The RAD Studio XE8 Summer (Northern Hemisphere) and Winter (Southern Hemisphere) of Security!

Posted by on in Programming

The RAD Studio XE8 Summer (Northern Hemisphere) and Winter (Southern Hemisphere) of Security!The RAD Studio XE8 Summer/Winter of Security!

This blog post contains information and links covering secure development topics for Delphi, C++Builder and RAD Studio XE8 developers. You’ll find secure computing introductory topics and starting information for InterBase database, components, libraries, Backend as a Service (BaaS), Cloud, App Tethering and more. Throughout the Summer (or Winter if you live in the Southern Hemisphere), I’ll continue writing about secure topics and showing sample development projects. If you have specific secure development needs, send an email to This email address is being protected from spambots. You need JavaScript enabled to view it.

Interbase – security at the database, column and over-the-wire levels.

InterBase® XE7 is a full-featured, high performance, encryptable, multiplatform and scalable relational database for developers who are looking to embed a low-cost, zero admin, lightweight secure database into their cross platform connected applications. With InterBase XE7 you get powerful access control, data change management, disaster recovery and journaling, as well as support for popular database drivers for increased deployment flexibility.

Data security is a hot topic! The loss of data via cyber attacks can lead to loss of customers and reputation, lead to regulatory action, and even expose you to large fines. InterBase is here to help with its flexible on-disk and over the wire encryption capabilities. InterBase also benefits from inbuilt user authentication and security in place wherever your data files reside. Choose to encrypt the entire database or just a critical table or column, and define who can decode that data with powerful role based authentication. InterBase supports both Advanced Encryption Standard (AES) and Data Encryption Standard (DES) encryption.

InterBase Encryption is supported starting with InterBase 2009. InterBase enables you to encrypt information at one or both of the following levels:

  • Database Level Encryption (InterBase encrypts all of the database pages that contain user information).
  • Column Level Encryption (Column-level encryption is more flexible and specific).

Using InterBase Database Encryption you can also encrypt Database Backup Files. For more information about encrypting your data with InterBase, see Data Definition Guide

Security is provided in the InterBase Server, InterBase Desktop and InterBase ToGo editons. To see additional features of each InterBase edition go to the InterBase product editions page at http://www.embarcadero.com/products/interbase/product-editions

Additional links and videos about InterBase database encryption can be found at:

Rise to the Data Security Challenge: Creating Secure Database Applications using InterBase – OnDemand Webinar -http://forms.embarcadero.com/InterBaseSecurityWebinar5-28

Why Database Encryption Matters: Is the NSA reading this? http://blogs.embarcadero.com/stephenball/2013/12/18/why-database-encryption-matters-is-the-nsa-reading-this/ 

 

EMS

EMS (Enterprise Mobility Services) offers a Mobile Enterprise Application Platform (MEAP) that you can host in the Cloud or on the premises, to expose custom REST APIs and enterprise database data. The enterprise data access is provided by the FireDAC data access library.

EMS offers a comprehensive solution including REST API, remote database access, users tracking, and analytics. Compared to a do-it-yourself model, in EMS you have a pre-build server with core capabilities in which you can plug custom packages.

You can create custom packages to expose datasets and plain REST resources, and easily embed the client code to access those resources in mobile and desktop applications.

http://docwiki.embarcadero.com/RADStudio/XE8/en/Enterprise_Mobility_Services

EMS Server Authorization allows you to authorize or deny access to a EMS Resource or a particular EMS Endpoint in an HTTP request. The authorization depends on the credentials used in the HTTP request to the EMS Server.

http://docwiki.embarcadero.com/RADStudio/XE8/en/EMS_Server_Authorization

EMS allows you to use external credentials in your custom plugins to execute login and signup operations in the EMS Server.

http://docwiki.embarcadero.com/RADStudio/XE8/en/EMS_External_Credentials_Support 

 

DataSnap

DataSnap is a RAD Studio XE8 technology for Delphi and C++Builder that allows the development of multi-tier applications, most notably multi-tier database applications. DataSnap offers the possibility to create Client-Server applications that communicate through the Internet, the local network, or the local host.

The main feature of DataSnap is the ability of the Client application to invoke methods that are implemented on a Server. DataSnap automatically generates the necessary interface for the Client to communicate with the Server, containing the prototypes of the Server methods.

