Questions on CouchDB security for Android Devices (and iOS)

[Christian Polzer <ch...@hai-fai.de>]

Hi,

I just worked myself through a wiki article and blogposts regarding CouchDB's security (http://wiki.apache.org/couchdb/Security_Features_Overview).

Now I am wondering how this is done in Android. The Android platforms security is relying on sandboxing applications, so config files can not be stored every but the app directory or maybe the sd card attached.

As I learned, server admins are configured in a .ini file and the require_valid_user settings as well.

I know, that uppon installation, CouchDB is storing a generated server admin with password to the CouchDB application directory. How about the other configuration files? 

Is  "require_valid_user" for example set to true by default( is this not necessary?), or how is this solved? 

Regards,
Chris

Re: Questions on CouchDB security for Android Devices (and iOS)

[Christian Polzer <ch...@hai-fai.de>]

Well, thanks again, Dale!


Crossposting because on Stackoverflow it is a little bit more in the wide open for everyone...




Regards,
Chris



On 15.04.2011, at 20:24, Dale Harvey wrote:

> Hey, Cross Posting the stack overflow reply
> 
> The short answer is that on Android CouchDB has no security.
> 
> CouchDB provisions itself an admin user / password, you can ask the
> service to provision you a database to which you are given admin
> credentials, an admin and a reader is set on that database so
> anonymous access isnt allowed and require_valid_user isnt needed.
> 
> However all of the data is then stored on external storage which has
> no security whatsoever, the frontdoor is fairly well bolted but the
> window is wide open, if you have sensitive data then you cannot use
> couch, this is the same for most applications that need to handle any
> sizable amounts of data on android.
> 
> Its worth mentioning that couchdb runs on localhost so the data is
> only sensitive to someone who has access to your device, it doesnt let
> people pick it up from wifi or such.
> 
> Going forward a few things are likely to change, ios requires each
> application to have its own couchdb install and its likely that
> android will follow the same model, this means each application will
> be given gull server admin credentials and can protect their data as
> they wish, once that issue has been fixed I will be looking into ways
> to move the data off the sdcard or secure the data on the sdcard.
> 
> Cheers
> Dale
> 
> On 14 April 2011 14:44, Christian Polzer <ch...@hai-fai.de> wrote:
>> 
>> Hi,
>> 
>> I just worked myself through a wiki article and blogposts regarding CouchDB's security (http://wiki.apache.org/couchdb/Security_Features_Overview).
>> 
>> Now I am wondering how this is done in Android. The Android platforms security is relying on sandboxing applications, so config files can not be stored every but the app directory or maybe the sd card attached.
>> 
>> As I learned, server admins are configured in a .ini file and the require_valid_user settings as well.
>> 
>> I know, that uppon installation, CouchDB is storing a generated server admin with password to the CouchDB application directory. How about the other configuration files?
>> 
>> Is  "require_valid_user" for example set to true by default( is this not necessary?), or how is this solved?
>> 
>> Regards,
>> Chris
>> 
>> 
>> 

Re: Questions on CouchDB security for Android Devices (and iOS)

[Dale Harvey <da...@arandomurl.com>]

Hey, Cross Posting the stack overflow reply

The short answer is that on Android CouchDB has no security.

CouchDB provisions itself an admin user / password, you can ask the
service to provision you a database to which you are given admin
credentials, an admin and a reader is set on that database so
anonymous access isnt allowed and require_valid_user isnt needed.

However all of the data is then stored on external storage which has
no security whatsoever, the frontdoor is fairly well bolted but the
window is wide open, if you have sensitive data then you cannot use
couch, this is the same for most applications that need to handle any
sizable amounts of data on android.

Its worth mentioning that couchdb runs on localhost so the data is
only sensitive to someone who has access to your device, it doesnt let
people pick it up from wifi or such.

Going forward a few things are likely to change, ios requires each
application to have its own couchdb install and its likely that
android will follow the same model, this means each application will
be given gull server admin credentials and can protect their data as
they wish, once that issue has been fixed I will be looking into ways
to move the data off the sdcard or secure the data on the sdcard.

Cheers
Dale

On 14 April 2011 14:44, Christian Polzer <ch...@hai-fai.de> wrote:
>
> Hi,
>
> I just worked myself through a wiki article and blogposts regarding CouchDB's security (http://wiki.apache.org/couchdb/Security_Features_Overview).
>
> Now I am wondering how this is done in Android. The Android platforms security is relying on sandboxing applications, so config files can not be stored every but the app directory or maybe the sd card attached.
>
> As I learned, server admins are configured in a .ini file and the require_valid_user settings as well.
>
> I know, that uppon installation, CouchDB is storing a generated server admin with password to the CouchDB application directory. How about the other configuration files?
>
> Is  "require_valid_user" for example set to true by default( is this not necessary?), or how is this solved?
>
> Regards,
> Chris
>
>
>