Review of AppGini
I recently purchased AppGini, a Windows based tool that can generate web-based PHP driven websites. This review is based on version 5.62 (May 8, 2017 release).
Update on 22.01.2018 – The solution does in fact have a date picker.
Update on 03.02.2018 – Updating the issues fixed in 5.70
What is it?
AppGini is a tool that will generate database driven websites for you. You provide it with the database schema, and it will generate PHP code, with all the bits and pieces necessary to produce a fully functional web-based application. I see the application more geared towards small businesses that need to maintain some basic information. That does not mean that enterprises can’t use it either.
They offer a trial version with limited functionality. The license for the app is $79US, which includes a year’s worth of upgrades.
Let me run through some of the things I have found.
- The themes in the tool are based on Bootstrap. It renders beautifully. On all the browsers I’ve tested, the colour schemes look great, the usability on both browser and mobile is flawless.
- The tool is really simple to use. Within minutes, you can have a fully running application, with no hassle at all.
- Even the generated web application is easy to use.
- I really liked the idea that tables can be linked, and that parent/child tables can be displayed on the same screen.
- The security model for restricting access to tables and records works really well. I like the way it was built into the application.
While their website claims that the tool is secure, I did identify a number of security issues, which I have reported to the vendor, who has confirmed to me that they will fix them in the next release.
- Passwords in the database are stored with the MD5 hash. This is so 1990. MD5 is badly broken, and should not be used.
- The Remember Me function creates a cookie with the combination of username and password, also hashed with MD5. This is nasty. There must be an easier (and more secure) way of doing this; how about just using the session for this?
I also noticed that the session cookies are not set with HttpOnly. Anyone who manages to get script running in the browser would be able to read the session cookie.
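As an added illustration (not AppGini's code), here is how the three points above can be handled in plain PHP: passwords stored with password_hash() instead of an MD5 digest, a Remember Me cookie that carries a random token whose hash is kept server-side instead of the credentials, and session and remember cookies flagged HttpOnly and Secure. The table names, column names and function names are assumptions.

```php
<?php
// Added example, not AppGini's code. $db is a PDO handle; the tables
// `members(username, pass_hash)` and
// `remember_tokens(selector, token_hash, username, expires)` are assumed.

// 1. Store passwords with a slow, salted hash instead of md5($password).
function storePassword(PDO $db, string $username, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT); // bcrypt today, upgradable later
    $stmt = $db->prepare('UPDATE members SET pass_hash = ? WHERE username = ?');
    $stmt->execute([$hash, $username]);
}

function checkPassword(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT pass_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    // password_verify reads the algorithm and salt from the stored hash.
    return $hash !== false && password_verify($password, $hash);
}

// 2. Remember Me: hand the browser a random token, never the credentials.
//    Only the SHA-256 of the token is stored, so a leaked table does not yield
//    usable cookies; the selector lets us find the row without the secret.
function issueRememberMe(PDO $db, string $username): void {
    $selector = bin2hex(random_bytes(9));   // 18 hex chars
    $token    = bin2hex(random_bytes(32));  // 64 hex chars
    $expires  = time() + 30 * 86400;
    $stmt = $db->prepare('INSERT INTO remember_tokens (selector, token_hash, username, expires) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $token), $username, $expires]);
    setcookie('remember', $selector . ':' . $token, [
        'expires' => $expires, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}

function checkRememberMe(PDO $db, string $cookie): ?string {
    if (!preg_match('/^([0-9a-f]{18}):([0-9a-f]{64})$/', $cookie, $m)) return null;
    $stmt = $db->prepare('SELECT token_hash, username, expires FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$m[1]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['expires'] < time()) return null;
    // hash_equals compares in constant time, so the stored hash does not leak via timing.
    return hash_equals($row['token_hash'], hash('sha256', $m[2])) ? $row['username'] : null;
}

// 3. Session cookie flags must be set before session_start() (PHP 7.3+ array form).
function startHardenedSession(): void {
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax', 'path' => '/']);
    session_start();
}
```

Call startHardenedSession() at the top of every page instead of a bare session_start(), and only read $_COOKIE['remember'] through checkRememberMe().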
Other issues I have discovered
- In the event of a failed logon attempt, the password is sent via a hook to an external procedure (that can be customized by the programmer). As a security professional, I don’t like passwords being used for purposes other than what they are intended for. It should not be passed around.
- There is no strong password validation. At the very least, the application should allow some policies to be set (i.e. minimum length, upper case, lower case, numbers, etc.).
- There is also no forced password change option.
- There is also no option for account lockout after x number of failed attempts.
- There is no internal logging of any kind. If you put your security hat on, you will want to know who accessed (or tried to access) the application, when, and from where. At the very least the tool should record login, logout, as well as failed logon attempts. This can be resolved with hooks (but why should I build a hook for this? The tool should just do it!)
- I was expecting a proper date picker when I use dates in my application. AppGini would just create 3 boxes for year, month, day. It’s not a problem, but I would have expected a proper date picker tool. There are plenty of them (free ones) that can easily be integrated into the tool.
- There is no reporting feature. While I do appreciate that this is an application generator, and not a report generator, at the very least there should be the ability to write custom SQL queries that can be displayed within the application. There are some workarounds available on their website that describe how you can achieve this.
- I did say I liked the security model, and I do. What I did not like was that the security of the generated application has to be done within the web application, not the development tool. At the very least, the development tool should allow you to enter some basic details on the security model. Groups, and the access each of the groups has, should be part of the development tool, not the web tool.
Things that need to be improved
- Authentication is a big one for me. With so many breaches being reported every month, we don’t want to continue adding to the list with tools that could provide attackers an easy way in. It is really simple to include things like Multi Factor Authentication, be it through Google Authenticator or a Yubikey. Those should be standard in my opinion.
- A nice to have feature would be the ability to log on via Facebook, Google, or any other OAuth2 provider for that matter. Not difficult to do, and it would also save a lot of issues.
- And of course, with more businesses moving to the cloud, federation would also be a very nice to have. It would help to propel the tool into the enterprise space.
AppGini for me will score 4 out of 5. It is not perfect (but no tool ever is). For what it is built for, it is functional, and it does the job. For $79USD, it is good value for money. I would not run any sensitive data management on it (until the security issues are resolved). Watch this space. As the issues get resolved, I’ll update the post.