incubator-couchdb-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dale Harvey <d...@arandomurl.com>
Subject Re: Questions on CouchDB security for Android Devices (and iOS)
Date Fri, 15 Apr 2011 18:24:28 GMT
Hey, Cross Posting the stack overflow reply

The short answer is that on Android CouchDB has no security.

CouchDB provisions itself an admin user / password, you can ask the
service to provision you a database to which you are given admin
credentials, an admin and a reader is set on that database so
anonymous access isnt allowed and require_valid_user isnt needed.

However all of the data is then stored on external storage which has
no security whatsoever, the frontdoor is fairly well bolted but the
window is wide open, if you have sensitive data then you cannot use
couch, this is the same for most applications that need to handle any
sizable amounts of data on android.

Its worth mentioning that couchdb runs on localhost so the data is
only sensitive to someone who has access to your device, it doesnt let
people pick it up from wifi or such.

Going forward a few things are likely to change, ios requires each
application to have its own couchdb install and its likely that
android will follow the same model, this means each application will
be given gull server admin credentials and can protect their data as
they wish, once that issue has been fixed I will be looking into ways
to move the data off the sdcard or secure the data on the sdcard.

Cheers
Dale

On 14 April 2011 14:44, Christian Polzer <chris@hai-fai.de> wrote:
>
> Hi,
>
> I just worked myself through a wiki article and blogposts regarding CouchDB's security
(http://wiki.apache.org/couchdb/Security_Features_Overview).
>
> Now I am wondering how this is done in Android. The Android platforms security is relying
on sandboxing applications, so config files can not be stored every but the app directory
or maybe the sd card attached.
>
> As I learned, server admins are configured in a .ini file and the require_valid_user
settings as well.
>
> I know, that uppon installation, CouchDB is storing a generated server admin with password
to the CouchDB application directory. How about the other configuration files?
>
> Is  "require_valid_user" for example set to true by default( is this not necessary?),
or how is this solved?
>
> Regards,
> Chris
>
>
>

Mime
View raw message