I'm trying to secure a java app that I'm working on. This app has service wrapper that contains a list of parameters, among these a database password. So there are 3 solutions but I'm not sure that any one of them is possible.
1) encrypt the whole file without yet keep it usable.
2) store an encrypted password and add a encryption function to the file
3) create an external program that restores the encrypted password and call it's result in the wrapper.config file
After desperately searching the internet for a response I didn't find any helpful so I'm hoping to find someone who had a similar issue in here.
Another alternative would be to use a key store, as shown in this blog post, however you would still need to find a safe place to store the key to the key store itself. To go around this, you could make your application ask the user the password to the key store, this way the data will be secure but you do not store any (keystore) passwords. That being said, if you are willing to ask your user for a password each time the application switches on, one might as well simply ask the user for the DB password right away.
If you are encrypting the file, you would still need to ship the key with which the application will need to do the decryption. This would mean that potentially users would still be able to look into your application and decrypt the file as they please.
I think that if you really want a safe solution, the answer would be to simply not store the password yourself, but rather ask the users for the password each time.
Related
In my application, users can upload any kind of files.
I would like to store them (or their data, byte[]) encrypted in the file-system, and when the user wants to re-download them, de-crypt them on the fly, transparently for the user.
The files must not be user-private, as they can be shared between groups of users.
Someone with only file-system access should not be able to get the file data.
What would be the best practice to achieve this kind of encryption requirement ?
Security should be the most important consideration.
Edit
As ideal I would see an api which I can pass the file-data as byte[] which takes care of en/decryption. This way the java.io.File would not need to know about the encryption at all.
A salt could maybe be provided from the file's metatada, while the key could e.g. be provided on application startup.
Edit 2
The comment from #Jared points to an article which kind of sovles my requirement:
http://www.codejava.net/coding/file-encryption-and-decryption-simple-example
The application runs under a system account so encrypt a folder for only that account.
Store the uploaded files in that encrypted folder.
Don't give anyone the password for that account.
Windows has this built in and there are many ways to achieve this on *NIX.
This meets all of your requirements.
I'm building an Android app in which I need to encrypt the database. For this I now want to use SQLCipher. I'm now reading about it, but there's something which I don't understand; where does the password reside? Should it be stored somewhere in the Java code, or can the (4 digit) passcode of a user be used to encrypt and decrypt the DB?
And thinking further; what if I have multiple users that can log into the app (I always confirm the passcode with our own API), is it possible to give several users with different passcodes access to the same database (i.e. decrypt it)?
All tips are welcome!
where does the password reside?
In the user's head, or some other place the user elects to store it.
Should it be stored somewhere in the Java code
Not if you want useful security. Anyone can reverse-engineer the app to get the hard-coded passphrase.
can the (4 digit) passcode of a user be used to encrypt and decrypt the DB?
I have no idea what you are referring to. You are certainly welcome to prompt the user for a passphrase. Please do not limit it to a 4 digit value, though, as that can be brute-forced very easily.
is it possible to give several users with different passcodes access to the same database (i.e. decrypt it)?
Not really. SQLCipher only supports one passphrase per database. You can have different databases per user, each encrypted with the user's own hopefully-decent passphrase.
The app I am working on gets all the files from the sdcard but these files are really important and the app should maintain a security issue .So is there a way that the folder or directory that contains the file may be encrypted or locked with a key and only be used by my app?
Please help I am newbie and stuck at this point.
On Android, anything stored on the SD card is not protected by permissions and can be accessed by any application that has permission to touch the SD card (and by anything/anyone that can pull the card out and read it elsewhere). Basically, you need to assume that if you put resources there, they can be accessed by anyone. So, you are correct, you want to encrypt these resources so that even with that access, no one can access them.
Android includes plenty of support for well-known cryptography. In this case, you'll want to use symmetric encryption. The current best practice here is to use AES with 256-bit keys, all of which are natively supported in the Android class libraries. There are plenty of resources on how to do this in the developer documentation online and there is a complete rundown of all the issues you need to think about, and code examples of the entire process, in Application Security for the Android Platform (disclaimer: I'm the author of this book).
You do need a key to encrypt this data, and you need to keep that key secret (anyone that knows it can decrypt the data). You have two options...(1) ask the user for a password every time they use the application and then derive the key from that password, or (2) store the password in your application. (2) is dangerous as Android applications can be readily reverse engineered, where an attacker can simply look into your application and find the key. (1) is preferred as then there is no key stored for an attacker to recover...the tradeoff is that your users need to type in a password to use your application. What you should do here is a function of the risk analysis...how important is this data? Do you need it protected in a strong manner, or are you protecting it to just make things harder for an attacker? Only you can answer that, based on your use cases and the sensitivity/risk of your data.
