JQuery JSON Calls
  10. Post and Parse JSON Response Example

Chapter 19

  1. GoogleMaps, YouTube, And JQuery Mobile
  2. Placing Videos Inside GoogleMap InfoWindows
  3. Creating InfoWindow Markers
  4. HTML And JQuery Mobile Layout
  5. Javascript File - gmap.js
  6. HTML Fragments Description
  7. HTML Fragments For InfoWindow
  8. YouTube Elements Description
  9. YouTube HTML Elements
  10. Map Functions
  11. JQuery Form Validation
  12. InfoWindow Marker With Playable Video
  13. Map Marker Database Table
  14. VideoMap URL Table
  15. Data Repository Class - GMapData
  16. Processing Markers
  17. Generating Markers
  18. Inserting And Updating Markers
  19. Preparing Safe JSON Data

Chapter 20

  1. Secure Twitter Proxy
  2. Twitter v1.1 Via PHP
  3. TweetFetcher Class
  4. Fetching v1.1 Tweets Via TweetFetcher
  5. Getting Twitter OAUTH Token
  6. Setting SSL Verification For CURL
  7. Retrieve Latest Tweets From Timeline
  8. Creating And Filtering Hyperlinks From Plain Text
  9. Filtering Bad Tweet Examples
  10. Examples of Secure Processing With processTweet()
  11. Using TweetFetcher

Chapter 21

  1. Secure AJAX Shopping Cart
  2. JQuery Mobile Store
  3. The Mobile Store
  4. Add Items To Cart
  5. Remove Items From Cart
  6. Making The PayPal Purchase
  7. Beginning The PayPal Transaction
  8. Securely Posting To PayPal
  9. Completing the PayPal Purchase

Chapter 22

  1. Common Facebook Canvas Vulnerability Points
  2. Saving Facebook RealTime Updates VIA PDO
  3. Reflecting JSON Coordinates
  4. Reflecting Messages
  5. Reflecting URLs
  6. JavaScript and JQuery Filters
  7. JSONP Precaution

上級醫生預防疾病;平庸醫生照顧即將到來的疾病;下級醫生治療實際的疾病 - The superior doctor prevents sickness. The mediocre doctor attends to impending sickness. The inferior doctor treats actual sickness.

There are many topics covered in the 420 pages of this book, along with many hard-won tips to help you save time and create secure apps.

I hope you will have the confidence to purchase my book, and that it proves helpful to you.

Thank you.