Is it possible to hide AppleScript "do shell script" commands from bash/bash history?
I was recommended to come here, by some knowledgeable folks on a Filemaker Pro forum.
So, I'm using some older versions in an active FileMaker solution (FMPA 13, 14, 15), and need to enhance some security features.
This is within a database solution that's 'in the wild', on customers' Macs around the world. We don't really want them being able to view certain encrypted data nuggets (which may need to be sent back & forth via email). And for certain other reasons, we can't force an upgrade to a different database version (with built-in encryption).
So, to accomplish this, I use AppleScript to pass data from a field into an openssl shell for encryption, then put the results into an encrypted data field.
Calculated AppleScript here:
"property targetCell: \"cp_thisismyencrypteddatafield\" ¶
set theResult to do shell script \"echo " & cp_thisismydatasourcefield & " | openssl aes-256-cbc -k thisisMYP5SSW0rd! -base64\" ¶
copy theResult to cell targetCell of current record"
So, this works perfectly well, in that I'm able to pass both data and a password into openssl for encryption, and pass back.
My concern is this: is this action visible to prying eyes? I've been given multiple conflicting answers from multiple 'experts', but would really appreciate someone who actually **IS** an expert to confirm or deny the security of this.
I thought perhaps I could see the command through .bash_history, but it doesn't show up. Nor does it in any console logs that I can find, nor in 'history' (as either a user or as root). Some folks have said that a 'do shell script' (being non-interactive) is shielded from bash history...
But all of this is moot without something definitive - I am concerned that a well-informed hacker can perform some level of 'ps aux' at some point and actually see (or log) that shell script going by... is that so?
1. IF it can be logged or viewed, how? Can I replicate that action (to prove/disprove it)?
2. IF it can be viewed, is there another (better) way to do this, without any plug-ins (yeah, I'm biased against 3rd party plug-ins), which would hide it from sight/log?
3. IF it IS hidden, (but I created a variable - theResult), is theResult visible anywhere (or could someone simply dump that variable into plaintext somehow)? Or does that variable self-flush when I end the script?
Thanks for any definitive clarity on this!
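Added example (not code from the thread or from FileMaker) covering question 1 and a form that answers it: any local user can read a running process's argument list with `ps`, and `do shell script` hands its whole command text to `/bin/sh -c`, so a password or field value spliced into that text is exposed while the command runs. The first function demonstrates that, the second shows `-pass env:` with the plaintext on stdin, and the round-trip functions use that hardened form; the password and plaintext values are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread). Password/plaintext values are constructed.
# 1) argv of any running process is readable by other local users (ps), so a
#    password or field value spliced into the `do shell script` text is exposed.
# 2) -pass env: for the password and stdin for the data keep both out of argv.

# Argument list of a live process: /proc on Linux, ps on macOS.
argv_of() {
  if [ -r "/proc/$1/cmdline" ]; then tr '\0' ' ' < "/proc/$1/cmdline"
  else ps -p "$1" -o args=; fi
}

# The thread's pattern. `do shell script` hands the whole text to /bin/sh -c,
# so the password and the echoed plaintext sit in argv for the shell's lifetime.
# `sleep 2` only keeps it alive long enough to inspect. Returns 0 = visible.
password_visible_with_k() {   # $1 password, $2 plaintext
  /bin/sh -c "sleep 2; echo $2 | openssl aes-256-cbc -k $1 -base64" >/dev/null 2>&1 &
  pid=$!; sleep 1; seen=$(argv_of "$pid"); wait "$pid" 2>/dev/null || true
  case "$seen" in *"$1"*) return 0 ;; *) return 1 ;; esac
}

# Hardened form: password through the environment (-pass env:), plaintext
# through stdin, so neither is in argv. The environment is still readable by
# the same user and by root, so this narrows the exposure rather than removing it.
password_visible_with_env() { # $1 password, $2 plaintext
  printf '%s' "$2" | OPENSSL_PASS="$1" /bin/sh -c \
    "sleep 2; openssl enc -aes-256-cbc -pbkdf2 -base64 -pass env:OPENSSL_PASS" >/dev/null 2>&1 &
  pid=$!; sleep 1; seen=$(argv_of "$pid"); wait "$pid" 2>/dev/null || true
  case "$seen" in *"$1"*) return 0 ;; *) return 1 ;; esac
}

# Round trip with the hardened form. -A keeps the base64 on one line (what a
# FileMaker field wants); drop -pbkdf2 on an old LibreSSL build that rejects it.
encrypt_hardened() {  # $1 password, $2 plaintext -> base64 on stdout
  printf '%s' "$2" | OPENSSL_PASS="$1" openssl enc -aes-256-cbc -pbkdf2 -base64 -A -pass env:OPENSSL_PASS
}
decrypt_hardened() {  # $1 password, $2 base64 -> plaintext on stdout
  printf '%s' "$2" | OPENSSL_PASS="$1" openssl enc -d -aes-256-cbc -pbkdf2 -base64 -A -pass env:OPENSSL_PASS
}

if [ "${1:-}" = "demo" ]; then
  pw='thisisMYP5SSW0rd!'; data='sample-nugget'    # constructed sample values
  password_visible_with_k "$pw" "$data" && echo "-k: password visible to ps"
  password_visible_with_env "$pw" "$data" || echo "-pass env: not visible to ps"
  ct=$(encrypt_hardened "$pw" "$data"); echo "ciphertext: $ct"
  echo "decrypted: $(decrypt_hardened "$pw" "$ct")"
fi
```

Run it as `sh example.sh demo`. Inside a FileMaker-built `do shell script` the same idea means letting the shell fetch the password itself (for instance from the keychain Shane mentions, with `security find-generic-password -s <service> -w`) rather than splicing it into the command string.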
On Dec 28, 2017, at 09:48 , davew@... wrote:
Dave, you will not be able to see the command in your Terminal.
do shell script does not use Terminal to send it commands, so it is sheltered from Terminal’s command history.
However, thisisMYP5SSW0rd! is legible in the script, meaning if you “open” the script on a text editor, it will be there for everyone to see.
There was a big discussion here and Shane managed to break all the passwords.
Maybe something has changed, but I don’t think so.
I am thinking of a way to save passwords securely on an AS, but haven’t worked on that yet!
Deivy Petrescu
applescript@...
There is a way around that issue: stop the script from storing its properties and top-level variable values. That means doing something like changing its privileges, code-signing it, or even using a top-level ASObjC variable. Of course that assumes the script doesn't otherwise rely on property persistence.
> However, thisisMYP5SSW0rd! is legible in the script, meaning if you “open” the script on a text editor, it will be there for everyone to see.
> There was a big discussion here and Shane managed to break all the passwords.
> Maybe something has changed, but I don’t think so.
Store it in a keychain?
> I am thinking of a way to save passwords securely on an AS, but haven’t worked on that yet!
--
Shane Stanley <sstanley@...>
<www.macosxautomation.com/applescript/apps/>, <latenightsw.com>
I recommended that davew@... post on this list.
Here is my earlier reply to his question...
https://community.filemaker.com/message/725167?commentID=725167&et=notification.mention#comment-724808
Hope that helps.
Tony White
http://www.twdesigns.com
http://FileMaker-Fanatics.com
On 12/28/17 9:48 AM, "davew@..." <davew@...> wrote:
> On 30 Dec 2017, at 9:46 am, Deivy Petrescu <applescript@...> wrote:
My primary interest in using AS is in conjunction with a FileMaker app, where FileMaker creates and stores the AS within a calculated FM script (which is then hidden from the user, and passes the ‘do shell script’ upon command).
> There is a way around that issue: stop the script from storing its properties and top-level variable values. That means doing something like changing its privileges, code-signing it, or even using a top-level ASObjC variable. Of course that assumes the script doesn't otherwise rely on property persistence.
> However, thisisMYP5SSW0rd! is legible in the script, meaning if you “open” the script on a text editor, it will be there for everyone to see.
> There was a big discussion here and Shane managed to break all the passwords.
> Maybe something has changed, but I don’t think so.
In addition, I pass both the data and the key as variables (from FM fields), rather than keeping them in a static AS.
Is that any better, or just as vulnerable?
tx
> Store it in a keychain?
> I am thinking of a way to save passwords securely on an AS, but haven’t worked on that yet!
> --
> Shane Stanley <sstanley@...>
> <www.macosxautomation.com/applescript/apps/>, <latenightsw.com>
It sounds like it removes the vulnerability of stored variable values.
> My primary interest in using AS is in conjunction with a FileMaker app, where FileMaker creates and stores the AS within a calculated FM script (which is then hidden from the user, and passes the ‘do shell script’ upon command).
> In addition, I pass both the data and the key as variables (from FM fields), rather than keeping them in a static AS.
> Is that any better, or just as vulnerable?
--
Shane Stanley <sstanley@...>
<www.macosxautomation.com/applescript/apps/>, <latenightsw.com>