Encrypting PDF files with PDFDocument is based in the use of the PDFPermissions class. You’ll need to create a new instance of the class passing along the “Owner” and “User” passwords. For example:

Var d As New PDFDocument
Var g As Graphics = d.Graphics

Var p As New PDFPermissions("OwnerPassword","UserPassword")

In addition, you can set other properties for the PDFPermissions instance; all of them are read/write and will be applied by the PDF viewer app for when the document is opened using the “user” password.

• AllowCopyingContents is set to False by default. When set to True it will allow copying contents from the PDF, as for example the selected text or image.
• AllowModifyingContents is set to False by default. When set to True it will all to modify the contents of the protected PDF document.
• AllowPrinting is se to False by default. When it is set to True it will be possible to print the PDF.

Once the PDFPermissions instance has been created and the desired properties had been set, all you need to do is to assign such instance to the Permissions property for the PDFDocument instance you want to encrypt:

d.Permissions = p

Then, when it’s saving the document to a file, PDFDocument will encrypt all the streams of data containing sensitive information, as it can be the text or Images rendered on every one of the PDF pages plus the metadata information itself. The used encryption algorithm is AES 128 bits.

That’s all! You can distinguish an encrypted PDF file from an unencrypted one because, usually, the first one will be displayed with the image of a Lock in the icon. When you open an encrypted PDF in the viewer app you’ll be asked to type a password. If you enter the passord set to the “Owner” user, you’ll be able to do all the kind of operations allowed by the viewer app, while if you enter the “User” password, then the kind of options available will be determined by those set using the PDFPermissions properties.

Javier Menendez is an engineer at Xojo and has been using Xojo since 1998. He lives in Castellón, Spain and hosts regular Xojo hangouts en español. Ask Javier questions on Twitter at @XojoES or on the Xojo Forum.

• Facebook
• X
• LinkedIn
• GitHub
• YouTube

Is it the most secure or robust encryption algorithm around? Not really. But it provides a good amount of performance and you can take further steps in order to correct some of its flaws. So, continue reading if you are interested in having this one in your developer toolset implemented as a Class with separate methods to encrypt and decrypt a block of information (even if it uses the same function in both cases).

Add a new Class to your project and name it ARC4. Next, add the three properties needed to implement it:

• Name: mBox
• Type: MemoryBlock
• Scope: Private

• Name: mKeyBlock
• Type: MemoryBlock
• Scope: Private

• Name: mKeyLength
• Type: Integer
• Scope: Private

ARC4 uses a main state box with a length of 256 bytes and the first one will be the one pointed by the mBox property. The second one, mKeyBlock, is declared as a MemoryBlock just to be more efficient in accessing the individual bytes of the provided Key. Lastly, the mKeyLength property is just a convenience property so we can access the original Key length from our Methods.

Now, let’s add the required Class methods, starting with the Constructor. This one will let the user provide the Key string as part of the instance initialization; so we don’t need to provide it again every time we want to encrypt or decrypt a new block of data.

With our ARC4 class selected in the Navigator, add a new method and type the following values in the Inspector Panel:

• Name: Constructor
• Parameters: Key As String
• Scope: Public

Next, type the following snippet of code in the associated Code Editor for the method:

// If Key is not an empty String
// We call the Key method in order
// to initialize the State box

If Not (key.IsEmpty) Then
  Me.Key = key
Else
  // Empty String, so we raise an exception
  Raise New RuntimeException(kkeynotinitialized,Integer(ARCError.KeyNotInitialized))
End If

As you can see, the main thing that the Constructor does is call the Key Method; it’s in charge of initializing the required state box with the provided key. If the key is an empty String, it will raise a Runtime Exception giving a descriptive error message an error number.

Now, let’s add the Key method to our RC4 class:

• Name: Key
• Parameters: Assigns Value As String
• Scope: Public

Being a Public method means that you can change the Key String without needing to create a new instance, if that is what you want to do. For example, you may want to initialize the Class instance using a key, encrypt some blocks of data using that one and then change to a different key in order to encrypt other blocks of data. Just remember that you’ll need to use the same keys in order to reverse to plain data those blocks encrypted with a given key.

