couchdb-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christian Polzer <ch...@hai-fai.de>
Subject Re: Questions on CouchDB security for Android Devices (and iOS)
Date Fri, 15 Apr 2011 18:32:18 GMT
Well, thanks again, Dale!


Crossposting because on Stackoverflow it is a little bit more in the wide open for everyone...




Regards,
Chris



On 15.04.2011, at 20:24, Dale Harvey wrote:

> Hey, Cross Posting the stack overflow reply
> 
> The short answer is that on Android CouchDB has no security.
> 
> CouchDB provisions itself an admin user / password, you can ask the
> service to provision you a database to which you are given admin
> credentials, an admin and a reader is set on that database so
> anonymous access isnt allowed and require_valid_user isnt needed.
> 
> However all of the data is then stored on external storage which has
> no security whatsoever, the frontdoor is fairly well bolted but the
> window is wide open, if you have sensitive data then you cannot use
> couch, this is the same for most applications that need to handle any
> sizable amounts of data on android.
> 
> Its worth mentioning that couchdb runs on localhost so the data is
> only sensitive to someone who has access to your device, it doesnt let
> people pick it up from wifi or such.
> 
> Going forward a few things are likely to change, ios requires each
> application to have its own couchdb install and its likely that
> android will follow the same model, this means each application will
> be given gull server admin credentials and can protect their data as
> they wish, once that issue has been fixed I will be looking into ways
> to move the data off the sdcard or secure the data on the sdcard.
> 
> Cheers
> Dale
> 
> On 14 April 2011 14:44, Christian Polzer <chris@hai-fai.de> wrote:
>> 
>> Hi,
>> 
>> I just worked myself through a wiki article and blogposts regarding CouchDB's security
(http://wiki.apache.org/couchdb/Security_Features_Overview).
>> 
>> Now I am wondering how this is done in Android. The Android platforms security is
relying on sandboxing applications, so config files can not be stored every but the app directory
or maybe the sd card attached.
>> 
>> As I learned, server admins are configured in a .ini file and the require_valid_user
settings as well.
>> 
>> I know, that uppon installation, CouchDB is storing a generated server admin with
password to the CouchDB application directory. How about the other configuration files?
>> 
>> Is  "require_valid_user" for example set to true by default( is this not necessary?),
or how is this solved?
>> 
>> Regards,
>> Chris
>> 
>> 
>> 


Mime
View raw message