New Acra 0.85.0 brings the expanded functionality we’ve announced during the release of Acra 0.84.0.
We’ve added server-side encryption mode which allows integrating Acra without altering the client application code. It’s called AcraServer’s Transparent proxy mode and allows you to configure AcraServer to parse SQL queries and to encrypt values designated for specific database columns. Transparent encryption mode is useful for large distributed applications where updating the source code of each client app separately would be complicated.
Now AcraCensor is even more useful for preventing complex SQL injections: new flexible configuration file describes how AcraCensor should process the incoming SQL queries – log, pass, block, or ignore them. Each action is described by a separate handler, and you can combine handlers in a different order.
The most exciting feature of this release is Secure Search. Now you can run SQL queries over encrypted data allowing users to search through sensitive data without exposing it. It allows including Acra-protected records in WHERE clauses of SQL queries and perform proxy-side search over the protected lists of data. You can fully utilise cryptography even where search over protected data is required. This feature is only available in Acra Enterprise version.
More details about the new Acra CE release:
Transparent proxy mode
Transparent proxy mode allows you to configure AcraServer to encrypt records in specific database columns without altering the application code. The application flow doesn't need to change: application sends SQL requests through AcraConnector and AcraServer to the database. AcraServer parses each request, encrypts the desired values into AcraStructs, and passes the modified requests to the database. To retrieve the decrypted data, your application talks to AcraServer again: upon receiving the database response, AcraServer tries to detect AcraStructs, decrypts them, and returns the decrypted data to the application. Read more details in the Changelog, Readme, and in the Acra documentation section dedicated to Transparent encryption (#285, #309, #314).
AcraCensor – SQL firewall to prevent SQL injections
Improved stability of AcraCensor, switched to more flexible rules' configuration.
Breaking changes: Introducing a new format for configuration files, the previous format is no longer supported, you should migrate to the new one.
New configuration file format allows configuring the allowlist and the denylist separately or simultaneously.
allowhandler allows something specific and restricts/forbids everything else. The
allowallhandler should be a final statement as that means that all the other queries will be allowed.
denyhandler allows everything and forbids something specific. The
denyallmeans "block all queries!" (that haven't been allowed or ignored before).
For each handler, there are settings that regulate queries, tables, and patterns. The order of priority for the lists is defined by their position in the configuration file. The processing priority for each list is as follows: queries, followed by tables, followed by patterns (#298, #297, #304, #306). Read more in AcraCensor docs.
Added version to the configuration file. This allows detecting an outdated configuration easily. From now on, AcraCensor supports explicit configuration version and logs errors if the configuration is not valid (#321).
Added ability to log unparsed queries to a separate log file for the debugging and configuration purposes. Sometimes AcraCensor can't parse all of the incoming queries and it is useful to have a separate log for them.
How to use it: Provide the path to the unparsed queries log file in the configuration file
Improved support of PostgreSQL queries ("RETURNING" clause) and quoted identifiers (now you can use
WHERE "column"=1) (#296).
Fixed the bug in QueryCapture log that caused duplicated of records in the log to appear (#318).
Fixed handling of null-size packets in PostgreSQL protocol (#286).
Fixed handling of setting a custom connection API port (#294).
Fixed handling of the plain text data response: if the database returns a plain text response, it is redirected "as is" (#305).
Fixed handling of casted placeholders in expressions like
SELECT $1::type1::type2 FROM table1 WHERE column1=$2::type3::type4(#328).
AcraServer, AcraTranslator, AcraConnector
Added on-start version logging to make it easier to understand which version is running (#319).
Added versioning for configuration files of each service (#322).
Updated some configuration parameters descriptions for better user-friendliness (please see our docs of AcraConnector and AcraServer for detailed descriptions of each parameter and usage examples) (#329).
Updated AcraWriter for ActiveRecord (Ruby), fixed dependencies, added support of mysql2 adapter (#287).
Improved distribution of AcraWriter for Android, now it's available via Maven (#310).
Example projects and demos
iOS Swift example project that shows how to generate AcraStructs with and without Zones.
Android example project that shows how to integrate AcraWriter library into Android app using maven, and then to generate AcraStructs with and without Zones, and to decrypt them using AcraTranslator.
AcraCensor demo that shows how to configure AcraCensor for SQL injections prevention in OWASP Mutillidae 2 example app.
Protecting data in a Rails application demo based on AcraServer, PostgreSQL, and Ruby on Rails client application.
Protecting metrics in TimescaleDB demo based on AcraServer, TimescaleDB, and Grafana.
Transparent proxy mode demo that shows how to configure AcraServer in Transparent proxy mode to protect Django-based application.
Related blog posts
Features coming soon
Pseudonymisation: an early version of pseudonymisation library/plugin for Acra for transparent data pseudonymisation.
Cryptographically protected audit log: protection for logs against tampering.
Updated AcraServer documentation to describe Transparent mode in more details.
Updated AcraCensor documentation to describe the new configuration format and procedures for migration from the previous one.
Updated AcraWriter documentation for iOS and Android to reflect the improved installation ways.
Originally we planned to release the new version on the 2nd anniversary of the first public release of Acra on March 7 but decided to have a celebration instead, but it’s still Mercury retrograde and it’s Friday so we’re staying true to the tradition of releasing things on the most jinxed days possible ;).
Enjoy Acra — try it now!
Want to try Acra with no coding? Request access to Acra Live Demo now, it’s free!