Security concepts for Jr devs.
One option for keeping your app’s data secure and consistent would be to monitor each and every user. Agents could possibly follow the user outdoors and indoors. And if they misuse the app immediate action can be taken. And while this would work fine developers had to find another option because a privacy and safety issues arise when the user entered the bath.
We were tasked with building our first app and security was the last thing on our mind. Or was it?
One of our early functions was to create a user account but it also needed to prevent duplicate users. To solve this problem we did a check to see if the user was already present in the database. If this evaluated to be true, great, we gave them the ID number assigned the very first time they logged in. In the code below our “if block” fetches the record if found and our “else block” makes a new account if there wasn't a match for that name.
At this point, the saying “devs have super powers” comes to mind. When the user entered their name they were sucked into the matrix, our code. In this matrix the only characteristics they possess are the ones we gave to them. We can even go so far as to assign attributes to the user and keep them hidden. In fact, just by preventing a duplicate record in our database we had actually secured our code. Now we don’t have to worry about agents following our users around.
Below are images from the Blockfolio app. Their token variable does the same job as our name variable. And each is unique in its own app.
Blockfolio doesn’t use usernames. A user should store their token in a safe place in case they need to reinstall the app. Supplying the token to the company means that they can retrieve every coin belonging to the user’s portfolio. Why not use a name for this?
If Blockfolio used names to retrieve portfolio data it would mean that anyone can view your coin holdings if they knew your name. This is a problem without limits so they randomised the access key.
The image above shows the Math.random method in use.
Let’s look at security being used in Ethereum, an app valued over 20 billion USD.
When the user calls the transfer function the network does a check to see if they actually have the funds they are trying to send. Applying these checks means that Alice doesn't transfer funds from Bob’s account and vice versa.