In addition, the use of the Assigns keyword is simply syntactic sugar to make it possible to call the method using the equal operator to pass along the required parameter instead of using the regular syntax when calling a method in Xojo code. So, for example, you can use call it using:

MyRC4Instance.Key = "MySecretKey"

Instead of:

MyRC4Instance.Key("MySecretKey")

This is the code snippet that’s going to execute this method:

// Disabling some features for better speed
#Pragma DisableBackgroundTasks
#Pragma DisableBoundsChecking
#Pragma NilObjectChecking False
#Pragma StackOverflowChecking False

// Initialize the index values
Var mFirstIndex As UInt8
Var mSecondIndex As UInt8

// Let's check that this is not an Empty Key String
If Not (value.IsEmpty) Then

  // Trim key length if greater than 256 = max 2048 bits supported by ARC4
  If value.Length > 256 Then value = value.Left(256)

  // Pad the key if it is less than the required min 40 bits (5 bytes)
  // We are going to pad the key repeating the remaining 'n' characters
  // from the begining of the key.
  If value.Length < 5 Then

    Var pad As Integer = 5-value.Length

    value = value + value.Left(pad)

  End If

  // Initialize the State Box if this is the first call to the method.
  // The State box has a maximum of 256 bytes.
  If mBox = Nil Then mBox = New MemoryBlock(256)

  // Just in case there is an older Key in use
  // Let's get rid of the old MemoryBlock storing it
  // And create a new one with the Key lenght (in bytes)
  mKeyBlock = Nil
  mkeyBlock = value
  mKeyLength = value.Length

  // Required initialization of the State Box
  For n As Integer = mFirstIndex To 255
    mBox.UInt8Value(n) = n
  Next

  mFirstIndex = 0

  // Last step on State Box initialization
  // Permutation of values in the State Box
  // using for that the provided Key.

  For n As Integer = mFirstIndex To 255

    mSecondIndex = (mSecondIndex + mBox.UInt8Value(n) + mkeyblock.UInt8Value(n Mod mKeyLength)) Mod 256

    SwapValues(n,mSecondIndex)

  Next

Else

  // If the provided key is an empty String, we raise a new Runtime Exception
  // with a descriptive error message and error number.
  Raise New RuntimeException(kKeyNotInitialized, Integer(ARCError.KeyNotInitialized))
End If

As you can see, both the Constructor and the Key methods raise a Runtime Exception if the provided Key is an empty string. Both the message and error number are defined as a Constant (the message error) and an Enumerator (Error value) as part of the class itself. So go ahead and add a Constant to the ARC4 class using these values:

• Constant Name: kKeyNotInitialized
• Default Value: Key Not Initialized
• Type: String
• Scope: Protected

And for the Enumerator:

• Name: ARCError
• Type: Integer
• Scope: Public
• Value: KeyNotInitialized = -1

In addition, the Key method calls the SwapValues method in order to make the values permutation in the State Box. So add a new method using these values in the Inspector Panel:

• Method Name: SwapValues
• Parameters: FirstValue As UInt8, SecondValue As UInt8
• Scope: Private

While the code to type in the associated Code Editor will be:

Var tmp As UInt8

tmp = mBox.UInt8Value(SecondValue)
mBox.UInt8Value(SecondValue) = mBox.UInt8Value(FirstValue)
mBox.UInt8Value(FirstValue) = tmp

Now just two additional methods left to be added to the class- the ones in charge of encrypting and decrypting a given block of data.

In order to encrypt the data, add a new Method with the following values in the Inspector Panel:

• Method Name: Encrypt
• Parameters: Value As String
• Return Type: MemoryBlock
• Scope: Public

And with the following block of code in the associated Code Editor:

// Disabling some features for better speed
#Pragma DisableBackgroundTasks
#Pragma DisableBoundsChecking
#Pragma NilObjectChecking False
#Pragma StackOverflowChecking False

// Index initialization
Var mFirstIndex As Integer
Var mSecondIndex As Integer

Var k As UInt8

// If we have a non initialized mKeyBlock
// that means that the key has not being initialized
// so we raise an exception
If mKeyBlock <> Nil Then