DataSnap provides a way for the Client to safely communicate with the Server, using a secured transfer of JSON (JavaScript Object Notation) data content over TCP/IP, HTTP and HTTPS. The ability to define filters at both ends of the communication channel, for encryption and compression purposes, improves the security.

DataSnap provides Encyption filter support for data sent. You can choose PC1 or RSA - In case of using the PC1 encryption filter, the Properties property holds the Key value to use for the encryption. If using the RSA filter, the Properties property holds a list of three properties, UseGlobalKey, KeyLength, and KeyExponent.

Start with the DataSnap Server Wizard. DataSnap Server Wizard provides an easy way to implement a server application using the DataSnap technology. Regardless of the options you select, it creates a ServerContainerUnit that contains a TDSServer component. All the additional components are connected to the TDSServer, having the Server property set to the name of the TDSServer component. If the selected protocol is TCP/IP, the server unit also contains a TDSTCPServerTransport. If HTTP is selected as the communication protocol, the server unit contains a TDSHTTPService component. If HTTPS is selected, then the server unit will contain a TDSHTTPService component configured for HTTPS operations.

http://docwiki.embarcadero.com/RADStudio/XE8/en/DataSnap_Server_Wizard

Additional DataSnap documentation pages:

 

Cloud Application Development

Building cloud based applications also involves security, authentication, storage and more.  RAD Studio XE8 provides several interfaces to cloud systems using the Cloud API runtime libraries with support for Amazon AWS and Microsoft Azure.

http://docwiki.embarcadero.com/RADStudio/XE8/en/Developing_Cloud_Applications

We also provide component interface for Backend as a Service (BaaS) providers Parse, Kinvey, App42 (a separate free download). These BaaS services provide their own secure interfaces for developers for user and device authentication, storage and push notifications.  You can find additional information on their sites.

Sarina Dupont has a series of blog and tutorial posts showing you how to use BaaS providers. Use the following community blog post and tags to find the articles:

 

App Tethering

The RTL provides app tethering components, giving your applications the ability to interact with other applications running either on the same machine or on a remote machine.

Using app tethering, your applications can easily:

The app tethering feature does not depend on a specific transport or protocol, and new transports and protocols can be implemented using the app tethering API. The RTL provides built-in support for IP and Classic Bluetooth connections. IP support includes connecting applications running on the same device.

You’ll find a wide range of App Tethering documentation and tutorials on the Embarcadero DocWiki:

 

HTTP/HTTPS

 

RAD Studio XE8 supports using the Native HTTP libraries on multiple devices.

http://docwiki.embarcadero.com/RADStudio/XE8/en/Using_an_HTTP_Client, http://docwiki.embarcadero.com/Libraries/XE8/en/System.Net.HttpClientComponent

You can also use OpenSSL with your secure applications. http://docwiki.embarcadero.com/RADStudio/XE8/en/OpenSSL, https://www.openssl.org/

 

TurboPower LockBox

TurboPower LockBox 2 (Win32, Win64, Android, OSX) and LockBox 3.5.2 (Windows, Android, OSX) cryptography libraries/components. You can download and install the latest releases for RAD Studio XE8 using GetIt  (Tools | GetIt) menu item in the IDE:

  

Secure C Library

The foremost reason why Secure C Library came into existence was the need for bounds checking for string handling functions in the C Library. There are many functions in the C Library that expect the caller to supply string parameters long enough to hold the result of the operations. When a larger string is written "over" a smaller string, in fact data is written past the end, overwriting other program data. This can lead to "mysterious" failures, as the program has no means of knowing if or when something went wrong.

A typical solution was to try to use strings that were "big enough" but this could lead to two problems: either the result was a waste of space, or the user's "big enough" was not big enough in practice. In addition, buffer overflows can be exploited in order to run harmful code, compromising the security of operating systems and networks.

For many C Run-time Library functions, the Secure C Library introduces extra parameters that are used for bounds checking of character arrays, and data is never written past the end of an array. Besides that, it introduces run-time constraints and the means for the user to set his own run-time violation handling functions. Doing so, the program can know when and where something goes wrong with a character array and can fix the error, or fail gracefully.

http://docwiki.embarcadero.com/RADStudio/XE8/en/Secure_C_Library

 

Windows CryptoAPI

You can always call Windows SDK functionality even if we have not wrapped the API in our RTL or components. Here is the Microsoft SDK URL for CryptoAPI –

Cryptography - https://msdn.microsoft.com/en-us/library/windows/desktop/aa380255(v=vs.85).aspx

Cryptography API - https://msdn.microsoft.com/en-us/library/ms867086.aspx

 

IP*Works! By /n software

Internet components that are provided as part of the RAD Studio XE8 Registered User Downloads.

