As we know that a java jar file can be easily reverse engineered to get the source code, how should I distribute my twitter app which has been made using twitter4j so that on decompiling the jar file, the user is not able to get the app key and secret?
You can use a obfuscator program like one of the below suggestions:
http://proguard.sourceforge.net
http://www.yworks.com/en/products_yguard_about.html
http://www.e-t.com/jshrink.html
http://home.comcast.net/~shvets/Programs/Tools/CafeBabe/
Related
I have a Spring Boot App that is a consumer of a cloud API. The API key for that API is externalized using an #Value annotation. Generally, we create a separate run.sh file that looks something like this:
java -DaccessToken=abc123 -jar my-app.jar
One of our customers, wanted us to encrypt the run.sh file, so the API key wouldn't be stored in plain text on the file system, which we did using this method.
Now, that same customer also wants us to automate their rotation of the API keys every 90 days. It's fairly simple to request a new API key within the APP and then delete the old API key, but is there a way to securely store the API key in such a way that the APP can be restarted if the host computer restarts, but the API key is not stored in plain text on the OS. I can't think of a way to do this without storing something unencrypted.
Thanks in advance for your help.
I need to upload some files on my server.To problem is that the files are encrypted(.p7s extension) and i want to decrypt them first.
This is the application i'm using to remove the encryption
There is anyway to remove the encryption directly from my java code?I read something about bouncycastle library, but i really don't know how to use it.
Thanks in advance.
There is a Application called Keytool to read those files. The app is distributed with every java sdk. The code is implemented in Java, so you should be able to debug the application.
No need for bountycastle, even if the documentation is better.
Would anyone please take the time to step-by-step document this seemingly simple task?
I am new to java and the latest Google Cloud Platform APIs. I cannot figure out how to do the simple task of uploading a file to Google Cloud Platform from an Android App. Most examples are three years old or are not end-to-end. Either way, they fail so mysteriously at some point that I cannot figure out how to proceed. For example, the exception I'm getting with using the simple-cloud-storage demo is "null." I can't even figure out what is generating "null."
So far I've only been successful in doing something by using the endpoints tutorial: https://cloud.google.com/appengine/docs/python/endpoints/getstarted/clients/android/ But there is no talk about exchanging files in that demo.
Complete code example is here. This code example was created from the Google HelloEndpoints tutorial. This is probably a terrible implementation of using GCS in Android, but it works unlike most examples currently available.
Steps to achieve this:
Create a GCS bucket with service account credentials.
Get a .p12 private key and place that into src/main/res/raw. You have to remove the .p12 extension and replace the - with a _. You
need the password, too, so keep that handy.
Look in MainActivity.java at public void onClickFileChooser(View view). What this does is call a class that allows you to
navigate and select a file. There's some commented-out code that
checks with the server for an upload URL in case you want to try to
store the file with the blobstore API. I could not figure that out,
so I tried GCS. The GCS stuff is the next bit of code. You'll notice
it's a two step process. There are some globals defined for GCS
because I'm not a good programmer.
The first step is getting a "Google credential." The code loads the private key with keystore.load(getResources().openRawResource(R.raw.thomasmhardy_ebc515c808a6)
and does some other stuff. You might have to change the key
password. Look for "notasecret" and replace that with your password.
The actual storage of the file is next. You'll see the URI is set per the Google example. Next, I set up an asynchronous
task because Android does not want you doing anything on the network
in the main thread. The task first refreshes the GoogleCredential.
Once's that's complete, it uses android-async-http to post the
file to GCS. Note, the header for Authorization concatenates "Bearer
" before the access token. That uploads the file.
All this requires a few dependencies. Check out the gradle.
I also had to enable multiDex.
Note: I removed the contents of my private key "thomasmhardy_ebc515c808a6."
I'm writing a small Android app and I need to hide some variable values. I have a API key I got from the content provider who is providing me content to show in my app that I need to retrieve data from them. Because it is being used in an encryption algorithm, it is of vital importance the code isn't leaked.
I need to save the API key in my code and be sure it isn't retrievable by the bad people in the world. What I do now, is save them in my code as a variable:
private static final String API_KEY="mysupersecreatapikey";
After the app is compiled to an APK file, this is, in my opinion not retrievable anymore. Am I doing it in the right way now, or is there a better solution?
Thx in advance,
Daryl
You could store the API key in a file located in storage. You can encrypt the API key when you write it to the file and then you can decrypt it when you are reading it (upon program execution)
If you put the API key into the client in any form that can be used by the client it will be possible to get to it somehow. Maybe by unwrapping the APK and decompiling the code, maybe by traffic sniffing. That private static final variable for example can likely be extracted by a decompiler (if it's bytecode).
If you want to make really sure that none of your users can get to the API key then your app shouldn't be using it directly. Instead have it connect to a web service you set up that serves session IDs for example. That web service that runs on a server that you have control over (quite a few options) would then be the only piece of software that knows the API key.
But depending on the use case this might be a complete overkill solution to this problem.
I want to make setup file for java swing application .
I am creating the setup by writing the script file and selecting the source file as jar and other necessary resources .
Now i want to make my jar disable to extraction .
Is there any way from which i make sure so that no can access the resources from my jar file either the class files or images etc.
thanks in advance
You can make it harder to get your resources, but you can't make it impossible. That's not a Java problem, by the way, but a general one of distributed software. In order to access your resources, your program (or in the case of Java the runtime environment) must be able to unpack them. Even when you encrypt them somehow, the program needs to include the decryption key and the decryption algorithms. A determined user can find these through reverse engineering, and use them to get your resources.
You could try obfuscating your codes.
This is the one I have used for obfuscate.
http://www.zelix.com/klassmaster/
You could find more tools for that.
You can use java webstart, your jars will be kept in cache so very its hard to access.
Java Web Start Guide