security - How to restrict Chrome Apps to only work on specific computers? -

-

i'm developing pos client using chrome (packaged) apps. run locally on installed computers , interact server via web service. app should run on specific computers @ stores.

i know can go each store , install .crx file in case don't have publish app chrome web store. however, want published chrome web store can take advantage of auto-updating feature.

what should make sure app can run @ stores' computers? (i can go the stores , setup needed @ first installation).

options have thought of:

  1. create secret key , enter app @ first time of running.
  2. build small tool (winforms application) generate time-based tokens , install on computers. staff need enter token each time opening app.

any better idea how accomplish this?

you said app needs talk web service work. that's key simple approach. (assume don't care whether staff acquires nonfunctional copy of client app.)

  • at startup, app checks existence of validation of kind stored in chrome.storage.local. if exists, startup continues.
  • if validation missing, app checks existence of guid stored in chrome.storage.local.
  • if guid missing, generate , store 1 using window.crypto.getrandomvalues().
  • ask server validation sending guid , getting response.
  • if validation comes back, save in chrome.storage.local , go start of sequence.
  • otherwise tell user lost.

a full-strength version of approach have additional features:

  • use hmac(guid, secret) validation. i'm assuming staff aren't tech superstars, simple boolean suffice.
  • optionally add per-launch step sends guid , validation , confirms it's still valid each time.
  • when validation requested, might prompt secret key mentioned in question. in normal cases needed @ provisioning time.
  • in case haven't figured out yet, server acting simple licensing server, it's decide how decide whether validation request succeeds. maybe allows n validations exist @ once, or after you're done provisioning hardcode future validations fail. maybe limits validation requests ip addresses. choose.

that's gist. it's simple drm system easier manage enter-secret-at-installation method, won't withstand attack of more 30 minutes (since smart attacker inject machine's guid , hmac validation duplicate machine's chrome.storage.local).


Comments

Post a Comment

Popular posts from this blog

PHPMotion implementation - URL based videos (Hosted on separate location) -

-
i have implement video collection website users of specific isp. site hosted on public web-server movies hosted on local isp server. user of isp + general visitors can see available movies; isp's users able play them. player on site point url of local machine ( http://192.x.x.x/movies/mymovie.mov ) private class (192.x.x.x) accessible isp user. question: possible phpmotion script? or need custom work. if possible, can please suggest available mods? phpmotion require modifications able handle this. uploading, conversion, thumbnail generation, , playback pretty static in phpmotion. really though, rather modding entire upload , conversion process, if created quick custom form add entries phpmotion database (maybe include thumbnail upload), tweaked playback paths, should go on phpmotion side of things. assume had videos in format player handle (such flv or mp4).
Read more

javascript - Using Windows Media Player as video fallback for video tag -

-
getting video play cross platform using example video.js bit of fuss. in days when video should embedded use embed windows media player, work out of box on windows. since it's today old ie on windows doesn't support video tag experimented using windows media player fallback, , work well. what wonder here is, why haven't else solution? have missed something? code small, there's no flash files, cross domain issues or need of server working. works. so before develop further , add custom control , subtitles support wonder say. the code looks this: <video id="myvideo" style="width:640px; height: 360px;" autoplay data-wimpsource="http://esd.volvocars.com/dc/cdn/video/birds-on-a-wire.mp4"> <source src="http://esd.volvocars.com/dc/cdn/video/birds-on-a-wire.mp4" type="video/mp4" /> <source src="http://esd.volvocars.com/dc/cdn/video/birds-on-a-wire.webm" type="video/webm" />
Read more

c# - Unity IoC Lifetime per HttpRequest for UserStore -

-
i'm trying clean default implementation of accountcontroller.cs comes out of box in new mvc5/owin security implementation. have modified constructor this: private usermanager<applicationuser> usermanager; public accountcontroller(usermanager<applicationuser> usermanager) { this.usermanager = usermanager; } also, have created lifetime manager unity looks this: public class httpcontextlifetimemanager<t> : lifetimemanager, idisposable { private httpcontextbase _context = null; public httpcontextlifetimemanager() { _context = new httpcontextwrapper(httpcontext.current); } public httpcontextlifetimemanager(httpcontextbase context) { if (context == null) throw new argumentnullexception("context"); _context = context; } public void dispose() { this.removevalue(); } public override object get
Read more