The full version of /n software’s IP*Works components - A comprehensive suite of components for Internet communications including more than 40 individual components covering every major Internet Protocol. IP*Works! eliminates the complexity of Internet development, providing easy-to-use, programmable components that facilitate tasks such as sending email, transferring files, managing networks, browsing the web, and consuming web services.

You can then purchase their addon packs for SSL, SSH and more at

Registered user download links:

 

Project Indy Internet Components

Project Indy includes a range of components for RAD Studio XE8 supporting a wide range of Internet protocols, clients, servers and more. You can find additional information on our DocWiki about the components and how to secure Indy based network connections:

 

I will be covering additional RAD Studio XE8 secure development topics throughout the summer. Stay tuned for demos and articles on the above topics as well as secure development for REST, SOAP and other web based architectures.

Have a great Summer or Winter depending on which hemisphere you live it :D

 

Tags: Android C++Builder Delphi encryption FireMonkey InterBase iOS OSX RAD Studio Secure Computing Security VCL Windows

Prev
Next

About
Gold User, Rank: 1, Points: 2466
David Intersimone (known to many as David I.) is a passionate and innovative software industry veteran-often referred to as a developer icon-who extols and educates the world on Embarcadero developer tools. He shares his visions as an active member of the industry speaking circuit and is tapped as an expert source by the media. He is a long-standing champion of architects, developers and database professionals and works to ensure that their needs are folded into Embarcadero's strategic product plans. David holds a bachelor's degree in computer science from California Polytechnic State University at San Luis Obispo, California.

Comments

  • DavidI
    DavidI Thursday, 2 July 2015

    Robert - feedback from EMS R&D: emsconsole.dll in the deployment as an ISAPI module supports HTTPS. Addtional EMS deployment information is available on our DocWiki at http://docwiki.embarcadero.com/RADStudio/XE8/en/Installing_the_EMS_Server_or_EMS_Console_Server_on_a_Production_Environment

  • Robert Love
    Robert Love Monday, 6 July 2015

    Thanks for the clarification. Glad to see that EMS is just documentation on the diagram.

    I am required by law to encrypt some data over the wire, regardless if it's behind a firewall or not.

    It would be nice if App Tethering has a built in Asymmetric encryption mechanism, as rolling your own is error prone. Look at Wifi standards and realize that getting it wrong is easier than you might think.

    If you wrap the platforms API in a common library you are not shipping anything with encryption, the platforms will be doing that. So it is a way to get around export restrictions. It also keeps you out of the business of having to maintain the encryption algorithms as the platforms can do that for you.

  • DavidI
    DavidI Thursday, 2 July 2015

    Robert - EMS is a technology meant to be used inside enterprise firewalls and not outside of a company. I think it might already be possible - if so, it will make a great one of my security topic posts and samples. Will ask the R&D team about future support for HTTPS for the console app.

    For App Tethering - you can "intercept" the send and receive of bytes and do whatever you want to Encrypt the data stream.

    Will suggest to Product Management about having a Crypto wrapper RTL for multi-device. Thanks. The only challenge we have (being a US company) is in shipping any encryption technology without an export license. For DataSnap encryption filter we have examples for PC1 and RSA which are not under export restrictions.

  • Robert Love
    Robert Love Wednesday, 1 July 2015

    I am highly interested in security, it's required with everything I do.

    EMS appears to only use http on the server console and that is not secure. Not 100% sure if https is supported. So if diagram is true there is a security design flaw in that system. I am looking at EMS architecture Diagram. http://docwiki.embarcadero.com/RADStudio/XE8/en/Enterprise_Mobility_Services

    App Tethering is not encrypted over the wire. So it's not secure either, and should not be promoted as such. It's a highly effective way to communicate but is subject to a man in the middle attack.

    Every platform you support has a crypto API it would be nice if there was a single wrapper for all of them so we could have a common api.

  • Please login first in order for you to submit comments
  • Page :
  • 1

Check out more tips and tricks in this development video: