Weight Training Workout Sheet APP (updates)

All the data needed for access is on the login screen

NOTE: the user Leandro is the Administrator / Teacher / Instructor

3 Likes

Just be aware that your login method is not secure. In less than a minute, I was able to find the username and password for all 5 of your users, including João and José.

5 Likes

I see. Can you tell me how you did it?

1 Like

Huh? @Jeff_Hager anything I need to be aware of?

Jeff is referring to the fact that anyone that knows how to use dev inspection tools can trivially get at Glide user data, if security best practices (as recommended by Glide) aren’t followed.

4 Likes

Got it, thanks for the tip!

I don’t think it’s a good idea to share exactly how to do it at the risk of everybody trying to exploit everybody else’s app. I’m not a hacker by any means, but I do web development as part of my regular job, so as @Darren_Murphy mentioned, I am familiar with using inspection tools to see the underlying workings of websites.

The thing to remember is that Glide’s built in sign in tools do provide proper security for authenticating users before any data is loaded onto the user’s device. That combined with Row Owners guarantees that only the data for the intended user is loaded on the device. In your case, your app is public and all data, including usernames and passwords, is downloaded to the device before a user even attempts to log in using your username and password method. Once the data is on the device, that is where the ‘glide only’ computed columns (such as relations, lookups, if/then, etc.) are computed…and in your case, a user is “authenticated” by entering matching information. Since you have usernames as well as passwords as part of your data, that data is all downloaded to the device and is relatively easy to find in the data stream when inspecting the page.

The result of building your own password sign in process and not using the ones provided by Glide is that the password is not encrypted and is then transferred and stored as clear text. The largest concern I have is that several of your users could be using the same usernames and passwords that they also use on other websites or for their email account. This puts your users at serious risk for a person with bad intentions to obtain user emails, usernames, and passwords and use that information to hack into many of their other personal web accounts.

I would suggest reading through the 🔐 Security Center - Glide Library to find more information on properly securing your app and data. Row Owners is an extremely good way to secure data and make only the data that’s intended for that user, part of the data stream that’s sent to the user’s device. However, it does require an email sign in with a pin to be used properly.

@Wiz.Wazeer I think your secureSafe app is a little better off as you are still using Glide’s sign in process along with Row Owners, so only the data for the signed in user is loaded on the device, but I would still have some concerns with the passwords and pins being stored as clear text for the same reasons as above.

5 Likes
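The two designs Jeff contrasts above, as an added illustration (this is not Glide's code or the app's own data; the user and workout rows, column names and the `hash_password`/`server_login`/`owner_filtered_payload` helpers are all constructed for the example). Design A is the "public app with a custom login relation" pattern: every sheet, credential column included, is part of the payload the device receives before anyone logs in, and the login check is just a match against rows already on the device. Design B is the pattern the Row Owners advice points at: the server verifies a salted password hash, and the device only ever receives the rows that user owns, never the credential table.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample sheets standing in for a Glide-style "users" and "workouts" table.
# Addresses and passwords are placeholders, not real accounts.
USERS_SHEET = [
    {"email": "leandro@example.com", "password": "Admin123", "role": "instructor"},
    {"email": "joao@example.com", "password": "Joao2021", "role": "student"},
    {"email": "jose@example.com", "password": "Jose2021", "role": "student"},
]

WORKOUTS_SHEET = [
    {"owner": "joao@example.com", "exercise": "bench press", "sets": 3},
    {"owner": "jose@example.com", "exercise": "squat", "sets": 4},
    {"owner": "leandro@example.com", "exercise": "deadlift", "sets": 5},
]


# ---- Design A: public app, login computed on the device -------------------
def public_app_payload():
    """Everything the device downloads before login: all sheets, credentials included."""
    return {"users": USERS_SHEET, "workouts": WORKOUTS_SHEET}


def client_side_login(payload, email, password):
    """The 'custom login' relation: match the typed values against rows already
    on the device. The check runs after the data has been delivered."""
    return any(u["email"] == email and u["password"] == password
               for u in payload["users"])


def payload_contains_credentials(payload):
    """Defender check: does any row in the client payload carry a password column?"""
    return any("password" in row for table in payload.values() for row in table)


# ---- Design B: server-side sign in, hashed passwords, row-owner filtering --
def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


# The server keeps only salt + hash, never the clear-text password.
SERVER_CREDENTIALS = {u["email"]: hash_password(u["password"]) for u in USERS_SHEET}


def server_login(email, password):
    """Verify on the server; return a session token on success, None otherwise."""
    record = SERVER_CREDENTIALS.get(email)
    if record is None:
        # Hash anyway so a missing account is not faster to reject than a bad password.
        hash_password(password, b"\x00" * 16)
        return None
    salt, expected = record
    _, actual = hash_password(password, salt)
    if not hmac.compare_digest(expected, actual):
        return None
    return secrets.token_hex(16)


def owner_filtered_payload(email):
    """What the device receives after a server-side login: only the rows this
    user owns, and no credential table at all."""
    return {"workouts": [r for r in WORKOUTS_SHEET if r["owner"] == email]}


if __name__ == "__main__":
    print("Design A payload carries passwords:", payload_contains_credentials(public_app_payload()))
    token = server_login("joao@example.com", "Joao2021")
    print("Design B login ok:", token is not None)
    print("Design B payload carries passwords:",
          payload_contains_credentials(owner_filtered_payload("joao@example.com")))
```

The point of the `payload_contains_credentials` check is that it is the question to ask of any no-code app: if a password column is reachable from the data the client loads, the login screen is decoration, regardless of how the relation or if/then column that implements it is configured.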

Ok. That made the matter very clear. Thanks!

2 Likes

Very informative. Thank you for this @Jeff_Hager and @Darren_Murphy. Thankfully I changed the text to numbers and implemented additional measures.

1 Like

I made a change, making the first login access go through e-mail. How much security does that give me?