Problem Description
I am writing application for Android. Application must do following:
Connect to the server using following URL:
http://www.example.com/database.xml?username=xxx&password=xxx
username and password I must keep in the phone and this username and password are same for the all users. For example if 1.000.000 people have my application they all connect to the server using same url same username and password.
Download database.xml file from URL and save data in the SQLite database.
Issues
How I can use URL in my application to be sure that users which have access to my codes can't know from the code which URL I use and also to keep secure my password and username.
Or even just to keep whole URL secure http://www.example.com/database.xml?username=xxx&password=xxx as it is same for all users.
How I can protect my SQLite database. For example if somebody has root access on the phone he can get database open it and get all information which I keep there.
I need to protect my data.
I think you should go for ProGuard. I know its very hard to prevent from reverse-engineering. Following are some post which give some knowledge about this.
How to avoid reverse engineering of an APK file?
Is it really impossible to protect Android apps from reverse engineering?
Protecting Your Android Applications is an article which describes necessary information about ProGuard.
Read FAQ to know more.
To protect database, use SQLCipher.
use HttpRequest apis to get the data instead of using browser intent.
In your case I don't see any perfect protection engineering. Any one with a primary reverse engineering knowledge can get the data from your code.
Related
So, I'm writing a password verification thingy, loading username and passwords from a database, but I can't figure out how to keep the database username and password out of the code.
String user = "username";//database username, not username to verify
String password = "password";//my password, not users password to check
String url = "jdbc:mysql://databaseurl:3306/table";
//i want this hidden somehow
I could load it from a file, but then people could just read the file.
Obviously I don't want people gaining access to the database and reading secret information. How should I go about doing this?
EDIT: What I'm asking, is, how can I secure MY database credentials. Other people should not have access to the database
You could, for instance, decompile the jar and read the above lines, and access my database using my credentials. (using a program such as jd-gui)
Use password encryption.
If you application runs inside J2EE container, use standart tools
Look at sample for Jboss container
If you're going to give the user direct access to the database, why not just make the username/password you're passing to the database the user's actual username/database?
Typically in secure systems the database is not directly exposed to the user. The user passes a query to some system which then performs authentication and then if passes passes the query to the database.
In other words, if you're relying on the obscuring of the database login credentials as the obstruction to accessing the database, you're relying on the client to authenticate itself with respect to actually querying the database, which is a bad, bad idea. As soon as your database's login credentials are compromised, your whole security scheme has now failed.
You can keep database details in a
property file/database
. It is a kind of one layer of abstraction. And in that property file/database, you give some different keys so that at the time of accessing database, take the keys/columns from property file/database and construct url information.
Secure your authentication and authorization services using a PKI exchange with a properly signed certificate (so it can be revoked if something does go wrong, and it certainly may).
One example is ws-security (a SOAP extension), but if you need to use REST you're stuck with transport-level security (securing your connection with HTTPS).
You might want to read up at http://security.stackexchange.com for more insightful commentary, rather than "store it in a property file."
I'm looking for a way to open a JDBC connection without specifying my database login and password in plain text, as the application will be distributed and any Java decompiler would reveal them, allowing the users to access the database easily.
Is there any way to encrypt them, or store them somewhere else?
Looks like you want to let Android application talk to your database directly? Don't do that. It's a major security flaw. No matter how you encrypt your credential, you have to reveal your plain text somewhere during the execution of the program, and anyone with a debugger can see that. The correct way is to have use an API on your web service and call that API from client. All database transaction should happen in a trusted intranet.
Why would you want to do this? Generally the business side of your application would have this info and connect to MySQL. There, a user does not have access to any code. Then you create an endpoint that actually is accessible to the public. There you can worry about passing username and password stuff to the business logic, which again, actually has direct access to your database.
Basically, do not open a jdbc connection anywhere but your server side. Its a security measure.
I've recently gone into a serious security problem in my Java app. The client application simply works on a FTP and MySQL server, and access information to both of them are stored directly in code. I'm aware that it's an awfull idea and I'm planning to move that informations to a preferences file. But how can it help to raise a security level on my app? Is there any way to properly secure such file? Or should I look for a different solution?
