LebGeeks

A community for technology geeks in Lebanon.

#1 June 14 2013

Fischer
Member

Is it possible to encode VB desktop app url

I have little to no experience in VB, someone needs my help, and I don't know if I can help in the first place.

So I'll try to explain the problem I'm facing: a server runs a PHP app, a VB app runs on the desktop, it acts like a web browser, it is meant to communicate with the PHP application. The user should not be able to see the URL of the page.

The programmer who created the system didn't bother creating a rest api, nor securing the server, nor forcing https.

So let's take this example: the PHP application opens example.com/foo
the page is displayed inside the VB application. The user should never be able to see the URL.

The creator of the app thinks the problem is with the PHP app and wants me to rewrite his entire server side app, but I'm kinda lazy these days, and I think the problem is solved if you can encrypt the request and create a REST API. But can you?

I don't think the problem is with the PHP, I think the problem is with the client app, you can't create an app that acts like a web browser and expect it to encode the URL. So rewriting the server side is a waste of time. Am I right or wrong? I don't have experience with VB so I'm asking just to make sure.

I know that encryption has to be done on both sides, one side encrypts, the other decrypts, but is there a quick solution, so you don't have to rewrite everything? That's my question.

And the url is currently invisible but with some programming skills you can see it.

Last edited by Fischer (June 14 2013)

#2 June 15 2013

rolf
Member

Re: Is it possible to encode VB desktop app url

Your description is quite confusing.
You have a "vb" (a vb what? a script?) which calls a server, which executes a PHP script... which opens another address?
What is the aim of all that? Maybe that would help understanding. And who coded what?
I'd really like to help but I don't like giving advice when I'm not sure that I understood the problem.

PS: I understand you have access to the server, so why don't you just set up HTTPS and have that serve the PHP app... would that solve your problem?

Last edited by rolf (June 15 2013)

#3 June 15 2013

Fischer
Member

Re: Is it possible to encode VB desktop app url

I don't have access to the server. The creator of the software asked for my help to rewrite the server side application using Django, but I don't think it will work without rewriting the client as well. So I'm here asking if there is a quick fix rather than recreating the whole system.

The server side PHP application tells the Visual Basic application sitting on the desktop to open a URL.
The Visual Basic application acts like a web browser, it shows you the web page.
The user should not be able to see the URL, it has to be encoded.
HTTPS will not solve the problem.

I didn't code anything, some guy wants to hire me to fix that mess. I can't give more details since it's not my project, besides I don't have too much information, I haven't seen the source code, and I don't have access to the server.

Last edited by Fischer (June 15 2013)

#4 June 15 2013

venam
Member

Re: Is it possible to encode VB desktop app url

--

Last edited by venam (July 31 2013)

#5 June 15 2013

Fischer
Member

Re: Is it possible to encode VB desktop app url

venam, if you were in my place, what would you do? I'm thinking not to accept the project, since even after rewriting the whole thing, it just won't work.

#6 June 15 2013

venam
Member

Re: Is it possible to encode VB desktop app url

--

Last edited by venam (July 31 2013)

#7 June 15 2013

Joe
Member

Re: Is it possible to encode VB desktop app url

Fischer, I didn't understand at all what you're going for.

However, do you realize how difficult it would be to have the client contact the server without knowing its URL? This has nothing to do with securing the server, HTTPS, VB, PHP or REST. It would be like sending something through the mail without knowing the address of your recipient.

That being said, with a clever play of redirection and a few servers acting as middleware between your client and your endpoint, you could devise a scheme that would obfuscate your target URL enough so that it's practically impossible to know where the end data is ultimately headed. However the client (the VB program) needs to know at least the first address to connect to. How does it connect to the PHP server in the first place?

What I understand it's doing now:

    +-----------+                        +-----------+
    |           +---+1.request+----------> known URL |
    | client    <---+2.secretURL+--------+           |
    |           |                        | PHP server|
    +-----------+                        +-----------+
                |
                |
                |
                |
                |                        +-----------+
                |                        |unknown URL|
                +---+3.request+--------->|           |
                                         | secret!   |
                                         +-----------+

Why don't you try doing this?

 +-----------+                        +-----------+                    +-----------+
 |           +---+1.request+----------> known URL +-----+2.getHTML+--->|unknown URL|
 | client    <---+4.forwardHTML+------+           <-----+3. HTML+------+           |
 |           |                        | PHP server|                    | secret!   |
 +-----------+                        +-----------+                    +-----------+

The user will most likely never get access to unknown URL, but it needs to know known URL.

Obviously the schema is a small simplification, and your business case might be more complicated than that. But the point is, you should never implement this sort of obfuscation client-side. It's absolutely useless. (That's the first rule of web security. You would think that by now you won't come across client-side data validation anymore!)

Offline
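
The second diagram in the post above, as an added example in Python (not code from the thread or from the project it discusses): the "known URL" server keeps the upstream address in a server-side route table, fetches the HTML itself and forwards only the body. The paths `/ad/current` and `/campaign/42`, the loopback servers and all helper names are constructed for illustration.

```python
import http.server
import threading
import urllib.error
import urllib.request

OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no system proxy

class Quiet(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args): pass  # silence per-request logging
    def reply(self, body):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class Upstream(Quiet):  # constructed stand-in for the "unknown URL" server
    def do_GET(self):
        self.reply(b"<html><body>ad #42</body></html>")

def make_proxy(routes):  # routes: opaque id -> upstream URL, kept server-side
    class Proxy(Quiet):
        def do_GET(self):
            target = routes.get(self.path)  # client sends an id, never a URL
            if target is None:
                return self.send_error(404)
            with OPENER.open(target, timeout=5) as up:  # steps 2-3: getHTML
                self.reply(up.read())                   # step 4: forwardHTML
    return Proxy

def serve(handler):
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def demo():
    upstream = serve(Upstream)
    secret = f"http://127.0.0.1:{upstream.server_port}/campaign/42"
    proxy = serve(make_proxy({"/ad/current": secret}))
    known = f"http://127.0.0.1:{proxy.server_port}"
    with OPENER.open(known + "/ad/current", timeout=5) as r:  # step 1
        html, headers = r.read().decode(), str(r.headers)
    try:
        status = OPENER.open(known + "/ad/other", timeout=5).status
    except urllib.error.HTTPError as e:
        status = e.code  # ids not in the route table are refused
    return html, secret in html + headers, status

if __name__ == "__main__":
    print(demo())
```

Because the client supplies only an id that is looked up in a fixed table, the forwarding server cannot be pointed at arbitrary addresses; upstream HTML that embeds its own absolute links would still reveal the origin and needs rewriting before it is forwarded.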

#8 June 15 2013

Fischer
Member

Re: Is it possible to encode VB desktop app url

One thing that I find hard to understand is how the web-application controls the desktop application. Is the desktop application always running and listening on a port or scraping some data until a certain event?

Yes that's true, ping every 10s to check the connection.

OK guys, I don't know if I'm allowed to do this, I'm gonna tell you what the app is supposed to do.

It's kinda like AdSense, but not on webpages, instead, it's a desktop application that runs on your desktop and shows you the ads. So you see?

Yes rahmu, you're right, I've seen this method on Stack Overflow yesterday just before I asked my question, never tried it before. I'll tell the programmer who created the project about that method. I'm out, I don't want to waste a wonderful summer break on this project.

Last edited by Fischer (June 15 2013)

#9 June 15 2013

venam
Member

Re: Is it possible to encode VB desktop app url

--

Last edited by venam (July 31 2013)

#10 June 15 2013

rolf
Member

Re: Is it possible to encode VB desktop app url

How can the user "see" the URL?
What part of the URL do you want to hide? Do you want the user not to be able to find the IP of the server or connexion endpoint? Maybe you can look for proxies, public VPNs or look into Tor. This is gonna be difficult...
If you just don't want the user to understand the query part of the URL, then yeah you can encode it or use HTTPS or some other tunnel.
A "regular" user will not know how to capture network packets so this only applies to advanced users. For most users, just not showing the URL in the app is enough.

PS: yes, I would hate to be working on that project either :)

Last edited by rolf (June 15 2013)

#11 June 18 2013

Fischer
Member

Re: Is it possible to encode VB desktop app url

@rolf the system will need to be as secure as possible since it's an ad serving platform, money could be stolen. So you never know if your users are advanced users or not. Anyway, I am not going to be a part of this project, it sucks working on a project where your only job is to secure a platform, security is a very big subject, and you'll never stop working on it. Such projects never end and I'm a student, I am going to take summer courses, I'm avoiding being a part of projects like that one, I will not be able to focus on my studies.

#12 June 18 2013

rolf
Member

Re: Is it possible to encode VB desktop app url

Good luck :)