  // Initialize Key again

  me.Key = mKeyBlock.StringValue(0,mKeyBlock.Size)

  // Let's put the text to encrypt into a memoryblock
  // so it is faster to iterate through their bytes
  Var target As MemoryBlock = value
  Var temp As UInt8
  Var maxSize As Integer = target.Size-1

  // And we calculate the new bytes values (encrypted values)
  // using the ARC4 algorithm
  // Basically, every byte in the source block will be XORed
  // with the calculated byte from the State box.
  For n As Integer = 0 To maxSize

    mFirstIndex = (mFirstIndex + 1) Mod 256
    mSecondIndex = (mSecondIndex + mBox.UInt8Value(mFirstIndex)) Mod 256

    SwapValues(mFirstIndex,mSecondIndex)

    k = mBox.UInt8Value((mBox.UInt8Value(mFirstIndex) + mBox.UInt8Value(mSecondIndex)) Mod 256)

    target.UInt8Value(n) = target.UInt8Value(n) Xor k
  Next

  //…and return the block of data already encrypted
  Return target

Else
  Raise New RuntimeException(kKeyNotInitialized, Integer(ARCError.KeyNotInitialized))
End If

And the last Method, the one in charge of decrypting a block of ARC4 encrypted data:

• Method Name: Decrypt
• Parameters: Source As MemoryBlock
• Return Type: MemoryBlock
• Scope: Public

Typing the following code fragment in the associated Code Editor:

If Not (Source Is Nil) Then

  // Simply call the same method we use to
  // encrypt data, avoiding code duplication
  // and returning the now deciphered data to the caller
  Return Me.Encrypt(Source)

End If

And, that’s all! If you are interested in more information about the ARC4 algorithm you can read this article on the Wikipedia. Or better yet, read the excellent books “Applied Cryptography” and “Cryptography Engineering” to dig in even more on this and other cyphering algorithms. Of course, remember that the Crypto module included in the Xojo framework has a good bunch of these ready to use!

Of course, you also can download the Xojo example project that includes this Class ready to use from this link.

From Apple’s docs:

Starting in iOS 9.0 and OS X v10.11, a new security feature called App Transport Security (ATS) is available to apps and is enabled by default. It improves the privacy and data integrity of connections between an app and web services by enforcing additional security requirements for HTTP-based networking requests. Specifically, with ATS enabled, HTTP connections must use HTTPS (RFC 2818). Attempts to connect using insecure HTTP fail. Furthermore, HTTPS requests must use best practices for secure communications.

I first talked about App Transport Security when it started affecting iOS. Starting with Xojo 2018 Release 4, this change matters to your Mac apps because Xojo is now using the updated Mac libraries that have this requirement. Simply stated, it means that if your Mac apps use URLConnection, Xojo.Net.HTTPSocket, HTTPSocket (now deprecated), HTTPSecureSocket or HTMLViewer, then your URLs have to be secure and use https. If they are not secure, you will either get an error returned or no page displayed.

If you are relying on other services or URLs that do not yet support https, then what do you do? Apple has provided a workaround: you have to specify an exemption in your plist file. In the plist you identify specific URLs for which you want to allow unsecured connections. To do this, create a text file called Info.plist, add this content to it and drag the file to the Navigator to add it to your project:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>firstsite.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
      <key>secondsite.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>

Replace the domain names (or add more) based on your needs. You can also allow all unsecured connections, but Apple may reject App Store submissions that use this without valid reasons:

<key>NSAppTransportSecurity</key>
<dict>
  <!-- Include to allow all connections; avoid if possible -->
  <key>NSAllowsArbitraryLoads</key>
  <true/>
</dict>

Keep in mind that Apple may reject your App Store submission if you allow arbitrary URLs without a good reason.

For additional information, refer to the Using a plist, URLConnection, Xojo.Net.HTTPSocket and HTMLViewer pages in the Docs.

Need easy server hosting with 1-click SSL support so you can avoid App Transport Security? Be sure to check out Xojo Cloud!

