If i include a properties file in my project that contains a database password, how do i stop someone from browsing the .jar file and accessing it.
Currently i have it hardcoded, but you can decompile and access it even with Obfuscation.
Is there a best method for handling sensitive data in app code?
Short answer: You can't
Longer answer:
Protecting a JAR file is not really possible if the attacker has access to the file system and hence the JAR file. You could encrypt the property file that contains the database password, but then you're facing the same issue again as to where store the encryption password.
In the end, having passwords stored in property files is not optimal for security. If possible, you should use a password safe with an API usable by your application. Cyberark or Vault (and many more that I don't know) are examples of such password safes.
Related
In my application, users can upload any kind of files.
I would like to store them (or their data, byte[]) encrypted in the file-system, and when the user wants to re-download them, de-crypt them on the fly, transparently for the user.
The files must not be user-private, as they can be shared between groups of users.
Someone with only file-system access should not be able to get the file data.
What would be the best practice to achieve this kind of encryption requirement ?
Security should be the most important consideration.
Edit
As ideal I would see an api which I can pass the file-data as byte[] which takes care of en/decryption. This way the java.io.File would not need to know about the encryption at all.
A salt could maybe be provided from the file's metatada, while the key could e.g. be provided on application startup.
Edit 2
The comment from #Jared points to an article which kind of sovles my requirement:
http://www.codejava.net/coding/file-encryption-and-decryption-simple-example
The application runs under a system account so encrypt a folder for only that account.
Store the uploaded files in that encrypted folder.
Don't give anyone the password for that account.
Windows has this built in and there are many ways to achieve this on *NIX.
This meets all of your requirements.
This is more just a general thought and speculation from my side, being a student of Computer science.
Lets set the scene:
Lets assume that I have created a wonderful application in Java that I plan on selling in the future. The java application has a complex structure and uses connections to a database using JDBC etc to connect to the DB, get the information from some table in the DB and then work with that data.
To be able to connect the Java program to the DB i have to give the program some information of the DB such as the link, username to the DB and its password.
My DB holds alot of information that I do not want others to see without authority.
But these informations are clearly visible in the java code i created. How sure can I be that no one can access this information after the app has been compiled into a JAR file or a .EXE file?
This might be a dumb question, but I'm just curious.
Thanks
Don't compile the user & password values into your Java application. Write your application with the ability to read those values from an external properties file. Then it's your customers' responsibility to restrict access to that file so only trusted users can read or alter it.
Security concerns aside, configuration such as DB connection strings, usernames and passwords is not part of the shipped application but an installation specific setup. All the application needs to do, is to expose a simple way for the end users to spell out these settings (e.g. property files, xml, etc...).
With this approach, it is the users responsibility to secure usernames and passwords.
Short answer, you can't. If it's in the jar or exe, it will be visible. Your best bet is to encrypt the compiled files.
There is really no possible way to prevent someone from decompiling your code back to something akin to its original state. You could make it more difficult, but if someone is determined, they can get it back to code form. As such the correct response is to not put any sensitive information into your java code. Put it somewhere else.
In this case, you might consider moving the information you want to client to access in your DB to a different DB, that doesn't contain sensitive information. Alternatively, if your database software allows it, create a new user on the DB, that only has access to the data the client will view, and use that login in your java program.
EDIT: mysql users
To create a new user in mysql run the following command:
CREATE USER 'username'#'hostname' IDENTIFIED BY 'password';
if you want the same user to be accessibble from any host replace hostname with %
This user is created with no permissions by default, so now onto adding permissions. Here is an example
GRANT [permission_level] ON database.table TO 'username'#'hostname';
Replace the table name with * to specify every table in the database.
for a full explanation of the syntax of these options look here: CREATE, GRANT
This should help you restrict who can access what in your mysql database.
I recently found that the databases of Android apps are totally exposed. That said, my configuration is exposed, I save there passwords.
So, now my doubt resumes on java code.
String value = "example";
This could be an example where I store a password to pass by reference to webservice.
People, with some kind of software (like this example Is there a way to get the source code from an APK file?) could be able to get all the code? (I tried to follow the steps without success)
I read about http://developer.android.com/tools/help/proguard.html, how do I know that it's already implemented in my project?
When you create an Android project, a proguard.cfg file is
automatically generated in the root directory of the project.
I checked my root directory and I don't have that file.
Thank you guys.
