Faculty of Electrical Measurements and Sensor Technology
Department of Electrical Engineering and Information Technology
Prof. Dr. Olfa Kanoun
Research Project
Smart Lab based on IoT
MUHAMMAD RAMEEL QURESHI HASHMI
Chemnitz, 12th April 2017
Supervisor: Rim Barioul, Dhouha El-Houssaini & Sabrine Kheriji
Abstract
The IoT Lab smartphone application enables participants to join our community and to suggest, initiate and participate in research projects. It lets participants accept privacy-friendly interactions with researchers, including crowdsensing on a voluntary basis, with very strong personal data protection. This puts end users at the core of the research cycle so that research is better aligned with real end users' needs and requirements. It is free, user-friendly and open to everybody [1].
The project task is to provide a state-of-the-art solution for the security and privacy of the Android application, covering database security, network security and security at the application level, and to create a user account and profile management system for this Android application that allows users to register and log in with a role-based authorization policy.

The report is structured as follows. First, an introduction explains the tasks and the provided data set. The first chapter describes the state-of-the-art implementation of the privacy and security framework. The second chapter illustrates in detail the step-by-step implementation of the identity management scheme. Finally, a conclusion based on the results is given, along with proposals for future work that can be added to this project.

Contents
Introduction
Chapter 1 Security and privacy framework
1.1. Database security
1.2. Network Security
Chapter 2 Identity management scheme
2.1. Analysis
2.2. Application Architecture
Conclusion
Annex
Bibliography
Introduction
The main goal of this project is to develop an Android application that lets users register and log in to the smart lab IoT mobile application with a state-of-the-art security and privacy framework. The system consists of the following elements:

Android client application
Administration panel
Database for the users
Main server
The user first registers in the mobile application by providing a name and email address. An email containing a verification link is then sent to the registered email address. Once the user clicks the verification link, the user's data becomes available to the admin, who sends an automatically generated password to the user's registered email address. The user then uses this password to log in to the smart lab IoT application. After logging in, the user can change the password, and the new password replaces the old one in the database, which is stored on a server.
Security and privacy framework
Security is one of the most important and challenging tasks for any organization that needs to protect data and ensure its users' privacy. A lot of sensitive data is stored in databases, including users' passwords, email addresses and other sensitive personal information.

This section therefore models the security and privacy framework for each important area, including database security and network security. It addresses the threats and their methods of prevention, which ultimately helps to protect the data of researchers and testbed owners against unwanted hacking attempts.

Database security
A database can be defined as a collection of data in the form of tables and queries, stored on a hard drive or on a server at a remote location.

Database security is one of the most important areas and has to be handled with care. The database is the backbone of every application because it contains a lot of sensitive and confidential user data, which needs to be protected against hacking attacks.

There are numerous techniques for threatening a database and breaching users' privacy. Before presenting methods to secure a database, it is useful to describe the kinds of attacks on databases.

The most popular threats are:
SQL Injections
SQL injection has been at the top of the list of hazards in recent years. SQLi allows the injection of unauthorized commands at the application level, which lets a hacker bypass authorization and authentication mechanisms and gain access to the database, where user records can be manipulated, deleted or stolen. It can be done only where the user needs to enter values such as a username and password.

For example, in Table 1 below the user has to enter the username and password assigned to them.
Username    iamuser
Password    userpass
Table 1: User's valid credentials
The resulting SQL query for the above process is:
SELECT * FROM users WHERE username = "iamuser" AND password = "userpass"
Instead of entering an actual username and password, a hacker can enter the following data, as shown in Table 2.

Username    " or ""="
Password    " or ""="
Table 2: SQL malicious statement
The resulting query at the server side will look like:
SELECT * FROM users WHERE username = "" or ""="" AND password = "" or ""=""
The above SQL statement is valid, and because OR ""="" is always true, it returns all the rows in the table named "users" in the database.
There are also other malicious SQL commands that allow attackers to access data without any hurdle.

Prevention techniques to avoid SQL injection are described below:
Prepared Statements:
A prepared statement makes code efficient and fast: the developer does not need to write the same statement multiple times, because a single statement can be used multiple times in the code with the same or different parameters. Prepared statements are typically used with database management systems (DBMS) for writing SQL statements. They also follow object-oriented paradigms.

There are two types of prepared statements supported by PHP:
Prepared Statement in PDO (PHP Data Objects):
PDO, short for PHP Data Objects, is a relational database driver used to connect to MySQL databases. It greatly helps to avoid SQL injection by creating objects of SQL queries and using them behind the client end, so that if a hacker tries to insert a malicious query from the client side, it does not allow the hacker to hijack the database.

PDO in PHP can be explained with the example below.
First create constants for the database connection.

private $host = 'localhost';
private $user = 'root';
private $db = 'iotlab';
private $pass = ' ';
private $conn;
Now create a PDO object to connect to the MySQL database.

$this->conn = new PDO("mysql:host=" . $this->host . ";dbname=" . $this->db, $this->user, $this->pass);
After making the connection to the database, prepare a statement, for instance for inserting data into the database.

$query = $this->conn->prepare('INSERT INTO androidusers SET name = :name, email = :email, status = :status, code = :code');
Execute the query, passing the parameters, to insert the name, email, status and code into the table androidusers.

$query->execute(array(':name' => $name, ':email' => $email, ':status' => $status, ':code' => $code));
Prepared Statement in Mysqli:
Mysqli is another database driver that is also used to connect to MySQL databases. It was introduced in PHP version 5.0 and is compatible with versions above 5.0.

It works the same way as PHP Data Objects, differing only in syntax, and also helps to eliminate the risk of SQL injection.

The following example shows mysqli used with a prepared statement.

Create constants for the database connection.

$host = 'localhost';
$user = 'root';
$db = 'iotlab';
$pass = ' ';
Create the connection to the database.

$conn = new mysqli($host, $user, $pass, $db);
Now prepare the statement and bind the parameters.

$query = $conn->prepare("INSERT INTO androidusers (name, email, status, code) VALUES (?, ?, ?, ?)");
$query->bind_param("ssii", $name, $email, $status, $code);
In the above statement, "ssii" means that name and email are of string data type, while status and code are integers.

Finally, set the parameters and then execute the statement.

$name = "xyz";
$email = "[email protected]";
$status = "1";
$code = "6565726572";
$query->execute();
By telling the MySQL database the type of each value, we can get rid of the risk of SQL injection.

There is no major difference between PDO and mysqli: both support prepared statements and offer an object-oriented interface. The only difference is that PDO also supports 12 other relational database drivers, so the developer does not have to change code, while mysqli supports only MySQL databases. Both are great tools for preventing SQL injection.

Encrypt sensitive data:
Do not save data in plain text. Always encrypt all sensitive data, including passwords, using hash algorithms. There are multiple hash algorithms, depending on the level of protection required; the most popular are SHA, BCRYPT and MD5.

These hashing algorithms can be combined with various other techniques, such as salting, which makes the encrypted data more secure.

Immediately remove unnecessary data, as well as old admin accounts that are no longer in use.
Test SQL injections:
Before installing the application on a live server, test all available SQL injection methods to verify the security measures that have been taken to avoid attacks.
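The injection from Table 2 next to the prepared-statement fix, as an added example (not code from the project) that can also serve as a pre-deployment injection test. It assumes the pdo_sqlite extension so that it runs without a MySQL server, uses a constructed users table and hypothetical function names, and writes SQL string literals with single quotes, so the Table 2 input appears as ' or ''='.

```php
<?php
// Added example, not project code. Constructed data in an in-memory SQLite
// database (assumes pdo_sqlite) so the comparison runs without a server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the mysql driver, also disable emulated prepares so that values are
// bound by the server instead of being interpolated on the client:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Plain-text passwords only mirror the query in Table 1; store hashes in practice.
$pdo->exec('CREATE TABLE users (username TEXT, password TEXT)');
$pdo->exec("INSERT INTO users VALUES ('iamuser', 'userpass')");
$pdo->exec("INSERT INTO users VALUES ('admin', 'adminpass')");

// Vulnerable (hypothetical helper): input is pasted into the SQL text, so
// quote characters in the input change the structure of the query.
function loginConcatenated(PDO $pdo, string $user, string $pass): array
{
    $sql = "SELECT username FROM users WHERE username = '$user' AND password = '$pass'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened (hypothetical helper): the SQL text is fixed; input travels
// separately as bound parameters and is only ever compared as data.
function loginPrepared(PDO $pdo, string $user, string $pass): array
{
    $stmt = $pdo->prepare('SELECT username FROM users WHERE username = :u AND password = :p');
    $stmt->execute([':u' => $user, ':p' => $pass]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed test inputs: the valid pair from Table 1 and the Table 2 payload.
$cases = [
    'valid credentials' => ['iamuser', 'userpass'],
    'Table 2 payload'   => ["' or ''='", "' or ''='"],
];

foreach ($cases as $label => [$u, $p]) {
    printf(
        "%-18s concatenated: %d row(s), prepared: %d row(s)\n",
        $label,
        count(loginConcatenated($pdo, $u, $p)),
        count(loginPrepared($pdo, $u, $p))
    );
}
```

The property to check before deployment is that the prepared version returns no rows for the payload case while the valid credentials still match exactly one user.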

Brute force attacks
A brute force attack is a trial-and-error method of obtaining user passwords saved in a database. It is carried out with automated software that generates a large number of consecutive guesses for the value of the required data.

It is mainly used to crack user passwords that are already encrypted and stored.

Another example of a brute force attack is the dictionary attack, in which all the combinations of words available in a dictionary are used to crack the passwords. This attack is very time consuming, as it depends fully on the computing power of the machine, the length and complexity of the password and the number of combinations tried.

The prevention techniques against brute force attacks are as follows:
Force users to create strong passwords that contain numbers and letters and are more than 12 characters long, because such passwords would take hackers years to crack.

This can be enforced by the developer with a validation method at the backend.

Enable two-factor authentication, because the hacker cannot gain access to your mobile.

Limit the number of login attempts. For example, the user is only allowed to enter a wrong password three times; if the user enters an invalid password more than three times, the account should be locked by the admin and the user is advised to contact the admin. A small delay can also be implemented between unsuccessful logins; this will completely avoid the brute force attack.

If many breaches are reported from a single IP address, that IP address should be blocked in order to secure the database.

CAPTCHA is a well-known method to avoid these kinds of attacks.
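The attempt limit and delay described above, as an added example that is not the project's code. The class and function names, the two-second delay, the in-memory state and the sample password and timestamps are assumptions made for illustration.

```php
<?php
// Added example, not project code (PHP 7.4+). State is kept in an array so
// the logic runs on its own; a real backend would persist it in MySQL.
final class LoginThrottle
{
    private const MAX_FAILURES = 3;   // three wrong passwords are tolerated
    private const DELAY_SECONDS = 2;  // assumed "small delay" after a failure

    private array $state = [];        // email => [failures, next, locked]

    // Returns 'ok', 'wait' or 'locked' for an attempt on $email at time $now.
    public function check(string $email, int $now): string
    {
        $s = $this->state[$email] ?? null;
        if ($s === null) {
            return 'ok';
        }
        if ($s['locked']) {
            return 'locked';
        }
        return $now < $s['next'] ? 'wait' : 'ok';
    }

    public function recordFailure(string $email, int $now): void
    {
        $s = $this->state[$email] ?? ['failures' => 0, 'next' => 0, 'locked' => false];
        $s['failures']++;
        $s['next'] = $now + self::DELAY_SECONDS;
        // More than three invalid passwords: lock until the admin intervenes.
        $s['locked'] = $s['failures'] > self::MAX_FAILURES;
        $this->state[$email] = $s;
    }

    public function recordSuccess(string $email): void
    {
        unset($this->state[$email]);
    }

    public function unlockByAdmin(string $email): void
    {
        unset($this->state[$email]);
    }
}

// The throttle is consulted before the password is verified, so a locked or
// delayed account never reaches the hash comparison.
function attemptLogin(LoginThrottle $t, string $email, string $password, string $storedHash, int $now): string
{
    $gate = $t->check($email, $now);
    if ($gate !== 'ok') {
        return $gate;
    }
    if (password_verify($password, $storedHash)) {
        $t->recordSuccess($email);
        return 'authenticated';
    }
    $t->recordFailure($email, $now);
    return 'rejected';
}

// Constructed demo: one account, a run of wrong guesses, then the right password.
$throttle = new LoginThrottle();
$email = 'user@example.org';
$stored = password_hash('Right-Passw0rd', PASSWORD_BCRYPT);
$attempts = [[0, 'guess1'], [1, 'guess2'], [2, 'guess3'], [4, 'guess4'], [6, 'guess5'], [8, 'Right-Passw0rd']];

foreach ($attempts as [$time, $guess]) {
    printf("t=%ds %-15s -> %s\n", $time, $guess, attemptLogin($throttle, $email, $guess, $stored, $time));
}
```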

Privilege Access Control
It has been found that most breaches are carried out by internal or former employees. According to the survey, about 80% of attacks are executed by internal or external employees [2]. For example, an HR manager only has access to change employee designations or other data related to the human resources department, but the HR manager also tries to change an employee's salary, which is the privilege of the finance department. To avoid this kind of threat, the granting of privileges should be strictly limited according to role.

Granting excessive privileges to employees leads to a big threat to the database. In the smart lab IoT project, therefore, researchers and testbed owners both have limited privileges because of the highly sensitive data, in order to reduce the risk of data theft and misuse.

Audit Trail
An audit trail is the method of keeping records of all SQL transactions in a log as part of the security measures [3].

Audit all sensitive data and check who did what, from where and when; each and every step should be under strict observation. Develop a mechanism that detects or tracks any kind of suspicious threat to the databases and generates real-time alerts to the administrators.

A network-based auditing mechanism is more efficient, as it does not affect the performance of the database and helps to keep a record of all data. Audit trail mechanisms should be aware of the authentication of the end user.

Network Security
Network security is generally defined as protecting data during transmission. Network administrators have to implement policies and procedures to prevent unauthorized access, data modification or denial of network resources. After database security, network security is one of the most important parts of our smart lab IoT project, because the volume of data transmitted between researchers, testbed owners and other users is relatively high and needs privacy and data protection. Android devices are easier to attack than PCs, because there are a lot of unauthorized and malicious applications available on the Play Store and users do not know their authenticity before they download and run them.

The main objectives of network security are based on the term Triple A (AAA).

Authentication
Make sure that the entity is believed to be the one it claims to be, using credentials in the form of passwords, biometrics or digital signatures as digital proof.

Authorization
Make sure that (by means of some determining function) the entity is allowed to use certain services (access/modify data etc.).
Accountability
Usage tracking of services (network and application resources) over time or volume for billing and management purposes (usage statistics, forecasts and service resource planning).
Threats to the network security can be generalized into the following categories:
Passive Attacks:
In this type of attack, the hacker waits to capture sensitive information using sniffer tools. Once sensitive or authentication information has been captured, it can be used for further attacks without the user's knowledge. Passive attacks are hard or nearly impossible to detect but are easily preventable.

Passive attacks are further divided into two categories.

Release of message contents
In this method, the goal of the intruder is to read the contents of a message transmitted from sender to receiver; this message can contain sensitive information.

This type of attack cannot be detected, because the transmission of messages between sender and receiver proceeds in the normal fashion and they can never know that a third party has read their messages. Rather than working hard on detection patterns, it is better to prevent this type of attack by using encryption techniques.

Traffic analysis
In this method, the attack scenario is the same as for the threat above, but the intruder just captures the traffic pattern of messages between sender and receiver. The network traffic is recorded in order to measure network parameters related to performance or security, and these parameters can then be used to threaten the network.

Active Attacks:
In active attacks, the hacker does not wait for information to be captured after a specific time but actively tries to break or bypass the authentication system. These attacks can be carried out at run time using any kind of virus, by stealing log information, or by injecting malicious code or trojan horses.

Active attacks are among the most dangerous attacks, as they lead to complete data loss and modification of sensitive data. They are typically performed in "man in the middle" scenarios. Active attacks are easy to detect, but it takes a lot of hard work to prevent them.

Active attacks can be further subdivided into four categories.

DoS & DDoS - DoS stands for denial of service and DDoS for distributed denial of service. It is the biggest of all threats in network security, and it is really hard to get rid of.

The difference between DoS and DDoS is that in DoS only one computer and one internet connection are needed to flood a server or targeted resource, while in DDoS multiple computers and multiple internet connections are used.

A denial of service attack is defined as an intruder making resources unavailable to their intended users. It is a very simple attack that can be carried out with multiple easily available malware tools, which flood the machine or resources with more unnecessary fake requests than the system can handle. For example, if the server can handle 10 requests per second, the intruder sends 40 requests per second, which exceeds the capacity of the system. As a result, the host system becomes unavailable to its legitimate users because of the mass of fake requests.

Modification of content - In this type of attack, the intruder captures the message transmitted from sender to receiver, modifies it and sends it on to the receiver, so the receiver does not receive the actual message sent by the sender but the message modified by the third party.

Replay - In the replay scenario, the intruder captures a message during transmission. For example, the sender sends a password to the receiver; the intruder captures the password message and can use it the next day, pretending to be the receiver from the previous day.

Masquerade - This happens when the intruder changes identity and pretends to be the sender; the receiver can never detect the change of identity and communicates with the third party instead of the sender.

Eavesdropping
In wireless networks, eavesdropping is another big security threat. In eavesdropping, the hacker tries to steal small packets containing information during the HTTPS transmission and modify the data in order to affect the network. Eavesdropping is one of the easiest attacks to carry out where encryption services are lacking; there are multiple tools available on the internet with which anyone can attack the network.

Eavesdropping can also be used in wired networks, e.g. tapping of telephone calls; this is mostly done by national security agencies.

Phishing attack
Phishing is now the most popular threat. In this attack, the intruder makes a clone of a website or application. The hacker then sends the user an email containing a link; when the user clicks the link, they are automatically directed to the clone of that website or application, where the hacker gets the user to enter credentials such as password and email. Once the user has entered their credentials, the hacker records that data and then uses it on the real site against them.
IP address spoof attack
In this attack, the hacker changes or modifies the headers of the packets sent by the sender so that the packets look as if they originate from a trusted network, and the receiver is not aware of the change of IP address. This attack is used to bypass the firewall.

Identity management scheme
This section describes the complete concept and lifecycle of creating the user account and profile management system with an administration panel, using different technologies and methods.

Analysis
This section includes the UML structural and behavioral diagrams.

Application Architecture
This project is based on client-server communication. The user data is stored in a database hosted on a dynamic server, and the Android application is installed on the client side and connects to the server using PHP web services. For this type of project, the frontend is developed using Android XML and the backend using Android Java, PHP and MySQL. For the administration panel, HTML and CSS are used for the frontend and PHP for the backend. The PHPMailer library is used to send emails to the users.

The structure used for application development is shown in the figure below.

Figure 1: Used structure for application development
Descriptions and procedures of the technologies used in this project are given below:
Front End
The frontend is developed in Android Studio using XML. The Android application consists of three activities: one for user registration, a second for user login and a third for the user profile, where the user can change the password and log out of the application.

Data is retrieved from the server in the form of JSON, which is parsed through Retrofit and then shown in these fields; data is also sent to the server to authenticate user credentials [4].

Login
The login page consists of two edit text fields, one for the email and the other for the password, and one clickable button for login.

A clickable text is also placed under the button in case the user wants to register.

Figure 2: Login page
Registration
The registration page consists of two edit fields, one for the user's name and the other for the email; the email is then used as the identity for login.

There is a clickable button for registration. When the user presses the button, an email with a verification link is sent to the user's registered email address.

A clickable text is also placed under the button, for the case where the user is already registered and wants to log in.

Figure 3: Registration page
Profile
After successful registration, the user can sign in to the application and reaches the profile page, which includes a logout button and a button to change the password. Clicking the logout button redirects the user to the login page, while clicking the change password button opens the change password dialog box.

Figure 4: User profile and change password dialog box

MySQL Database
MySQL, abbreviated as My server query language, is an open source relational database management system (RDBMS). MySQL is very fast, scalable and easy to use. It works in a client/server scenario and is implemented on the server using PHP scripts. In this project, MySQL is the most suitable database, rather than SQLite, which comes built in on Android devices. The disadvantage of SQLite is that it is an offline database that can only be implemented on the client side; it is also called a local and serverless database. MySQL, on the other hand, is an online database: the user's data is stored on the server and can be fetched from the server on client request.

In this project, a database named iotlab is created to store users' important credentials, which are then used for signup and login and allow the administrator to keep an eye on the users.

Figure 1 shows the database with its tables.

Figure 5: iotlab database
The database iotlab contains three tables, which are described below with their purposes:
ANDROIDUSERS
This is the very first step for the application. When a user wants to register through the Android application, the user's data is stored in this table. The structure of this table is:

Figure 6: Structure of table androidusers
This table is created to store the data of users who sign up through an Android device with the iotlab application. The table contains five columns, as shown in figure 2.

The Android application fields only include name and email, while the code is generated automatically by a PHP script and stored in the database against the user's name and email. This code is then used to verify the user's email address after the verification email has been received at the registered email account. The status column is used to check whether the user has verified his or her email: if the email account is verified the status changes to 1, and if not the status remains 0. The date column simply records the time and date when the user registered; MySQL has a default function for time and date, CURRENT_TIMESTAMP, as also shown in figure 2.

After the users register, the data is stored in the table as shown in the figure below.

Figure 7: Sample data in table androidusers
Figure 3 clearly shows that the user with the name rameel and email [email protected] signed up in the Android application on 19-04-2018 at 20:47:12. The status for this user is high (1), which means that rameel verified his email account using the verification link.

ACTIVATED
This table helps the administrator know that the email containing the password has been sent to the user's registered email address. The structure of this table is shown in the figure below.

Figure 8: Structure of table activated
This table contains five columns, as shown in figure 4. The table is also visible to the admin on the admin panel page, so that they are aware that the automatically generated password has been sent to this person.
When the user verifies the email address with the verification link, the user's data is stored in this table, and when the admin sends the automatic password to the user's registered email address, the pass_sent field is set to YES, as shown in the figure below.

Figure 9: Data sample of table activated
Figure 5 shows that the user named rameel with email address [email protected] has received the automatically generated password; the user is now authentic and part of the smart lab IoT Android application.

USERS
This is the last but most important table of the database, as it contains all the relevant information about all users registered with this application. First see the structure of this table in the figure below; its importance is discussed afterwards.

Figure 10: Structure of table users
This table contains 7 columns, as shown in figure 6; these columns are described below.

SNO
Sno is the short form of serial number. It is used as the primary key and auto-increments as new data arrives.

UNIQUE_ID
A random unique id is generated for every new user, to identify each user and to differentiate users with the same name.

NAME
Name of the user who wants to access the application.

EMAIL
Email of the user who wants to access the application.
USER_PASSWORD
The user's password is stored in hashed form for security purposes, as already discussed in the database security part.

SALT
Salt is a string attached to the password. It makes things harder for anyone who has breached security and gained access to the stored password, which in turn makes it next to impossible to use rainbow dictionaries to recover the real password.

CREATED_AT
Time and date to keep the record of every user’s registration.

When the admin sends the password to the registered user, that password is also stored in encrypted form in this table together with the other user credentials. This table is the last step of user registration and keeps the record of all registered users. It is also used for login and change of password, as the password is fetched from this table. Sample data for this table is shown in the figure below.

Figure 11: Sample data table users
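How the USER_PASSWORD and SALT columns relate to the hash algorithms named under "Encrypt sensitive data", as an added example that is not the project's code: it contrasts an unsalted MD5 digest with PHP's built-in password_hash(), which generates a random salt for every password and stores it inside the hash string. The helper name checkPassword, the cost values and the sample password are assumptions made for illustration.

```php
<?php
// Added example, not project code. Constructed sample password.
$password = 'Sample-Passw0rd!';

// Unsalted fast hash: the same password always yields the same digest, so
// identical passwords are visible in the table and precomputed (rainbow)
// tables apply directly.
$md5First = md5($password);
$md5Second = md5($password);

// password_hash(): a new random salt on every call and a tunable work factor.
// Salt and cost are encoded in the returned string, so bcrypt output fits in
// the USER_PASSWORD column without a separately managed SALT value.
$hashFirst = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$hashSecond = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

// Hypothetical login helper: verifies the candidate and, when the stored hash
// was created with a lower cost than the current target, returns a fresh hash
// to write back so old rows are upgraded as users log in.
function checkPassword(string $candidate, string $storedHash, int $targetCost): array
{
    if (!password_verify($candidate, $storedHash)) {
        return ['ok' => false, 'newHash' => null];
    }
    $options = ['cost' => $targetCost];
    $newHash = password_needs_rehash($storedHash, PASSWORD_BCRYPT, $options)
        ? password_hash($candidate, PASSWORD_BCRYPT, $options)
        : null;
    return ['ok' => true, 'newHash' => $newHash];
}

$info = password_get_info($hashFirst);
$good = checkPassword($password, $hashFirst, 12);
$bad = checkPassword('wrong-guess', $hashFirst, 12);

printf("md5 digests identical:      %s\n", var_export($md5First === $md5Second, true));
printf("bcrypt hashes identical:    %s\n", var_export($hashFirst === $hashSecond, true));
printf("stored algorithm and cost:  %s, cost %d\n", $info['algoName'], $info['options']['cost']);
printf("correct password accepted:  %s\n", var_export($good['ok'], true));
printf("rehash issued at cost 12:   %s\n", var_export($good['newHash'] !== null, true));
printf("wrong password accepted:    %s\n", var_export($bad['ok'], true));
```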
The relationship between all tables is described using a database diagram in figure 8 below.

Figure 12: Database relational model
Administration Panel
The main responsibility of the administration panel is to send the automatically generated password to the registered user after the user has verified the email address using the automatic verification link.

The second task of the admin is to be aware of all users who are registered and using the application.

The password is generated automatically using the PHP function described below.

$chars = "abcdefghij";
$password = substr(str_shuffle($chars), 0, 8);
The password is 8 characters long and uses lowercase letters from a to j. The characters can also be changed as required to include capital letters, numbers and special characters.
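How many different passwords the generator above can produce, and a replacement that draws each character independently from a larger alphabet, as an added example that is not the project's code. Because str_shuffle() only reorders the ten letters, no letter can repeat, which leaves 10 × 9 × 8 × 7 × 6 × 5 × 4 × 3 = 1,814,400 possible passwords; the function names and the 16-character, 62-symbol replacement are assumptions made for illustration.

```php
<?php
// Added example, not project code.

// Number of distinct outputs of substr(str_shuffle($chars), 0, $len) when
// $chars contains no repeated characters: ordered selections of $len
// characters without repetition.
function shuffleKeyspace(int $alphabetSize, int $len): int
{
    $count = 1;
    for ($i = 0; $i < $len; $i++) {
        $count *= $alphabetSize - $i;
    }
    return $count;
}

// Hypothetical replacement generator. Each character is drawn independently
// with random_int(), PHP's cryptographically secure integer source (PHP 7.0+).
// The PHP manual documents str_shuffle() as not cryptographically secure.
function generatePassword(int $len = 16): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// The page's generator: alphabet "abcdefghij" (10 letters), 8 characters kept.
$pageKeyspace = shuffleKeyspace(10, 8);

printf(
    "page generator: %d possible passwords (%.1f bits)\n",
    $pageKeyspace,
    log($pageKeyspace, 2)
);
printf(
    "replacement:    %.1f bits, sample value %s\n",
    16 * log(62, 2),
    generatePassword()
);
```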

The administration panel is a web-based application hosted on a dynamic server. It is built with a combination of HTML for the page layout, CSS to add styles to the HTML layout and, most importantly, the PHP scripting language to perform backend operations.

The administration panel is shown in the figure below.

Figure 13: Administration panel for sending automatic generated password
Fig 8 shows that the administration panel contains two things: the data of smart lab users and a random password generator application. Once a user has verified his or her email address, the data is automatically sent to the activated table in the database, discussed earlier. The activated table is displayed to the admin so that the random password can be sent to the users. When the password is sent to a user, the sent field is updated to yes; the figure also shows that the user with email [email protected] received a password by email.

When the admin sends the password to the user, the page looks like the figure below.

Figure 14: Admin sending password to user
Figure 8 shows the admin sending the password to the user through the random password generator application. The random password is 'befcdhag'; this password is hashed using the hashing algorithm (discussed in password encryption) and then added to the database with the other credentials.

The application prevents the password from being sent multiple times, as shown in the figure below.

Figure 15: Admin panel password already sent
In fig 10 the admin has already sent the password to this user, so the message 'password already sent to this [email protected]' appears. This prevents the admin from sending multiple emails with passwords to the user, including in case the admin forgets that the password has already been sent.

Retrofit for Http request/response
Retrofit is a type-safe REST client library for Android developed by Square. It uses OkHttp for HTTP requests and responses between client and server. It works with both JSON and XML, and we do not need to parse JSON responses ourselves, as this is done by the library using a GSON converter, which converts to and from JSON.
Figure 11 describes the overall structure of an HTTP request to the server and the response from the server to the client when the Retrofit library is used in the Android application.

Figure 16: HTTP request and response, client to web server
The main responsibility of the Retrofit library is to make HTTP requests from the local client to the remote server and handle the responses in order to fetch data from the server. Before Retrofit, the traditional method for this purpose was Android Async tasks, but this approach is very time consuming, requires a lot of code and is relatively slow compared with other REST client libraries.

Volley is another REST client library for Android, written by Google, which works in the same way as Retrofit. The only difference between Retrofit and Volley is that Volley requires a lot of code, while Retrofit is easy to implement, easy to use and does not require a lot of extra code; lastly, Retrofit is still faster than Volley. Retrofit is therefore used in this project, as it is more suitable for this kind of project. A benchmark test between the traditional Android Async task, Volley and Retrofit has been carried out, and the results are shown in table 3 below.

Library               One discussion    Dashboard (7 requests)    25 Discussions
Android Async task    941ms             4,539ms                   13,957ms
Volley                560ms             2,202ms                   4,275ms
Retrofit              312ms             889ms                     1,059ms
Table 3: Retrofit performance analysis
Table 3 clearly shows that in the benchmark test Retrofit is faster than all other REST client libraries in all three tests.

Steps to integrate retrofit in smart lab IoT project are:
Allow internet permission in AndroidManifest.xml
<uses-permission android:name="android.permission.INTERNET" />
Add dependencies in build.gradle file
compile 'com.squareup.retrofit2:retrofit:2.0.0'
compile 'com.squareup.retrofit2:converter-gson:2.0.0'
Creating a model class
To fetch a response from the server, we need to create a model class into which the JSON response is automatically converted by the GSON converter in the background.

The model class is created as user.java; sample code from the class is shown below.

public class user {
    // Field names must match the keys of the JSON response
    private String name;
    private String email;

    public String getName() {
        return name;
    }

    public String getEmail() {
        return email;
    }
}
Creating API interface class
Now the main step is to create the API interface class, which defines the methods that are then used for network transactions. The interface int_req.java is created in the Android Studio project, and its code is shown below.

import retrofit2.Call;
import retrofit2.http.Body;
import retrofit2.http.POST;

public interface int_req {
    // Local server directory, relative to the base URL
    @POST("android/server/")
    Call<resp_serv> process(@Body req_serv request);
}
The post method is used to send the data to the server.

Creating RestAdapter

Let's take login as an example. A Java class user_login.java is created in the project, in which all functions related to login are performed. The user data, which includes email, name and password, is already stored in the database located on the server.

First import the libraries of retrofit and gson converter.

import retrofit2.Call;
import retrofit2.Callback;
import retrofit2.Retrofit;
import retrofit2.converter.gson.GsonConverterFactory;

Now create a retrofit adapter and set base url.

Retrofit retrofit = new Retrofit.Builder()
        .baseUrl(consts.ROOT_URL)
        .addConverterFactory(GsonConverterFactory.create())
        .build();
ROOT_URL is the address of the web server, here given as an IP address, where all the files and directories are stored; it is referenced from the rest of the project. It is written in the consts.java class as described below.

public static final String ROOT_URL = "http://10.53.10.193/";

Creating an object of interface int_req.java.

int_req requestInterface = retrofit.create(int_req.class);
Now create a callback object and write the logic in the overridden functions onResponse and onFailure.

Call<resp_serv> response = requestInterface.process(request);
response.enqueue(new Callback<resp_serv>() {
    @Override
    public void onResponse(Call<resp_serv> call, retrofit2.Response<resp_serv> response) {
        // Logic for a reply from the server goes here
    }

    @Override
    public void onFailure(Call<resp_serv> call, Throwable t) {
        // Logic for a failed request goes here
    }
});
Retrofit now makes a call to the server. If the server responds, the onResponse method is invoked and performs the action written in the function; if the request to the web server fails, the onFailure method is invoked and performs its function as instructed.

Php Mailer Library
Php mailer is an open source Php library which is used in this project for sending emails to the registered users safely and easily, using Php code on the web server. The traditional method before Php mailer was the mail() function, but it is not flexible to use: mail() is not object oriented, and the developer needs to write a lot of code with many headers, which sometimes makes the code look dirty. Php mailer, in contrast, is object oriented, can print error messages, integrates with the SMTP protocol and supports authentication over SSL and TLS.
Php mailer is used to send two types of email, divided on the basis of functionality: one contains the verification link, and the other is sent by the administrator from the administration panel to deliver the automatically generated password to the registered users.
Steps to use Php mailer in this project:

Download Php mailer library in .zip form.

Unzip the folder, then copy and paste it into the root folder of the server, which is htdocs.

Now add the library in the desired Php class.

require 'PHPMailer/class.phpmailer.php';
Create a Php mailer object.

$mail = new PHPMailer;
Now set up the SMTP server; here we are using the Yahoo server. Port 587 is used, which is for TLS; for SSL the port number is 465.

TLS - Transport Layer Security is a cryptographic protocol that provides authentication and data encryption between the servers, e.g. for a client connection to a web server.

$mail->isSMTP();
$mail->Host = 'smtp.mail.yahoo.com';
$mail->Port = 587;
$mail->SMTPSecure = 'tls';
$mail->SMTPAuth = true;
Provide the sender's username and password and the receiver's email address. Here the receiver is denoted by the variable $email, the email address of the user registered on the application, so the email is sent to them automatically. The subject and message body can also be written by the developer using functions.

$mail->Username = '[email protected]';
$mail->Password = 'password';
$mail->From = "[email protected]";
$mail->FromName = "[email protected]";
$mail->AddAddress($email);
$mail->Subject = 'SMART LAB IoT USER LOGIN – PASSWORD';
$mail->msgHTML('<p>Dear '.$name.',<br/><br/><br/> Your password is: '.$nonhashed.'</p>');
After everything is set up, send the email using the send function. If the mail is not sent and an error occurs, the error can be displayed using ErrorInfo.

if (!$mail->send()) {
    $error = "Mailer Error: " . $mail->ErrorInfo;
    echo '<p id="para">'.$error.'</p>';
}
else {
    echo " Password has been sent to- ".$email."<br>";
}
The above steps are an example of sending the password to the users. For sending the verification link the whole procedure is the same; only the body of the message in step 7 changes, as shown below.

$mail->msgHTML('<p>Dear '.$name.',<br/><br/><br/> Your verification link is:http://10.53.10.193/android/server/verify.php?name='.$name.'&email='.$email.'&code='.$code.'</p>');
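One way to build the verification link so that $name and $email are encoded for both the URL and the HTML body, and the code is random and compared in constant time. This is an added example, not the project's code; the function names and sample values are hypothetical, and the URL is the verify.php address used above.

```php
<?php
declare(strict_types=1);

// Added example: helper names and sample values are hypothetical.
// The URL is the verify.php address used in this report.
const VERIFY_URL = 'http://10.53.10.193/android/server/verify.php';

/** New one-time code: the raw value is emailed, only its SHA-256 is stored. */
function new_verification_code(): array
{
    $code = bin2hex(random_bytes(16)); // 128 bits from the system CSPRNG
    return ['code' => $code, 'stored' => hash('sha256', $code)];
}

/** Build the link; http_build_query percent-encodes every value. */
function verification_link(string $name, string $email, string $code): string
{
    $query = http_build_query(
        ['name' => $name, 'email' => $email, 'code' => $code],
        '', '&', PHP_QUERY_RFC3986
    );
    return VERIFY_URL . '?' . $query;
}

/** HTML body for msgHTML(); user-supplied text is escaped for HTML. */
function verification_body(string $name, string $link): string
{
    $n = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    $l = htmlspecialchars($link, ENT_QUOTES, 'UTF-8');
    return '<p>Dear ' . $n . ',<br/><br/>Your verification link is: '
         . '<a href="' . $l . '">' . $l . '</a></p>';
}

/** Check for verify.php: constant-time compare against the stored hash. */
function code_matches(string $storedHash, string $submitted): bool
{
    return hash_equals($storedHash, hash('sha256', $submitted));
}

// Constructed sample input: a name containing markup and URL metacharacters.
$name  = 'Ann <b>&</b> Lee';
$email = 'ann+lab@example.com';
$v     = new_verification_code();
echo verification_body($name, verification_link($name, $email, $v['code'])), PHP_EOL;
var_dump(code_matches($v['stored'], $v['code']));
var_dump(code_matches($v['stored'], 'guessed-code'));
```

The string returned by verification_body() can be passed directly to $mail->msgHTML().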
Password encryption: different methods and techniques
As discussed earlier in the security and privacy chapter, password encryption is the most important application in this project, because the security and privacy of user data has top priority. For example, if a hacker successfully steals the database, it is impossible for them to decrypt the passwords if they are stored in the database as hashed strings.

There are multiple open source hash algorithms available on the market, but the right algorithm with the right parameters will be more secure.

The available hash algorithms are:
SHA family
The Secure Hash Algorithm (SHA) family contains the versions SHA-1, SHA-2 and SHA-3. SHA-1 and SHA-2 are by now obsolete, as successful attacks have been carried out on SHA-1 in 2005 [6] and on SHA-2 in 2011 [7], while SHA-3 is the latest one, developed in 2015, and is more secure than the other versions of the SHA family.

The only disadvantage of SHA-3 is that it is a fast hash, so a hacker will not need a lot of time to decrypt the password; fast hashes are therefore bad for passwords.

SHA-3 is still not supported by most hardware and software because it is new.

MD5
MD5 is another hashing algorithm available on the market; it was first published in 1991. MD5 is less secure than SHA and can be broken relatively easily, thus it is no longer safe to use in secure systems. It is also one of the slowest hash functions and was broken in 2005 [5].

Bcrypt
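The point made above about fast hashes being unsuitable for passwords, as an added example in PHP (not the project's code): a bcrypt hash created with PHP's built-in password_hash() is timed against a single SHA-256 call, and a stored hash is verified and checked for a cost upgrade. The helper names, the sample password and the cost value of 12 are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: helper names, sample password and cost are assumptions.

/** Hash a new password with bcrypt; PHP generates and embeds the salt. */
function store_password(string $plain, int $cost = 12): string
{
    // Note: bcrypt only uses the first 72 bytes of the input.
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => $cost]);
}

/** Verify a login attempt and report whether the stored hash needs upgrading. */
function check_password(string $plain, string $stored, int $cost = 12): array
{
    $ok = password_verify($plain, $stored);
    $rehash = $ok && password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $cost]);
    return ['ok' => $ok, 'rehash' => $rehash];
}

/** Wall-clock time of one call to $fn, in milliseconds. */
function time_ms(callable $fn): float
{
    $start = microtime(true);
    $fn();
    return (microtime(true) - $start) * 1000.0;
}

$pw = 'correct horse battery staple'; // constructed sample password

// Two hashes of the same password carry different random salts.
$first  = store_password($pw);
$second = store_password($pw);
var_dump($first !== $second);

// Login with the right and the wrong password.
var_dump(check_password($pw, $first));
var_dump(check_password('wrong password', $first));

// A hash stored earlier at a lower cost still verifies but is flagged for rehash.
var_dump(check_password($pw, store_password($pw, 10)));

// Cost of one guess for an attacker holding the database: fast hash vs bcrypt.
printf("sha256: %.3f ms\n", time_ms(function () use ($pw) { hash('sha256', $pw); }));
printf("bcrypt: %.3f ms\n", time_ms(function () use ($pw) { store_password($pw); }));
```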

Conclusion
Annex
Php- Hypertext Preprocessor
HTML- Hypertext Markup Language
CSS- Cascaded Style Sheets
SQL- Server Query Language
REST- Representational State Transfer
SMTP- Simple Mail Transfer Protocol
SSL- Secure Sockets Layer
Software used:
Android studio- For application development with built-in emulator used.

Sublime Text- For Php scripting.

XAMPP 7.0- As Local host server to test application on live server.

Star UML- For creation of structural and behavioral diagrams.

Project file description:
Layout files:
activity_main.xml
changepassword.xml
login.xml
profile.xml
register.xml
Java files:
consts.java
int_req.java
req_serv.java
resp_serv.java
user.java
user_login.java
user_profile.java
user_register.java
user_login.java
Activity files:
MainActivity.java
Php files:
control.php
dboperation.php
index.php
verify.php
adminpanel.php
Style files:
style.css
Bibliography
[1] IoT Lab project. Available: http://www.iotlab.eu/IOTLabProject/AimsAndObjectives
[2] Mubina Malik, Trisha Patel, “Database Security - Attacks and Control Methods”, International Journal of Information Science and Techniques (IJIST), volume 6, no. 1/2, March 2016.
[3] Odirichukwu J. C., Asagba P. O., “Security Concept in Web Database Development and Administration - A Review Perspective”, 2017 IEEE 3rd International Conference on Electro-Technology for National Development (NIGERCON).
[4] Faisal Bin Al Abid, A. N. M. Rezaul Karim, “Cross-platform development for an online food delivery application”, IEEE, 01 December 2017.
[5] Xiaoyun Wang, Hongbo Yu, “How to break MD5 and other Hash Functions”, IACR, Eurocrypt 2005, LNCS 3494, 2005.
[6] Marc Stevens, “New collision attacks on SHA-1 based on optimal joint local-collision analysis”, Advances in Cryptology - EUROCRYPT 2013, Lecture Notes in Computer Science, volume 7881, pp. 245-261, 2013.
[7] Mario Lamberger and Florian Mendel, “Higher-Order Differential Attack on Reduced SHA-256”, IACR Cryptology ePrint Archive, 2011/37, 2011.