How To Encrypt Resource Files? - java

Hi I have a game made in Java and Slick2d and I have a folder that contains all of my resources (images, sounds, etc) and I was wondering how to encrypt them so people can't edit them? I tried MD5 but I'm not really sure how it works and I'm not worried about people breaking into the code because I have spliced the jar into an exe file. Also if I need to know how to decrypt the files so that they can be used in the code please explain that too.

There is no way to protect the images/resources, all you can do is make it slightly harder. If you deliver your images/resources to the client then they can always decrypt them, after all the client has to display them unencrypted at some point in time.
Btw.: MD5 is a hash-algorithm, it is used to check if data is undamaged.

MD5 is a hash function which is irreversible and two input may produce the same output.
in case the content of the files is not 'secret' you can use MD5 for a verification process, this should be quite easy.
Create a hashtabe (or just a table) with the hashes of all the resources your application uses
Once the applet lanched create an hash for each of the files and compare it with your table, if its not the same, someone has changed the content of your jar file.
I'd recommend to keep the hash table within the code so it will be harder to modify

If you are using your resources, you have to decrypt them then the client can use them, because they are being used in the game.

Related

how to encrypt / decrypt files resources into Android?

I would like to encrypt my resources .XML files in the following path: res / raw / fiche.xml and res / raw / so fiche1.XML each time the program uses both files and must first decipher the two files at the end of execution, it re-encrypts both files.
my question: how encrypts and decrypts files that are in the resources and do you have an example (source code) or source code that explains the steps?.
This seems to be a popular question; Google finds a few stackoverflow responses that seem relevant.
I would advise you to not worry about it too much, and not to put anything sensitive into your apk. If you encrypt these files, you'll still have to ship your encryption key with them (so your application can decrypt them). Anyone with the capability/desire to extract your apk and retrieve these files will also be able to easily find and retrive your shipped key, and anyone without the capability/desire to do so will never look for these files in the first place.

Verifying file - security issue

I have a file which I'll call A.txt which I use it within java application. This file is shipped together with application, and I want to have a way to verify (within the application) that it is indeed my file, and not one which was for forged.
I have two ideas, but both are susceptible to some attacks:
I ship signature, A.txt and public key as a plain text with the application but if the attacker simply signs his own file, replaces the signature, A.txt and public key the verification will pass.
I hard code the public key into java app - apart from decompiling, if I send A.txt to person A and B.txt to person B and they exchange their txts they will both verify successfully, and I'd rather have person A verify just A.txt successfully.
How can I do this without any possibilities of being attacked? Or how can I implement my ways so that they are safe?
Hiding an encryption key within code can be very dangerous. Reinard had a good idea about the web service that can encrypt and decrypt the file.
Another option might be to hide the key inside the registry or somewhere in a hidden directory. You can also try building your own algorithm that can build up the decryption key.
But what about decompiling? This has always been a major pain for most developers. How do you properly hide secrets within code? You can try using application packagers or scramblers that can slow down the decompiling process. You can also get a java obfuscator like ProGaurd make your code harder to reverse engineer.
I really hope this helps.

Data encryption for files

In my application, users can upload any kind of files.
I would like to store them (or their data, byte[]) encrypted in the file-system, and when the user wants to re-download them, de-crypt them on the fly, transparently for the user.
The files must not be user-private, as they can be shared between groups of users.
Someone with only file-system access should not be able to get the file data.
What would be the best practice to achieve this kind of encryption requirement ?
Security should be the most important consideration.
Edit
As ideal I would see an api which I can pass the file-data as byte[] which takes care of en/decryption. This way the java.io.File would not need to know about the encryption at all.
A salt could maybe be provided from the file's metatada, while the key could e.g. be provided on application startup.
Edit 2
The comment from #Jared points to an article which kind of sovles my requirement:
http://www.codejava.net/coding/file-encryption-and-decryption-simple-example
The application runs under a system account so encrypt a folder for only that account.
Store the uploaded files in that encrypted folder.
Don't give anyone the password for that account.
Windows has this built in and there are many ways to achieve this on *NIX.
This meets all of your requirements.

How do you keep people from seeing string literals in compiled class files?