Keep passwords in a keystore (example: http://kingsfleet.blogspot.com/2008/12/storing-password-somewhere-safe.html). Keystore has to be protected with a password, so in order to use client application user needs to give keystore password - I am not sure if this is acceptable in your case.
I am a newbie for this security purpose and php files
I came to know about htaccess when i saw my files and databases are not secure.
I am filling listview in Android application from JsonArray parsing.This JsonArray is coming from Server when a specific URL is clicked on android application
There is a php file on server and there i have echoed the result .
Now the problem is with the data access .When I use that url on PC from browser ,It prints all the data on the browser.
NOw how can I give access to only those user who are using my android application.
I have heard of htaccess file but dont know how to use it and write it
Or is there any other way to secure or get rid of direct accessing from browser
You can use htaccess file but I think there better way.
.htaccess file is fine-tuning ruleset for Apache server. It can reprogram request completely. I use it normally with Static files.
But in your case dynamic php page. Which means you can pass a security session key.
When people login to your app they create session key. SSID This will be alive for some limited amount of time. like 1 hour. And every request required it.
No correct SSID means no data.
I have a plain Java application which is supposed to connect to the database. I don't want to store database connection url and username/password in a properties file or hardcode it in application. What is a common way to solve this problem? How a Java application can connect to database without revealing username/password?
I'm a .NET dev, but I've run into the exact same situation.
Last year I was working at a company that had to be PCI compliant to store credit card data, so security was a big deal. The URL/login data has to exist somewhere. The most common method I've seen for securing it is with encryption. I don't know about Java in particular, but .NET has several encryption namespaces in the core Framework. We used these to encrypt the database logins.
You still have a potential security vulnerability, which are the encryption keys used to encrypt/decrypt the data. We used the PCI "compensating controls" method here. Access to the keys is restricted to "key management" role. We also tracked access of the key itself so that there was a record of all user-initiated and system-initiated access. No one user had access to these logs, so there could be no covering of tracks by a single user. These overlapping security methods essentially create a situation where nothing less than a coordiated conspiracy between multiple administrators is required to put the data in jeopardy.
If you aren't willing to store it, you have to prompt for it. You could encrypt the password, but then you have to have a key to decrypt it and you are stuck in the same problem.
One of the common solutions to this problem for server based applications is to store the username and password in a file that has user permissions set in such a way that only the executing user of the application/service can read its contents.
For example, you run your application as user foo-service and it inherits all of the access privileges of the foo-service user. The file containing the username and password is only readable by that user. You read the value from the file and connect to the database as normal.
Possible problems with this approach:
The superuser of this machine may be able to get the password to the database.
An attacker who has penetrated your application security can get access to the database credentials.
The above problems are normally mitigated by tuning the access privileges for the application to the database and the network. Nearly any other solution you come up will get you into a chicken-and-egg problem because you are basically trying to hide something from itself.
The best way would be to store the information as a configured data source in the JNDI context of your application server. You can then use the facilities of the application server to configure data sources at deployment time. All the application has to do is look up the appropriate JNDI name at runtime and use that. This is a common pattern for Java web applications.
Use web services to separate your application from the server doing the database access. Sign your web application and then only allow a properly signed application to call the web services server.
You can try to load a file using system properties.
-Dapplication.configuration=application.properties.
When the property file is not passed then the you should use default file with default config.
When the file exists you override the defaults with the values provided from configuration.
java -Dlog4j.configuration=file:/log4j.properties -Dapplication.configuration=file:/live-conf.conf -jar app.jar "applicationarg1" "applicationarg1"
More sources to follow:
https://docs.oracle.com/javase/tutorial/essential/environment/properties.html
How to override system properties:
-Dproperty=value
Set a system property value. If value is a string that contains spaces, you must enclose the string in double quotes:
http://docs.oracle.com/javase/6/docs/technotes/tools/windows/java.html