I'm working on an application that requires I save a field between application uses, so that I can retrieve the data during the next use (ex. save username when logged in, retrieve it and pre-populate username field when application is next launched). I've looked around and found a couple ways to accomplish this goal, such as encryption & saving in a file on the local machine, and saving the value in the Windows registry. Are any of these methods better than others for accomplishing this goal? Any other suggestions?
You can store it using the Java Preferences API which will store a small amount of data in a system-specific way. On Windows, I believe it stores it in the registry, but on a Mac or on Linux it will be stored in a manner appropriate to those systems.
The data is stored, for the current user, under a key that is specific to the package of your class plus a string of your choosing. See the Preferences API Overview for more details.
Related
What could be used instead of Shared Preferences for storing user information? People say Shared Preference is not Secure.
You can use SQLCipher library for encrypted database or encrypt/decrypt values yourself with some key and store result in SharedPreferences. To store keys use Android keystone system.
If you are storing information in the users' device, no approach is 100% secure. You can hide the information in some ways (eg. encoding, encryption, etc) but still won't be 100% secure.
In order to make your information secure, you will need to store the information in a remote server.
Shared Preferences are stored as a file in the filesystem on the device. They are, by default, stored within the app's data directory with filesystem premissions set that only allow the UID that the specific application runs with to access them. So, they are private in so much as Linux file permissions restrict access to them, the same as on any Linux/Unix system.
Anyone with root level access to the device will be able to see them, as root has access to everything on the filesystem. Also, any application that runs with the same UID as the creating app would be able to access them (this is not usually done and you need to take specific action to make two apps runs with the same UID, so this is probably not a big concern). Finally, if someone was able to mount your device's filesystem without using the installed Android OS, they could also bypass the permissions that restrict access.
If you're concerned about such access to your preferences (or any data written by your application), then you will want to encrypt it. If you are that concerned about them, you're going to need to figure out exactly how much protection is necessary for the level of risk you see.
You can also use Database with encryption like whatsapp. Its a best way for security point of view. If you want you can hide the Database also.
This is more just a general thought and speculation from my side, being a student of Computer science.
Lets set the scene:
Lets assume that I have created a wonderful application in Java that I plan on selling in the future. The java application has a complex structure and uses connections to a database using JDBC etc to connect to the DB, get the information from some table in the DB and then work with that data.
To be able to connect the Java program to the DB i have to give the program some information of the DB such as the link, username to the DB and its password.
My DB holds alot of information that I do not want others to see without authority.
But these informations are clearly visible in the java code i created. How sure can I be that no one can access this information after the app has been compiled into a JAR file or a .EXE file?
This might be a dumb question, but I'm just curious.
Thanks
Don't compile the user & password values into your Java application. Write your application with the ability to read those values from an external properties file. Then it's your customers' responsibility to restrict access to that file so only trusted users can read or alter it.
Security concerns aside, configuration such as DB connection strings, usernames and passwords is not part of the shipped application but an installation specific setup. All the application needs to do, is to expose a simple way for the end users to spell out these settings (e.g. property files, xml, etc...).
With this approach, it is the users responsibility to secure usernames and passwords.
Short answer, you can't. If it's in the jar or exe, it will be visible. Your best bet is to encrypt the compiled files.
There is really no possible way to prevent someone from decompiling your code back to something akin to its original state. You could make it more difficult, but if someone is determined, they can get it back to code form. As such the correct response is to not put any sensitive information into your java code. Put it somewhere else.
In this case, you might consider moving the information you want to client to access in your DB to a different DB, that doesn't contain sensitive information. Alternatively, if your database software allows it, create a new user on the DB, that only has access to the data the client will view, and use that login in your java program.
EDIT: mysql users
To create a new user in mysql run the following command:
CREATE USER 'username'#'hostname' IDENTIFIED BY 'password';
if you want the same user to be accessibble from any host replace hostname with %
This user is created with no permissions by default, so now onto adding permissions. Here is an example
GRANT [permission_level] ON database.table TO 'username'#'hostname';
Replace the table name with * to specify every table in the database.
for a full explanation of the syntax of these options look here: CREATE, GRANT
This should help you restrict who can access what in your mysql database.
I have an application which supports multiple accounts (max 8). These accounts are local to the app. Each account has the following parts
Name of Site
Site tel number
type of control
username
pass
Currently I plan to implement them by using shared preferences. I will define keys for all the elements of 8 groups and save/retrieve them using shared preferences. I would like to know is this a good approach or should I use another approach?
Thanks in advance
It is better to use SQLite database for implementing your requirement. The main advantages of using this is
1. Can check username and password in easy way.
2. Can add more users in future.
SQLite Tutorial
'SharedPreferences' are stored in the data directory for the app, but if the user has a rooted device, this file can easily be accessed and read with just a text editor.
For storing account information, you should look into using MySQLi and data encryption.
As you have limited number of accounts and just a few settings for your accounts, that will work ok for you as you have up to 40 settings to save. It won't cause performance problems and you can write some kind helper class to manage those shared properties easier.
You should think about whether you want to increase the number of accounts in the future. If this is the case, you should consider SQLite database.
I wish to be able to keep a score that a player gets when playing my game from game to game and to when they close the game and re-open the scores are still saved. The only way I can think of is to do so using a text file, like I would of done in VB6. However, that then means that they can edit the text file? Or not? My score is stored in a "double" that can be accessed from any class and is being transferred around classes as it is, if that makes a difference.
Hope someone can suggest the best way to go about this.
If keeping the score secret and non editable is very important, I suggest you either store the score on of all players a secure server that only you control, or if that is outside the scope of your project, use an encryption method and also store the score as binary data (i.e. store your gamestate object, not the score itself) instead of a text file.
Any app. that has a GUI can be launched using Java Web Start & use the PersistenceService. Data in the persistence service is not easily accessible to the end user. Here is a small demo. of the persistence service.
As to how to store the data, If it is not absolutely vital to prevent the user from altering it, I would use a Properties object or XML/POJO.
If it is very important (e.g. gamers competing for a $10,000 prize), encrypt the values, then go with the remote server, encrypted (etc.).
You can encrypt the file using one way or another, so it will not be easily editable (and editing attempts may corrupt the score at all, consequently.) Here is a simple example of AES string encryption.
If you store the file on the local machine, obviously every user that have read/write permissions on that file could modify it.
I suggest you to follow one of these ways
Encrypt the file and decrpyt it on open
Save it onto a remote file onto a server
Use a DB
What have you tried? It seems to be some kind of homework for me.
You can read and write Files with Java. You can also do object-serialization or use an embedded database.
update:
I would suggest to store all information within a database at the server. There are many way to do this. The concrete implementation would depend in your backend.
So I'm writing this JFrame application that has its own document model that can be loaded and saved to a filepath. I'm wondering what good ways are there to make the application open the last saved file when it starts up.
Do I store last saved document filepath in a proprietary way or is there some facility in java that can handle this for me?
Why not use the Java Preferences API ?
That allows you to store settings/properties per user and/or per system. They'll be persisted automatically (via files in Unix/Linux, and in the registry in Windows, IIRC).