
Best advice for developing back end server for app

Posted: Sat Jul 13, 2013 10:03 am
by William Jamieson
If I wanted to make an app that contained customer account information and other relatively secure information, what kind of server would I use? What language would be best? How would I go about setting up this server space?

I greatly encourage anyone to post on this for my knowledge of servers is still a work in progress :)

Re: Best advice for developing back end server for app

Posted: Sat Jul 13, 2013 11:30 pm
by trenatos
Any answer you get will be deeply colored by the poster's personal preferences.

There's no "best" language to use.

And here's my answer:
I'm a ColdFusion CFML developer, and I've used those skills to create a server back-end using sockets to talk to my LC apps.

CFML comes with sockets built in and is easy to work with; making my server talk with my LC app was easy once I got some pointers from people here on the forum.

The question becomes: Are you willing to learn a new programming language to create the server back-end, or do you want someone else to create it for you?

If you're willing to learn a language, you can pick anything from C to CFML, from Python to PHP.

Personally I learned CFML to become a web application developer, not that long ago I started learning LC and it was natural to simply connect the two.

It really comes down to: How much time are you willing to spend? How much money are you willing to spend?

Re: Best advice for developing back end server for app

Posted: Sun Jul 14, 2013 1:44 am
by SteveTX
Depends on the data, the frequency, the endpoint, the service, etc. We're gathering and sending light amounts of data, periodically, from 100k+ phones over cellular networks. We put the data into JSON format, encrypt it, and auth the server before sending it. Depending on how many concurrent users you have and their geographic location, I'm guessing not too many, you may need geographic distribution of your servers so you have multiple points of presence for the end user which peer back to the actual server along preferred/low latency routes.

Like trenatos said, it depends.

Re: Best advice for developing back end server for app

Posted: Sun Jul 14, 2013 6:13 am
by Simon
Hi William,
I'm going to take about a dozen steps back from the previous replies.
This is a liveCode forum... so you should use liveCode.

These are not medical records, right? (Could someone remind me what that requirement is called? HVAC?.. no, that's air conditioning or something :) )

Get any reputable hosting service. Encrypt the files using LC and post them to the server. Really easy. Even if someone cracked your server, without your decrypt key they would end up with gibberish. Now if they had the end-user app with the decrypt key, then you have a problem. But that is about end-user security, not the particular server type.

Hmmm... now thinking about my Visa card number... would I trust LC?
Heck Yeah!
Again it would be my poor password/security procedures that screwed things up.

Simon

Re: Best advice for developing back end server for app

Posted: Sun Jul 14, 2013 8:02 am
by trenatos
Thinking in the terms of the last poster, let's keep it LiveCode!

LC can create Linux binaries, so your best bet would be to get a VPS (Virtual Private Server) and create an LC based server back-end!

Use sockets and encrypt everything, hash passwords and include hacking-detection/counters.

Doing it this way, you'll stick to just LiveCode for the whole setup, though of course you'd have to learn a bit about Linux, or you could shell out a few $ more per month and get a Windows based VPS.

This approach makes the whole thing about your skill as a LiveCode programmer.
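The post above lists "hash passwords and include hacking-detection/counters" without saying what that looks like on the server. The following is an added example, not code from the thread and written in Python rather than LiveCode so the logic is visible on its own: a salted, deliberately slow password hash (scrypt from the standard library), a constant-time comparison on verification, and a per-account counter that locks the account after repeated failures. The cost parameters, the lockout policy and the in-memory user table are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# scrypt cost parameters and lockout policy: assumptions for this example,
# not values from the thread. Memory per hash is 128*N*r bytes = 16 MiB here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MAX_FAILURES = 5            # consecutive failures before the account is locked
LOCKOUT_SECONDS = 300.0     # how long the lock lasts


def hash_password(password: str) -> str:
    """Salted, slow hash. Stored as 'scrypt$<salt hex>$<digest hex>'."""
    salt = os.urandom(16)   # fresh random salt per user
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Used when the username does not exist, so the server does the same amount
# of work either way and an attacker cannot enumerate accounts by timing.
DUMMY_HASH = hash_password(os.urandom(8).hex())


class UserStore:
    """In-memory stand-in for the server's user table (constructed for the example)."""

    def __init__(self):
        self.users = {}      # username -> stored hash string
        self.failures = {}   # username -> (consecutive failures, time of last failure)

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str, now=None) -> str:
        """Return 'ok', 'denied' or 'locked'. `now` is injectable for testing."""
        now = time.time() if now is None else now
        count, last = self.failures.get(username, (0, 0.0))
        if count >= MAX_FAILURES and now - last < LOCKOUT_SECONDS:
            return "locked"          # refuse without even checking the password
        stored = self.users.get(username)
        ok = verify_password(password, stored if stored is not None else DUMMY_HASH)
        if ok and stored is not None:
            self.failures.pop(username, None)   # success resets the counter
            return "ok"
        # Count this failure; a counter whose lockout window has expired starts over at 1.
        count = count + 1 if now - last < LOCKOUT_SECONDS else 1
        self.failures[username] = (count, now)
        return "denied"
```

The counter is keyed by account rather than by source address, so an attacker spreading guesses over many connections still trips it; the per-connection rate limit discussed later in the thread is a separate control.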

Re: Best advice for developing back end server for app

Posted: Sun Jul 14, 2013 8:48 am
by Simon
Hi trenatos,
As this is posted in the "Complete Beginners" forum and I really just know LC, what is a socket to you? To me it's just an LC post command.
Really, I'm not trying to be difficult... Is an LC "Post" the same as a socket to you?

I admit I know nothing about CFML, also, can a VPS help when the data is uniquely encrypted prior to posting? I'm eager to learn.

I think that if data is encrypted at the source (user) and then posted to a server, all the cool net security is unnecessary.
Trust me, I can be sooo way wrong on this. I'm not a net cipher guy.

Your answers will help me in my own apps.

Simon

Re: Best advice for developing back end server for app

Posted: Sun Jul 14, 2013 6:31 pm
by trenatos
I hate being the bringer of bad news, but if you're that new to programming, making a secure networking app is not your best shot, unless you can get an experienced programmer to guide you the whole way.

About sockets: http://compnetworking.about.com/od/itin ... 83100a.htm

VPS (This is simplified quite a bit) means Virtual Private Server.

The "Virtual" part is because you share hardware with other VPS instances.

Each instance is as far as it knows, its own machine.

Running a VPS is pretty much the same as running your own machine on the internet, and connecting to it through the network/internet to maintain and set it up.

So a VPS just lets you run an operating system, nothing more.

You can run Linux and Windows on most VPS systems; Linux is the most common, but Windows is a bit easier for a beginner and costs a bit more per month.

As for encryption, I'm not a cryptological expert but I do use it in my work as a professional programmer.

If you're encrypting the data before sending it and using secure keys, you don't need to encrypt the traffic in other ways, unless you're really paranoid or handling VERY sensitive data.

Dealing with the data on the server has nothing to do with the VPS, remember that's just a computer on the 'net, but has everything to do with the server software.

The server software takes the data, decrypts it, and acts on the information.

My honest opinion is this:
Learn how to do it locally first, make a few "real" programs from start to finish (by real, I mean not examples, tutorials, or mini-anything, but full applications) with encryption and user details.

A decent start would be to make the classic phone-book program, writing and reading individual records from an encrypted file or database.

When you have that down and working, and preferably looked over for security by an experienced programmer, THEN you could look at networking. And then you start small and simple: make a chat program, make a mini-game like the old tank-battle games; once you have it working, add encryption. THEN you can look at writing server software.

I'm really not trying to extinguish your enthusiasm, but the reality is that a secure networked app handling sensitive data is much beyond beginners, UNLESS they have an experienced programmer there to help them and survey their code through the whole process.

Re: Best advice for developing back end server for app

Posted: Sun Jul 14, 2013 7:01 pm
by Simon
Ah, I think I can see now the different "reads" we took of the OP.
I didn't think that the server would do anything but store the information, not act on it. If it is just to store, then the process isn't really that difficult in LC:

private function myEncrypt tText
  -- the encrypt command puts its ciphertext in the special variable "it"
  encrypt tText using "rc4" with "This is my super secret passkey that know 1 will ever crack 'cause this data isn't THAT important q3HAtDaqe5NKR-#BSGQ%Pb6u?zMDaBU$"
  return it
end myEncrypt

Using that will secure the info prior to posting. The decrypt is pretty much the same.

Oh, I see... it could be a database :(

I guess the OP should follow up their post.

Simon
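Whether the server can tell a tampered record from a genuine one is a property worth checking when the plan is to encrypt at the client and trust nothing else about the transport. RC4, the cipher in the snippet above, is a stream cipher: it XORs a keystream onto the plaintext and carries no integrity check, so an interceptor who knows the record layout can change a field without the key, and the server decrypts the altered record without complaint. The added Python example below (not part of the thread and not LiveCode) implements textbook RC4 to show that edit, then appends an HMAC over the ciphertext so the server rejects the tampered copy. The keys and the record are constructed for the example.

```python
import hashlib
import hmac


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def flip_field(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Interceptor's edit: XOR (old ^ new) into the ciphertext at a known plaintext
    offset. Needs no key, only knowledge of where the field sits in the record."""
    buf = bytearray(ciphertext)
    for k, (o, n) in enumerate(zip(old, new)):
        buf[offset + k] ^= o ^ n
    return bytes(buf)


def seal(key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then append an HMAC-SHA256 tag over the ciphertext (encrypt-then-MAC)."""
    ct = rc4(key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_sealed(key: bytes, mac_key: bytes, blob: bytes):
    """Verify the tag in constant time before decrypting; None means reject."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        return None
    return rc4(key, ct)


def demo():
    """Constructed record and keys; returns what the server would see in each case."""
    key = b"constructed demo encryption key"
    mac_key = b"constructed demo mac key"
    record = b"user=simon;amount=100"
    offset = record.index(b"amount=") + len(b"amount=")

    # Encryption only: the interceptor turns 100 into 900 and the server accepts it.
    ct = rc4(key, record)
    forged = flip_field(ct, offset, b"100", b"900")
    tampered_plaintext = rc4(key, forged)

    # Encrypt-then-MAC: the same edit breaks the tag and the server rejects it.
    sealed = seal(key, mac_key, record)
    forged_sealed = flip_field(sealed, offset, b"100", b"900")

    return {
        "roundtrip": rc4(key, ct),
        "tampered_plaintext": tampered_plaintext,
        "sealed_ok": open_sealed(key, mac_key, sealed),
        "sealed_tampered": open_sealed(key, mac_key, forged_sealed),
    }
```

The MAC key is separate from the encryption key on purpose; in practice both would be derived from a single secret rather than hard-coded, and a modern authenticated cipher would replace RC4 entirely, but the point here is that confidentiality alone does not give the server any way to notice the edit.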

Re: Best advice for developing back end server for app

Posted: Sun Jul 14, 2013 7:07 pm
by trenatos
Preferably you'd use a dynamic key that's set when you connect, that way if someone hacks the software, it won't help them to get access to any data.

It's also important to protect the server from hacking attempts; for example, if the connecting software does not meet certain criteria, or connects more than once per second, the server refuses further connections. (This helps protect from brute-force attacks.)

Also store the last used key; if someone's trying to authenticate twice with the same key, then block the connection, since it's probably a replay attack.

You can sniff the network traffic and thus see the first message sent, which is often the authentication. So let's say someone captures the authentication; they could then replay that to the server, thus authenticating without knowing the password, and after that they send info as normal.
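The post above describes three controls for a socket server: a key that is set per connection, refusing a source that connects more than once per second, and rejecting an authentication message that has already been seen. The following added example, written in Python rather than LiveCode and not taken from the thread, puts them together as a challenge-response login: the server issues a random challenge, the client answers with an HMAC keyed by the shared secret (so the secret itself never crosses the wire), both sides derive the session key from the two nonces, and a captured message replayed verbatim is refused because its challenge has already been consumed. The addresses, timings and shared secret are constructed for the example.

```python
import hashlib
import hmac
import os

RATE_LIMIT_SECONDS = 1.0   # at most one connection attempt per second per source (assumption)


class AuthServer:
    """Server side of a challenge-response login over a raw socket.

    The shared secret never crosses the wire; the client proves it knows it by
    keying an HMAC over a fresh challenge, and each challenge is valid exactly once.
    """

    def __init__(self, shared_secret: bytes):
        self.secret = shared_secret
        self.pending = {}          # outstanding challenge -> time it was issued
        self.consumed = set()      # challenges already used (replay detection)
        self.last_attempt = {}     # source address -> time of its last connection

    def connect(self, source: str, now: float):
        """Step 1: client connects. Rate-limit the source, then issue a challenge."""
        last = self.last_attempt.get(source)
        self.last_attempt[source] = now
        if last is not None and now - last < RATE_LIMIT_SECONDS:
            return None            # refuse further connections from this source
        challenge = os.urandom(16)
        self.pending[challenge] = now
        return challenge

    def authenticate(self, challenge: bytes, client_nonce: bytes, response: bytes):
        """Step 3: check the client's response. Returns (status, session_key)."""
        if challenge in self.consumed:
            return "replay", None      # the same authentication message seen twice
        if challenge not in self.pending:
            return "unknown_challenge", None
        del self.pending[challenge]
        self.consumed.add(challenge)   # consumed whether or not the answer is right
        expected = hmac.new(self.secret, challenge + client_nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return "bad_response", None
        return "ok", derive_session_key(self.secret, challenge, client_nonce)


def derive_session_key(secret: bytes, challenge: bytes, client_nonce: bytes) -> bytes:
    """Both sides derive the per-connection key from the two nonces; it is never sent."""
    return hmac.new(secret, b"session-key" + challenge + client_nonce, hashlib.sha256).digest()


def client_respond(secret: bytes, challenge: bytes):
    """Step 2: client contributes its own nonce and answers the challenge."""
    client_nonce = os.urandom(16)
    response = hmac.new(secret, challenge + client_nonce, hashlib.sha256).digest()
    return client_nonce, response


def run_exchange():
    """A legitimate login, a replayed capture, a hammering client and a forged answer.
    Addresses, times and the secret are constructed for the example."""
    secret = b"constructed shared secret"
    server = AuthServer(secret)
    t = 1000.0

    # Legitimate client: connect, answer the challenge, both sides derive the same key.
    challenge = server.connect("203.0.113.5", t)
    client_nonce, response = client_respond(secret, challenge)
    status, server_key = server.authenticate(challenge, client_nonce, response)
    client_key = derive_session_key(secret, challenge, client_nonce)

    # Eavesdropper replays the captured authentication message verbatim.
    replay_status, _ = server.authenticate(challenge, client_nonce, response)

    # Attacker reconnects 200 ms after its first attempt: refused by the rate limit.
    first = server.connect("198.51.100.7", t)
    second = server.connect("198.51.100.7", t + 0.2)

    # Attacker later gets a fresh challenge but has no secret: forged answer rejected.
    challenge2 = server.connect("198.51.100.7", t + 5.0)
    forged_status, _ = server.authenticate(challenge2, os.urandom(16), os.urandom(32))

    return {
        "status": status,
        "keys_match": server_key == client_key,
        "replay_status": replay_status,
        "rate_limited": first is not None and second is None,
        "forged_status": forged_status,
    }
```

The `consumed` set grows without bound here; a real server would expire entries after the challenge's lifetime, which is also why `pending` records the issue time.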

Re: Best advice for developing back end server for app

Posted: Sun Jul 14, 2013 8:04 pm
by FourthWorld
A simple RESTful API over HTTPS seems to satisfy banks and stock traders. A bonus for that approach is that tools are plentiful and well known, and it keeps a good separation between client and server.

Re: Best advice for developing back end server for app

Posted: Sun Jul 14, 2013 8:17 pm
by trenatos
That's an incomplete statement though.

What parts of the systems do they think are OK to transfer using just SSL?

How many of those systems have actually been audited?

We know from history that bank software has been a lot more insecure than they like to say.

But then again, SSL and RESTful is just *another* solution, just as LC to LC using software encrypted data.

It just shows that there is no single solution, it all comes down to what the programmer(s) are comfortable working in and if the client is happy with what they produce.

In the end, individual solutions, programming languages, encryption schemas and so on are just minutiae.

Ask 10 programmers to come up with a solution, and you'll get 10 different solutions.

Re: Best advice for developing back end server for app

Posted: Sun Jul 14, 2013 9:04 pm
by FourthWorld
trenatos wrote: "It just shows that there is no single solution, it all comes down to what the programmer(s) are comfortable working in and if the client is happy with what they produce."
Bingo. Since the OP merely asked for "relatively secure", I figure just dropping a cert on the server and using HTTPS will cover what's needed there.

If there's anything we've learned from NSA/PRISM, it's that the tech is the smaller part of the security problem; the bigger problem is wetware, like not giving access to the world's most sensitive information to a three-month contractor with few if any credentials. ;)

Re: Best advice for developing back end server for app

Posted: Sun Jul 14, 2013 9:13 pm
by trenatos
Hehe, you have a point.

The only truly secure solution is to not even try.

The second best solution is to assume that anything you put in place will be circumvented, ergo you place secondary and third layer protections, both from inside and outside attacks.

Re: Best advice for developing back end server for app

Posted: Thu Jul 18, 2013 8:36 am
by William Jamieson
That is a great idea, Simon. It looks like I will use LiveCode Server, and if I need to step up security in the future then I will go the RESTful API over HTTPS route and outsource that to someone else. So far I am a beginner in LiveCode (hence the name of the forum) and only know the LiveCode language, so it is great to know that it includes security good enough to entrust your credit card information. I would like to know more about the specifics in case I had to explain that to someone in the future, but for now I will do my best to learn the system. I know absolutely nothing about servers or LiveCode Server except the links that were posted in this topic.

I do not mind paying more for the Windows VPS, as that is the system that I am most familiar with and the most widely used. Now that we have that established, any advice on the direction I should take in building the back end of my app? Where to rent server space, how to set up a Windows VPS, how to use sockets, hash passwords, encryption tools, detection counters, etc.

Not looking for a well written essay, but some helpful links or anything you found useful when you were learning to help point me in the right direction would be great!

Thanks guys! And sorry for not responding earlier; my LiveCode partner split his skull open this past weekend and I haven't had much time to get on the computer lately with all the nurses coming in every 15 minutes. We are out of the ER now and things are settling down, so back to programming :)

Re: Best advice for developing back end server for app

Posted: Thu Jul 18, 2013 7:47 pm
by Simon
Hey William you're in PA!
Maybe we could get together at Rudy's for a drink? I'm currently here.

Simon