Have a look at those resources:
http://source.android.com/tech/encryption/android_crypto_implementation.html
http://developer.android.com/reference/javax/crypto/package-summary.html
You should be aware that of course you shouldn't store the key to the encrypted data in cleartext but rather encrypt that itself with a password a user can choose or similar.
This is how to make a new folder:
String SaveFolder = "/Save";
String extStorageDirectory = Environment.getExternalStorageDirectory().toString();
File mySaveFolder = new File(extStorageDirectory + SaveFolder);
mySaveFolder.mkdir();
Got this code in the public void onCreate
Now it makes a folder with the name "Save".
Edit:
I looked there is not a way to set a password or something.
Though I read here http://developer.android.com/guide/topics/data/data-storage.html#filesInternal it is possible to save files in the internal memory, where users can't get acces too, but I never used that, so I can't help you with that.
The other day, Google notified me that my Gmail account may have been compromised as it had been accessed by two IP addresses from out-of-the-ordinary locations. Since I generally (and stupidly) use the same password for every website, I decided to change things up and use different passwords.
Being an Android developer, I have decided to start developing a password keeper application for which I can store my usernames and passwords, as it is difficult to remember different passwords. I do not want to take the easy route and download an existing third party password keeper application.
This got me thinking, what is the best way to secure usernames and passwords in my application? Currently, I require a password to view a list of accounts that can be added. I am also storing usernames and passwords into a database. It seems that Android cannot natively encrypt a database, however. I could encrypt the values that I store in the database, but if someone got their hands on my phone, they could find out the encryption if they really wanted to. Or, I could use a server for encryption/decryption, but then you have a server that has to be maintained and can be compromised.
I would love to get some opinions on the topic. While I know that perfection cannot be achieved, what would be a good method to implement for my Android application?
You are certainly going to require the user to provide a PIN or password every time they want to add/view the password list, right? Why not use that as the encryption key, meaning that if someone gets your phone they still cant acces or decrypt the passwords without knowing the user defined key.
take a look at the application 1password they are probably the best password keeper app on the market. Their philosophy is they store all your passwords behind a 128bit encrypthon where you use your 1password to get in. Other than that all website passwords are randomly generated alphanumeric strings. So there is really no collision chance and you are safe where ever you browse.
You shouldn't use a server that just means that people can assume their passwords are sitting somewhere and if you are a good app developer the passwords on the server will be just as secure as if you store them client side.
As for finding out the encryption if they "really wanted to" That is really up to the user picking the one password they key all their information with. Yes, it is possible to crack encryptions with brute force but if the user picks a non dictionary alpha numeric string, the probability of getting through is near impossible. Also if you encrypt everything properly, they cannot just "break" the encryption.
Last just because I can
Credits XKCD
What would be the recommended way for storing passwords in a Java desktop application?
I want the user to have the ability to enter the credencials only once and not be prompted again.
On personal projects I've been using the Preferences API, but I'm assuming this is no different than storing it in plain text (security wise).
Many thanks
EDIT:
Many thanks for your suggestions. There seems to be some confusion, no doubt because I might have not made the question very clear...
I'll give an hypotetical scenario:
Say I'm creating a simple front-end for a remote database which creates a connection string with username/password. Normally the user would be prompted to enter the username/password combination each time the application starts.
What would be the best way to store that password in the user's machine, without the need to re-enter it (connecting automatically upon application start).
A kind of "remember me" functionality (which I know in itself is not a very good practice...)
EDIT2:
Thanks for your answers everyone.
PaĆlo Ebermann's was very informative about the problems at hand and Chris Smith's link was interesting, but I've accepted JVerstry's one, as keystores might be the route I'm taking.
You can use a local keystore where you could put passwords instead of secret keys.
Answer to edit:
Keystores are a perfect fit for your need. If you want extra protection, you could ask the user for one password to access all passwords when the user starts the application. Then, you could protect stored database password with a simple salt-and-stretch method (to generate an encryption key) using the one password that was used when starting the application.
There is no way to store something on a computer in a way that your Java program can retrieve it (without the user entering some password), but no other program (running in the same user's account) on this computer can retrieve it.
You can try to encrypt it somehow and hide the decryption algorithm together with the decryption key in your program (white-box cryptography), but then the attacker just needs to run your program in a debugger to let it decrypt the data.
You could use the system's permission system, but this will usually not help if the attacker is some program running in the same user account as your Java program (and would help even less if the attacker has root access).
The best bet would be to store the password on a USB memory and tell the user to take it out when you are done using it, but if the attacking program is running and observing while you are reading the secret from the stick, even this does not help.
Regardless of the language, I think this applies: http://codahale.com/how-to-safely-store-a-password/
In summary, use a bCrypt hash function.
The preferences API is implementation dependent from memory so you will be at the mercy of the JVM vendor. If it's a Sun/Oracle JVM, it's trivial to get at the data. If you hash it and enforce a decent password policy however, it will be very safe. The original password will be very hard to determine.