Here is the Window layout in the Xojo IDE:

I’m using a read-only TextField to display the generated password. There are a couple PushButtons for copying the password text to the clipboard and for generating a new password. I use Slider controls to set the length of the password and the number of digits and symbols to include, along with corresponding labels.

When the window opens, it populates some arrays with the acceptable characters that can be used for letters, digits and symbols. In particular, some characters are excluded such as “O”, “o”, “0” and quotes because those are difficult to distinguish. The code to do this is in the Open event:

The last line calls the GeneratePassword method which uses the settings from the user interface to generate a password. This way you’ll have a password displayed immediately when the window appears.

The GeneratePassword method first determines how many digits are needed, making sure it does not exceed the requested password length. Then it adds any symbols, also ensuring it does not exceed the set length. Lastly, if more characters are needed it adds letters to reach the desired length.

The characters are added to a String array that is then shuffled to mix all the parts together. Try commenting the Shuffle line out and when you run the project you’ll see that numbers always appear first, followed by symbols and then the letters. Here is the GeneratePassword code:

A similar technique is used by the RandomDigit, RandomLetter and RandomSymbol. It uses the Shuffle method to randomize the appropriate array and then returns the first item.

Download the Password Generator project file.

Download and check out earlier projects:

Week 1: Color Picker Desktop App

Discuss your Week 2 project in the Xojo forum:

Just Code Challenge Week 2 Projects

With the move to LLVM as the backend of our compiler, the format of our Windows executables changed somewhat. LLVM puts the executable code in a different location that doesn’t set off those same flags for anti-virus software. If you’re having problems with such false positives, recompiling your apps for 64-bit may solve the problem. Doing this is not a 100% guarantee but it can reduce the chances of a false-positive occurring.

This is even more true if you are using console-based helper apps especially if you’re launching multiple instances of them. Despite this being a known and often-used technique for taking advantage of multiple cores (and one we wrote about recently), it can make anti-virus software more suspicious. If your helper app has code that the anti-virus software thinks is in the wrong place, recompiling it for 64-bit may help.

Having said all of this, false is still false. If your apps (compiled for 32-bit or 64-bit) are falsely identified as having a virus, contact the anti-virus software company so they can update their software. Many have established protocols for reporting false positives.

Without Xojo Cloud, you have to manage a Linux server to host your Xojo web apps. Have you ever managed a Linux server? If not, perhaps you have no idea how difficult it can be.

Here are just some of the things you’ll have to worry about when you have to manage a Linux server with other hosting services.

Keeping your chosen version of Linux up-to-date

This is a lot harder than it sounds. Linux distributions are updated often to fix bugs and security holes.

I’ve had a Linux virtual private server (VPS) for several years that I have used to run a few web sites and the occassional Xojo web app. It turns out that my version of Debian Linux is getting a bit old and I need to upgrade it. But my hosting company does not make this easy. The control panel I am using no longer supports Debian and my hosting company only offers it with Ubuntu. There is no way for me to fix this myself as I cannot just create a new VPS container using Ubuntu while retaining my existing files. Instead I have to back up everything, get a new VPS created with Ubuntu and then manually set everything back up. This is going to take a tremendous amount of time, so I’m actually working on moving my stuff away from the VPS. I no longer want to spend my valuable time managing my own Linux server. I’m a programmer, not a Linux system administrator.

With Xojo Cloud, we keep Linux updated for you.

32-bit Libraries

To run Xojo apps on your server, you’ll need either a 32-bit version of Linux or you’ll have to install the 32-bit compatibility libraries needed by Xojo apps. Few hosting companies offer 32-bit Linux distributions. For 64-bit distributions, finding and installing these libraries can be easy with some distributions and rather difficult with others. Regardless, you better be comfortable with the Terminal, SSH, apt-get, yum and other Linux tools and commands.

With Xojo Cloud, we ensure the proper libraries are installed so your Xojo apps runs smoothly.

Firewall Management

Are you familiar with iptables? You’ll need to learn how to use it to manage your firewall so that your server is not open to attacks if you leave the wrong port open.

Xojo Cloud has an smart, adaptive firewall that watches the traffic coming in to your Xojo Cloud server and looks for the patterns that indicate a hacker. It can then lock the hacker out before they get in.

