Application security
Last review or update: May 16, 2025
Understand the vulnerabilities of your web calculator to enhance security of business-critical functions and data.
Let’s try to answer the basic question: “Can someone steal my application?” To answer this question, we consider different kinds of “robbery”: intellectual property theft by leaking formulas, or application usage without consent.
In short: we discuss the security of web applications generated by Appizy, emphasizing that while server-side calculations protect formulas, users could still reverse engineer them. We recommend hiding critical data in separate tabs. To mitigate unauthorized usage, we suggest regularly rotating applications and deleting unused ones.
Server-Side Calculations: Formula Security
The web applications generated by Appizy use server-side calculations. Therefore, the end user only sees the interface (the tabs that you left visible before conversion) but does not see the formulas, nor the underlying data and hypotheses you are using. Your formulas are safe; no end user is able to see them.
This doesn’t prevent the end user from reverse engineering the formula or entering different values to guess some of your hypotheses.
Hidden Cells vs. Hidden Tabs
We have previously mentioned the Best Practices that emphasize the importance of splitting the interface (what the user sees) from the calculations (the brain of your tool). This also addresses a security concern. For Appizy, a collapsed column or row in a visible tab is still there; it’s just hidden. In this case, a malicious user could look at the code of your app and discover some business-critical values in these hidden cells.
The safest way to hide your data is to move everything critical into another tab and hide this tab. Hidden tabs are considered secret by Appizy and will remain on the server.
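A pre-upload check for the advice above, as an added example (not Appizy code): it lists hidden rows and columns that sit in visible tabs of a workbook, so they can be moved to a hidden tab before conversion. It assumes the workbook is an OOXML `.xlsx` file; the function names and the sample workbook are constructed for illustration.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

M = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
R = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}"
P = "{http://schemas.openxmlformats.org/package/2006/relationships}"

def hidden_cells_in_visible_tabs(xlsx):
    """Return {tab name: {"rows": [...], "cols": [(min, max), ...]}} for visible tabs."""
    findings = {}
    with zipfile.ZipFile(xlsx) as z:
        rels = {r.get("Id"): r.get("Target") for r in
                ET.fromstring(z.read("xl/_rels/workbook.xml.rels")).iter(P + "Relationship")}
        for sheet in ET.fromstring(z.read("xl/workbook.xml")).iter(M + "sheet"):
            if sheet.get("state", "visible") != "visible":
                continue  # hidden tab: already the recommended place for critical data
            path = posixpath.join("xl", rels[sheet.get(R + "id")]).lstrip("/")
            ws = ET.fromstring(z.read(path))
            rows = [int(r.get("r", 0)) for r in ws.iter(M + "row")
                    if r.get("hidden") in ("1", "true")]
            cols = [(int(c.get("min")), int(c.get("max"))) for c in ws.iter(M + "col")
                    if c.get("hidden") in ("1", "true")]
            if rows or cols:
                findings[sheet.get("name")] = {"rows": rows, "cols": cols}
    return findings

def constructed_sample():
    """Constructed minimal workbook parts for the demo (not a real Appizy file)."""
    ns = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    rns = 'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"'
    parts = {
        "xl/workbook.xml": f'<workbook {ns} {rns}><sheets>'
            '<sheet name="Interface" sheetId="1" r:id="rId1"/>'
            '<sheet name="Engine" sheetId="2" state="hidden" r:id="rId2"/></sheets></workbook>',
        "xl/_rels/workbook.xml.rels":
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Target="worksheets/sheet1.xml"/>'
            '<Relationship Id="rId2" Target="worksheets/sheet2.xml"/></Relationships>',
        "xl/worksheets/sheet1.xml": f'<worksheet {ns}><cols><col min="5" max="6" hidden="1"/>'
            '</cols><sheetData><row r="1"/><row r="9" hidden="1"/></sheetData></worksheet>',
        "xl/worksheets/sheet2.xml": f'<worksheet {ns}><sheetData><row r="2" hidden="1"/>'
            '</sheetData></worksheet>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf

if __name__ == "__main__":
    print(hidden_cells_in_visible_tabs(constructed_sample()))
```

An empty result means no hidden rows or columns remain in the tabs that end users will see.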
Private Link: Usage Limitation
Now, let’s move on to sharing your webified spreadsheet. Once imported into Appizy, your spreadsheet becomes accessible through a private URL without authentication. Let’s develop these two aspects and how they impact the security of your application.
The embed link of your application is private. This means you are the only one who knows about it. We do not share it publicly, nor do we send it to any bots for search engine indexing. It’s yours and only yours. Moreover, it’s hard to guess; we don’t use any sort of incremental pattern for the application, which makes discovering it by guessing very laborious.
That being said, the URL doesn’t have any authentication mechanism. This means that once someone has it, they can access it without having to provide any login or password. It also means that once shared, the URL can be re-shared with other people without your consent.
Membership Consideration
We have many Appizy users driving a business based on spreadsheet tools served as web calculators on a larger website. Many platforms (Wix, WordPress, and so on) offer membership features to allow the generation of revenue streams through private content delivery.
To do so, you simply need to embed the calculators in a private section of your membership platform. Once this is done, only paying members of your site will be allowed to use your tool.
However, once members have reached the page, they can obtain the calculator URL by checking the page’s source code, then copy it and use it directly without going through your paying portal. So it is possible for an end user, let’s call him Bob, to pay for one month of subscription, get the pages and the calculator links, then stop the subscription and continue to use the online tools. That’s where application rotation and sanitization come into play.
Application Rotation and Sanitization
If you are concerned about application usage without your consent, we recommend rotating your applications on a regular basis. Indeed, once you re-upload a spreadsheet to Appizy, you’ll get a fresh new embed link. You can then replace the embed link in the given section of your website and delete the old application. This way, even if Bob saves the link of the old application, it will be totally unusable, forcing him to remain a member of your website if he wants to continue using your tool.
Finally, independently of any membership website, we advise you to delete all applications that you no longer need. This sanitization process will ensure that you remain in control of your application usage.