I would like to encrypt my resources .XML files in the following path: res / raw / fiche.xml and res / raw / so fiche1.XML each time the program uses both files and must first decipher the two files at the end of execution, it re-encrypts both files.
my question: how encrypts and decrypts files that are in the resources and do you have an example (source code) or source code that explains the steps?.
This seems to be a popular question; Google finds a few stackoverflow responses that seem relevant.
I would advise you to not worry about it too much, and not to put anything sensitive into your apk. If you encrypt these files, you'll still have to ship your encryption key with them (so your application can decrypt them). Anyone with the capability/desire to extract your apk and retrieve these files will also be able to easily find and retrive your shipped key, and anyone without the capability/desire to do so will never look for these files in the first place.
Related
I need to upload some files on my server.To problem is that the files are encrypted(.p7s extension) and i want to decrypt them first.
This is the application i'm using to remove the encryption
There is anyway to remove the encryption directly from my java code?I read something about bouncycastle library, but i really don't know how to use it.
Thanks in advance.
There is a Application called Keytool to read those files. The app is distributed with every java sdk. The code is implemented in Java, so you should be able to debug the application.
No need for bountycastle, even if the documentation is better.
I have a file which I'll call A.txt which I use it within java application. This file is shipped together with application, and I want to have a way to verify (within the application) that it is indeed my file, and not one which was for forged.
I have two ideas, but both are susceptible to some attacks:
I ship signature, A.txt and public key as a plain text with the application but if the attacker simply signs his own file, replaces the signature, A.txt and public key the verification will pass.
I hard code the public key into java app - apart from decompiling, if I send A.txt to person A and B.txt to person B and they exchange their txts they will both verify successfully, and I'd rather have person A verify just A.txt successfully.
How can I do this without any possibilities of being attacked? Or how can I implement my ways so that they are safe?
Hiding an encryption key within code can be very dangerous. Reinard had a good idea about the web service that can encrypt and decrypt the file.
Another option might be to hide the key inside the registry or somewhere in a hidden directory. You can also try building your own algorithm that can build up the decryption key.
But what about decompiling? This has always been a major pain for most developers. How do you properly hide secrets within code? You can try using application packagers or scramblers that can slow down the decompiling process. You can also get a java obfuscator like ProGaurd make your code harder to reverse engineer.
I really hope this helps.
In my application, users can upload any kind of files.
I would like to store them (or their data, byte[]) encrypted in the file-system, and when the user wants to re-download them, de-crypt them on the fly, transparently for the user.
The files must not be user-private, as they can be shared between groups of users.
Someone with only file-system access should not be able to get the file data.
What would be the best practice to achieve this kind of encryption requirement ?
Security should be the most important consideration.
Edit
As ideal I would see an api which I can pass the file-data as byte[] which takes care of en/decryption. This way the java.io.File would not need to know about the encryption at all.
A salt could maybe be provided from the file's metatada, while the key could e.g. be provided on application startup.
Edit 2
The comment from #Jared points to an article which kind of sovles my requirement:
http://www.codejava.net/coding/file-encryption-and-decryption-simple-example
The application runs under a system account so encrypt a folder for only that account.
Store the uploaded files in that encrypted folder.
Don't give anyone the password for that account.
Windows has this built in and there are many ways to achieve this on *NIX.
This meets all of your requirements.
When you compile a .java file into a .class file, if you had a line like
String s = "This is a String"
If you open up the .class file in a text editor, you will see
This is a String
Somewhere in the file amidst the gobblety gook.
Which is fine and dandy for most stuff, but not when dealing with sensitive information like API keys.
Of course, one alternative is to read the API key in from another file, but that just makes it EASIER to find the key, as now the person can just open "key.txt" when they open the .jar file.
So how do you encrypt a string literal in your .class file?
When you send code to a 3rd party, you loose all control over it. Even if you where to embed the API key as an encrypted string, an attacker could still try, and potentially succeed in breaking it, which would make all your encryption/decryption efforts in vain.
The best solution, in my opinion, would be to not provide any sensitive information within the application, but rather provide it with an ID of some sort. Any sensitive values which it needs would be then pulled through the use of a secure connection.
If you use a key to access a 3rd party API there is no way to protect that key from the end-user IF you ship it with your code / application or you want your application to be able to access the 3rd party API without a middleman.
The end-user could just read all data send from your app to the end-point and know the API key. Regardless of any measures you took to encrypt it you will need to send it atleast once decrypted to the 3rd party.
The safe way to do this is to require your user to log in to a service provided by you, send a request to YOUR service and then YOUR service (which is presumably not located on the machine of your end-user) sends a request to the API with the key. So the end-user never knows of the key.
If you store the information in the class file, the decryption key should come from outside of the class. You can crypt the data, but if you have all the information within the class file, you are lost.
You should store API keys in config files. You have a different API keys for development and for the live, right?
Other possible solution is to use KeyStore, which allows you to store sensitive information in publicly accessible format. Only the holder of the secret key can decrypt the sensitive data.
Even if you keep that information encrypted in your class, a hacker can find the mechanism to decrypt that from your code only. So IMHO it's better to keep that encrypted information in some other file, and read that file. Also, restrict the access to that file using OS security mechanisms.
Hi I have a game made in Java and Slick2d and I have a folder that contains all of my resources (images, sounds, etc) and I was wondering how to encrypt them so people can't edit them? I tried MD5 but I'm not really sure how it works and I'm not worried about people breaking into the code because I have spliced the jar into an exe file. Also if I need to know how to decrypt the files so that they can be used in the code please explain that too.
There is no way to protect the images/resources, all you can do is make it slightly harder. If you deliver your images/resources to the client then they can always decrypt them, after all the client has to display them unencrypted at some point in time.
Btw.: MD5 is a hash-algorithm, it is used to check if data is undamaged.
MD5 is a hash function which is irreversible and two input may produce the same output.
in case the content of the files is not 'secret' you can use MD5 for a verification process, this should be quite easy.
Create a hashtabe (or just a table) with the hashes of all the resources your application uses
Once the applet lanched create an hash for each of the files and compare it with your table, if its not the same, someone has changed the content of your jar file.
I'd recommend to keep the hash table within the code so it will be harder to modify
If you are using your resources, you have to decrypt them then the client can use them, because they are being used in the game.