Security considerations have always been a priority when building a Custom App, but now that we are in the 'cloud age' it is even more critical to get security right from the outset and to audit it periodically.
One recent example of this, which filtered into the public consciousness because it was such a widespread issue, was the Heartbleed bug in the widely used OpenSSL library, which also affected the older FileMaker 12 & 13 platforms.
FileMaker 15 further improves on the already strong set of security features in FileMaker 14 with a number of important enhancements:
- SSL certificates are verified before any operations requiring secure data transfer. These include performing actions that open a file hosted on FileMaker Server, importing XML data via an HTTP request, or sending email via an SMTP server using an encrypted connection. This is significant because many FileMaker Custom Apps integrate with third-party APIs by inserting data from an HTTPS call.
- FileMaker Pro notifies you when a host’s SSL certificate cannot be verified. You can choose to connect anyway, add the host to your permitted hosts list, or cancel. With previous versions of the FileMaker platform it was too easy to miss this warning, so making the warning more explicit is a simple belt-and-braces measure.
- Other applications can be prevented from using AppleScript or ActiveX to perform FileMaker scripts. This is managed in the security settings, under the extended privileges of a privilege set for your Custom App. This is important because it prevents malware that might have compromised a user's machine from further impacting your database.
- FileMaker Custom Apps can be configured to require users to use Touch ID on iOS. Entering robust, high-complexity passwords is especially tedious on mobile devices, and supporting Touch ID provides a great solution to this.
Even with the additional security enhancements of the FileMaker 15 platform, locking down your Custom App can be an intimidating process if you are new to the FileMaker platform. If you are not sure where to start, you can always contact our consulting team for a security audit.