Obfuscation does not guarantee that your code won't be de-compiled. people who get your apk will still be able to review the code (although the flow of the app will be significantly more difficult to understand). Function names, variables and class names are changed but the code is still viewable.
password and other sensitive information should be kept in Android's keychain , where it's protected. never save passwords in a configuration file (preferences file).
You can look into encrypting your local database with sqlcipher. Proguard obfuscates code but will not hide your passwords if you have them hardcoded anywhere, it is not a tool to be used for security[reference]. Also all of your network traffic is vulnerable unless you use some sort of TLS.
As you describe your app now it is trivial to get the passwords in your app.
You can use char[ ] instead of string data type for storing sensitive values like password. This will make it difficult to recover if someone takes memory dump as value is not present string literal pool if used char[] data type.
The app I am working on gets all the files from the sdcard but these files are really important and the app should maintain a security issue .So is there a way that the folder or directory that contains the file may be encrypted or locked with a key and only be used by my app?
Please help I am newbie and stuck at this point.
On Android, anything stored on the SD card is not protected by permissions and can be accessed by any application that has permission to touch the SD card (and by anything/anyone that can pull the card out and read it elsewhere). Basically, you need to assume that if you put resources there, they can be accessed by anyone. So, you are correct, you want to encrypt these resources so that even with that access, no one can access them.
Android includes plenty of support for well-known cryptography. In this case, you'll want to use symmetric encryption. The current best practice here is to use AES with 256-bit keys, all of which are natively supported in the Android class libraries. There are plenty of resources on how to do this in the developer documentation online and there is a complete rundown of all the issues you need to think about, and code examples of the entire process, in Application Security for the Android Platform (disclaimer: I'm the author of this book).
You do need a key to encrypt this data, and you need to keep that key secret (anyone that knows it can decrypt the data). You have two options...(1) ask the user for a password every time they use the application and then derive the key from that password, or (2) store the password in your application. (2) is dangerous as Android applications can be readily reverse engineered, where an attacker can simply look into your application and find the key. (1) is preferred as then there is no key stored for an attacker to recover...the tradeoff is that your users need to type in a password to use your application. What you should do here is a function of the risk analysis...how important is this data? Do you need it protected in a strong manner, or are you protecting it to just make things harder for an attacker? Only you can answer that, based on your use cases and the sensitivity/risk of your data.
Have a look at those resources:
http://source.android.com/tech/encryption/android_crypto_implementation.html
http://developer.android.com/reference/javax/crypto/package-summary.html
You should be aware that of course you shouldn't store the key to the encrypted data in cleartext but rather encrypt that itself with a password a user can choose or similar.
This is how to make a new folder:
String SaveFolder = "/Save";
String extStorageDirectory = Environment.getExternalStorageDirectory().toString();
File mySaveFolder = new File(extStorageDirectory + SaveFolder);
mySaveFolder.mkdir();
Got this code in the public void onCreate
Now it makes a folder with the name "Save".
Edit:
I looked there is not a way to set a password or something.
Though I read here http://developer.android.com/guide/topics/data/data-storage.html#filesInternal it is possible to save files in the internal memory, where users can't get acces too, but I never used that, so I can't help you with that.
Till now, i have been creating a file (txt/excel) using buffered Writer for creating a text file and JExcel API for creating a Excel file. These files i have been creating using Java only.
Now i want to make the file password protected in both the cases, that to something like, the file can be accessed by number of people, but only selected may access it using there own login ids/password.
Is it possible to do so?..
Thanks
The answer completely depends on what way you want to open your protected files.
If it is opened by your (java) program or an application, then you can simply simply encrypt it with a password upon saving, and decrypt it with something the user provides,
and use some checksum or header to see if the result is valid - or some garbage due to bad password,
some crypto APIs will do it for you right out of the box.
Second option - if you meant encrypting files with a program (like a notepad file, or something), and you expect windows or notepad to ask you for the password, then it depends on the format of the file you use. Some can be password protected, some can not -like text files usually associated with notepad). In this case password protection works as described in the format's own documentation, and you have to research a bit, I guess it will be too much work
we can do password protection of zip files with the core Java API.
Yes, it is possible to do that, you would have to write your own encryption and decryption tool or write a plugin for excel to do the decryption.
Usually the best approach is to use the security of the OS and specify which users can read or read/write the document. This is transparent to the user and doesn't require a encryption/decryption tool.
yes it is possible. You can use either AES or DES encryption. password is nothing but the key using which the file can be be encrypted or decrypted. you can create your own listener which will prompt you for password. If you enter the password then it will take the password and try to decrypt the file