When you compile a .java file into a .class file, if you had a line like
String s = "This is a String"
If you open up the .class file in a text editor, you will see
This is a String
Somewhere in the file amidst the gobblety gook.
Which is fine and dandy for most stuff, but not when dealing with sensitive information like API keys.
Of course, one alternative is to read the API key in from another file, but that just makes it EASIER to find the key, as now the person can just open "key.txt" when they open the .jar file.
So how do you encrypt a string literal in your .class file?
When you send code to a 3rd party, you loose all control over it. Even if you where to embed the API key as an encrypted string, an attacker could still try, and potentially succeed in breaking it, which would make all your encryption/decryption efforts in vain.
The best solution, in my opinion, would be to not provide any sensitive information within the application, but rather provide it with an ID of some sort. Any sensitive values which it needs would be then pulled through the use of a secure connection.
If you use a key to access a 3rd party API there is no way to protect that key from the end-user IF you ship it with your code / application or you want your application to be able to access the 3rd party API without a middleman.
The end-user could just read all data send from your app to the end-point and know the API key. Regardless of any measures you took to encrypt it you will need to send it atleast once decrypted to the 3rd party.
The safe way to do this is to require your user to log in to a service provided by you, send a request to YOUR service and then YOUR service (which is presumably not located on the machine of your end-user) sends a request to the API with the key. So the end-user never knows of the key.
If you store the information in the class file, the decryption key should come from outside of the class. You can crypt the data, but if you have all the information within the class file, you are lost.
You should store API keys in config files. You have a different API keys for development and for the live, right?
Other possible solution is to use KeyStore, which allows you to store sensitive information in publicly accessible format. Only the holder of the secret key can decrypt the sensitive data.
Even if you keep that information encrypted in your class, a hacker can find the mechanism to decrypt that from your code only. So IMHO it's better to keep that encrypted information in some other file, and read that file. Also, restrict the access to that file using OS security mechanisms.

Encrypting a folder for an Android app?

The app I am working on gets all the files from the sdcard but these files are really important and the app should maintain a security issue .So is there a way that the folder or directory that contains the file may be encrypted or locked with a key and only be used by my app?
Please help I am newbie and stuck at this point.
On Android, anything stored on the SD card is not protected by permissions and can be accessed by any application that has permission to touch the SD card (and by anything/anyone that can pull the card out and read it elsewhere). Basically, you need to assume that if you put resources there, they can be accessed by anyone. So, you are correct, you want to encrypt these resources so that even with that access, no one can access them.
Android includes plenty of support for well-known cryptography. In this case, you'll want to use symmetric encryption. The current best practice here is to use AES with 256-bit keys, all of which are natively supported in the Android class libraries. There are plenty of resources on how to do this in the developer documentation online and there is a complete rundown of all the issues you need to think about, and code examples of the entire process, in Application Security for the Android Platform (disclaimer: I'm the author of this book).
You do need a key to encrypt this data, and you need to keep that key secret (anyone that knows it can decrypt the data). You have two options...(1) ask the user for a password every time they use the application and then derive the key from that password, or (2) store the password in your application. (2) is dangerous as Android applications can be readily reverse engineered, where an attacker can simply look into your application and find the key. (1) is preferred as then there is no key stored for an attacker to recover...the tradeoff is that your users need to type in a password to use your application. What you should do here is a function of the risk analysis...how important is this data? Do you need it protected in a strong manner, or are you protecting it to just make things harder for an attacker? Only you can answer that, based on your use cases and the sensitivity/risk of your data.
Have a look at those resources:
http://source.android.com/tech/encryption/android_crypto_implementation.html
http://developer.android.com/reference/javax/crypto/package-summary.html
You should be aware that of course you shouldn't store the key to the encrypted data in cleartext but rather encrypt that itself with a password a user can choose or similar.
This is how to make a new folder:
String SaveFolder = "/Save";
String extStorageDirectory = Environment.getExternalStorageDirectory().toString();
File mySaveFolder = new File(extStorageDirectory + SaveFolder);
mySaveFolder.mkdir();
Got this code in the public void onCreate
Now it makes a folder with the name "Save".
Edit:
I looked there is not a way to set a password or something.
Though I read here http://developer.android.com/guide/topics/data/data-storage.html#filesInternal it is possible to save files in the internal memory, where users can't get acces too, but I never used that, so I can't help you with that.

Categories

Resources