Secure Uploads

How are you going to get files to your web server? FTP is the most common answer, but it’s not secure. You’ll want to ensure you configure SFTP so that you can securely transfer files. Uploading is also an extra step when building and deploying your Xojo apps. You’ll have to do a the build and then use your FTP client to transfer the build over to the server. Although before you do that, make sure to head over to the server to stop (or quit) your web app if it is already running.

With Xojo Cloud, you can securely upload your web apps right from Xojo itself with one click. Or you can use the built-in SFTP server to upload files yourself.

Permissions

Once you have your web app (and any related files) uploaded, you’ll need to make sure that the permissions are set correctly. Often, the permissions set by an SFTP upload do not match the permissions needed by Apache to access and execute files. You’ll need to become quite intimate with the Terminal and the chown and chmod commands.

Your app permissions are set for you automatically when you upload directly from Xojo to Xojo Cloud.

Apache

Configuring the Apache web server can get pretty complex. There are lots of books written about it, but it might take some time to get through them all. Xojo web apps use CGI in conjunction with Perl to communicate with Apache, neither of which may be enabled by default.

With Xojo Cloud this is all automatically enabled and properly configured for you.

SSL Certificates

Does your host provide an easy way for you to add an SSL certificate to your web site? You absolutely need this is your web app has a login page, otherwise all data, including user IDs and passwords, are sent in plain text.

Xojo Cloud has a simple wizard to walk you through the processing of obtaining an SSL Certificate and installing it.

Database Support

Hosting services sometimes have MySQL available as an option. But few offer PostgreSQL, a more powerful open-source database. And most hosting companies do not provide a way for you to access the DB from outside a web app running on the server.

With Xojo Cloud you can easily enable MySQL or PostgreSQL. Plus you can also turn on an SSH tunnel so you can connect to the DB from outside the server to use your favorite admin tools or even connect from a desktop app. You can even easily create a Xojo Cloud web app that acts as a web service to a DB so that you can easily connect from any type of app, even iOS.

TL;DR: Why Xojo Cloud?

We don’t want you to have to worry about any of the above, which is why we created Xojo Cloud: security and convenience. It goes without saying that you’ve heard a story of some major company or web service having its data compromised. We take security seriously and want you to as well. Security is complex, but Xojo Cloud makes it easy for you to have a secure server with very little effort on your part.

We use a Xojo-optimized version of Security Enhanced Linux (SELinux), which is based on CentOS. You don’t have to worry about keeping it up-to-date and you don’t have to worry about installing libraries needed by Xojo.

The Xojo Cloud firewall is an impressive piece of engineering. The firewall watches the traffic and uses heuristics to try to determine potential denial-of-service and other hacking attempts. Not to mention the additional layers of intrusion detection and file change detection.

Since Xojo Cloud is integrated with Xojo itself, you get fast, easy and secure uploads of your web applications and associated files. The permissions are set for you automatically. This is all done by simply clicking the “Deploy” button on the main toolbar.

You don’t even every have to worry about Apache. You just upload your web app, it goes into its own folder and then you can make it available for the world to use. How much easier could it be? We even have a wizard to walk you through getting and installing an SSL certificate, something that can be challenging with some VPS hosts.

Lastly, the Xojo Cloud database support gives you fast and easy access to MySQL and PostgreSQL for use in your own web, desktop and iOS apps.

Security & Convenience

So why does Xojo Cloud start at $49 per month when you can get hosting from <insert other hosting provider> for $25 per month? The reason is because security and convenience are not free. Most VPS hosting is not as fully managed as you might think. You are given access to a control panel but generally have to manage most things yourself. There is typically a list of specific tasks that the hosting company will also do for you if you file a support ticket. Of course, if you are comfortable doing this and have the free time, a VPS might be a reasonable option. Certainly, it was the best option available before Xojo Cloud. But for most people that want to spend their time creating great software and not acting as a Linux administrator, Xojo Cloud is a bargain.

We think Xojo with Xojo Cloud is the most secure and and easiest way yet to create web applications. We hope you do as well. Now go forth and create web apps!

Update: Xojo Cloud Database Support is here, click below to read about it!