I have an application that use a .properties data containing password from DB, this application will be used by my client but I don't want to give him any kind of access to this properties data, not even if we look in the .jar. I thought to use zip4j but is there any another best solution for this because when I unzip it the .properties will be decompressed somewhere giving the client access to it doesn't it??
This cannot be done. Just forget about this idea and re-think your system.
You can't provide read access not providing read access at the same time.
This is a wet dream of legal depts in the media industry. They invest piles of money in solving this insolvable problem with DRM that never works, but annoys everybody.
You can make it more annoying to extract the data - using various obfuscation techniques - but that's all.
One of those ideas is to encode the passoword in C++ library and link it via JNI. Then the user cannot extract it without disassembling the binary file, but will be able to make memory dump at runtime anyway.
You can read the password from central server at runtime. You can use one-time passwords for that. Again, this is futile if the user has modest technical skills, as you can still request the server for the password using curl or some simple script.
You can use hardware access-token that will allow connection to the database (smart-card or something). This was quite popular technique in '90.
All you can do is to add some level of annoyance which will stop non-technical person. With enough money you can build some decent DRM that will stop technical-savvy people for a while, but I seriously doubt it's worth the money.
If the database access is so precious that you can't give the user access to it, yet he needs it, your design is broken.
Related
I need to add something that generate an activation code in my android app so the app features should work only if the app is activated. what is the best way to do that ?
If I understand the question correctly, what you want to achieve is technically impossible.
Any functionality your app has is already there in the app, downloaded to the client. A user can use a debugger to disassemble the app file and change your source code to either not require an activation code or accept any code (whatever is easier, but both are possible). Anything you give to a client should be considered as being fully controlled by the client, any logic in there can be changed, secrets can be seen, etc.
This may not be straightforward, especially if you use some kind of an obfuscation, but it will always be possible. The question is only the effort needed.
And the effort is key here. In some scenarios, protecting low-value resources, it may be good enough to deter the lowest profile attackers. It's always about risk and the cost of protection. But you need to be aware of the above, that the logic in an app cannot be protected.
So if you want to protect your stuff, you have a few options for different scenarios:
Have two separate apps, one free without paid functionality included and one paid. Users can use the free one and then buy the other if they want.
Have paid functionality served by a server. If critical business logic is on the server side, you can really enforce access control rules and you can maintain control over who has access. This may have serious implications on your app architecture and functionality though.
If the value you are trying to protect is low, you can go for obfuscation and access control logic in the app as mentioned above, but you need to be aware that this can be cracked relatively easily, especially on Android by changing the apk.
I believe you cannot do this with just your app, you definitely need the help of server which would generate an activation code for you and match it with the logged in user. Once the generated activation code is passed on to the user via email or any other means, then you can match the activation code given by the user and then match with the one in the server and if they match, let them use the features.
I hope this is what you want. But I might even be dumb enough to misunderstand you. Let me know if this is what you want.
My client wants to setup a script/file in Ubuntu in one of my client's contractors system to monitor his work/sites visited etc as long as he is in office.
His contractor will have root access in the system, so how can we make sure that the file cant be changed ? Deleting wont help him as his boss will know that because he wont get the online reports anymore after deleting.
But he can change it to the way he wants. Actually, we can write a java.java file or python or some program file but I found that even java.class files and python.pyc files can also be decompiled.
So, he can easily know the program and can easily change it.
So, any solution for this ?
Assuming you have legal issues taken care of, your only hope seem to be Encryption and Security through Obscurity.
Go for languages which are tougher to decompile, such as C/C++ (see this)
Ensure that you collect a lot of data, and store all the data encrypted so the client cannot directly access it.
Try and obsfucate to hide away your encryption keys, as well as the encryption algorithm.
Send the data from the contractor's system to the server encrypted.
Possibly also monitor whenever the contractor killed your process.
The best solution would be not to do this.
Now I don't know about your country's legislation, but in mine, any solution of this sort would be highly illegal. If the client is worried about the contractor, there would be other means of "monitoring" them.
Daily reporting
Set up a proxy blacklisting sites, possibly enforcing it over network tools
Actually meet the person and talk with them about their achievements, difficulties and such. Not inquiring, actually caring about how the project is going. If that doesn't motivate the contractor to work, nothing will.
I'm looking for a way to generate a key on my app to connect to an API on my server, in the past users have decompiled the app and found the key, but with this method they can see how I generate the key but can't generate themselves the same key.
But still not sure if it is safe to use:
getClass().getHash();
Along with HTTPS it should be safe or am I missing something?
No, it's not secure. If one can decompile your code, then he/she can always retrieve any stored or computed information, even if obfuscation takes place (it would be harder to spot it, but again one can dig more and find it).
Check this similar post suggesting Jasypt or some other practices to use/store passwords in your projects.
There is still no safe solution to store credentials, as a successful decompilation can always retrieve it. You could ask from a user to type a password on each run and temporarily keep it on memory, but it seems you are interested in keeping this information secret even from your legitimate users. Also, if you use a client cert, then one could copy/reuse it in another instance of your program.
One could even utilize embedded devices (eg smart cards), where you need advanced hardware intervention knowledge and tools to extract private keys/passwords. But again, you need a sophisticated protocol (eg combining MAC/IP), as an advanced hacker could perform a replay attack (copy/paste/share the encrypted output of the smartcard), so he can use it on another run instance.
That's why there is still software piracy out there! Find a working solution and you'll get rich!
I have created an informational android app where we manually entered lots of data using our resources.It uses sqlite database.
I know it virtually impossible to protect the database 100% but I want to make it difficult so that every tom,dick or harry does not just runs a reverse engineering software in apk and get the database and create a new app or use it as a part of their app(information is found every where but our data entry effort is all wasted)
So, How can we protect our database?
I saw some SQLCipher and some other libraries.
But I found that actually the password are hard-coded in java files which can be easily reversed engineered and will be available. So,I am not understanding how it really protects rather than adding just another easy to crack layer.They will just get password from file and open that database. Plus it is increasing the application size as well.
So how does it really protect from real thief?
Am I missing something?
I just want to protect my database(even not bothered much about code for now).
Any help or suggestions?
Thank you.
SqlCipher, this will might work in your case and best security provide
I am writing a small webserver for my house to play around with a few java API's I want to know better. This web server will eventually hold personal files and pictures.
I did not feel like setting up an LDAP server for authentication and was wondering how bad would it be if i just had the java code check it directly?
As long as you take proper precautions not to distribute or publish your source code, having a hardcoded password is most certainly safer than having a network service validate it. There are two problems, however:
Keeping your source code secret may not be too hard, but you can easily forget that you hardcoded the password in the future an become careless about the source. You may want to copy it to a friend, or publish it on github.
Having the password hardcoded means that someone that compromises your code may easily learn the password. A tried-and-true network authentication solution will not be ridden with vulnerabilities - your code almost certainly will.
A potential alternative you should consider is to keep a plain text file with the password, and read it as necessary. It mitigates (but doesn't eliminate) these two issues, and will also allow for a bit more security if your OS supports the proper file permissions and user privilege separation.
As always, avoid using a password repeatedly for different services. Since you'll have untested code facing the internet, remember to implement proper OS-level counter-measures.