4 Replies Latest reply on Apr 8, 2014 8:48 AM by janslort

    Securing the Administrator password in distributed applications.

    janslort

      I have been distributing FMP 12+ applications to clients to use for mailing lists and a Go POS application to run on Tablets. The clients subscribe to my Update and customization service for a small monthly fee. I "Brand" all output forms and reports with their name and address. This "Branding" is controlled by me through the Administrative password privilege. Presumably this would protect my product from being copied and given to other businesses who are not authorized by me (and who don't pay).

       

      I recently learned that there are commercially available password "recovery" programs that for <$40.00 will reveal the Administrator Password to the user of my program, allowing them to change it at will. I can't use the "Runtime" developer tool to create my solution because it is for a single user only so my clients won't have the usability they require. "Server" is too costly for my small clients. If I Host the files on "Server" for my clients, can they also access their files on the iPad? Are there other alternatives?

       

      Jan

        • 1. Re: Securing the Administrator password in distributed applications.
          taylorsharpe

          Not only are there such programs, but it is a service that even FileMaker used to offer.  So far none of them work on .fmp12 versions.  So if you are developing on .fp7 file format, you are vulnerable.  I see that the www.password-service.com site claims they can now recover fmp12 passwords.  Any database that is recovered can be corrupted in the process, so work from a copy if you need to do this. 

           

          Basically, you are protected if you use FMS and have control of access to the actual file at the OS file structure level (e.g., Windows Explorer or Apple Finder).  They cannot hack these files without access to the OS level file.  So physical control of your files and backups is important to keep this from happening. 

           

          Your situation is that you are distributing runtime solutions and by including the Admin password privilege, you are going to be vulnerable to such hacks. 

           

          FileMaker is moving away from runtime solution support.  I don't even remember a single session on runtimes at the last couple of Devcons.  The current direction of database solutions is cloud solutions over the internet. You may need to rethink your marketing approach and maybe consider a hosted solution that they use the iPads/iPhones to connect to over the internet. 

           

          There probably are other ways to lock things down more with hardware keys or tying the solution to a persistent ID.  You may just want to take the risk that a few solutions may be hacked or look more into hosted solutions. 

          • 2. Re: Securing the Administrator password in distributed applications.
            wimdecorte

            You can distribute the files without making them a runtime and take away the admin access to the files from the Developer Tools.

            • 3. Re: Securing the Administrator password in distributed applications.
              Mike_Mitchell

              Another option you can look at (besides purchasing a Server license) would be a hosting service. There are several available (www.pointinspace.com, www.triple8.net are a couple).

               

              But Wim is right: The only truly "safe" way to distribute a file where the user has access to it is to remove the admin account.

               

              Mike

              • 4. Re: Securing the Administrator password in distributed applications.
                janslort

                Thanks Wim & Mike:

                 

                My plan to make small changes or layout adjustments by having access to the client's copy (via Join.Me) must change to making the changes on my copy for them and sending them a new file, without the admin PW.  Taylor Sharpe joins both of you in that the only really secure way is using a server, thereby hosting the files myself, or using a hosting service. 

                 

                Thanks all for the help.

                 

                Jan