This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
SQLite with encryption/password protection
My problem is that I am on a struts2 web application and I am creating a sqlite database file dynamically. I need to protect that file (when users download that sqlite file it needs a password to open it, like a password-protected PDF). Is there any other way to complete this task?
There is an encryption library (sqlite-crypt) available in C, but if you want to do it in Java, I would simply encrypt the file like any other file and supply a decryption tool with password for the user. See this example of file encryption/decryption in Java.
The best solution is to install SqlCipher or something similar, but that means that you must build and install a C extension to your Java environment.
If you decrypt the SQLite database on starting your app and then encrypt it on ending then it's "exposed" while you're actually using it (and if the app is terminated abnormally). With SqlCipher the data is always encrypted, even in the middle of an operation. The other alternative is to encrypt/decrypt individual "blobs" stored in the DB, but then you can't search on them, etc.
You can use Zip4j (http://www.lingala.net/zip4j/) to create a password protected zip file.
Related
If i include a properties file in my project that contains a database password, how do i stop someone from browsing the .jar file and accessing it.
Currently i have it hardcoded, but you can decompile and access it even with Obfuscation.
Is there a best method for handling sensitive data in app code?
Short answer: You can't
Longer answer:
Protecting a JAR file is not really possible if the attacker has access to the file system and hence the JAR file. You could encrypt the property file that contains the database password, but then you're facing the same issue again as to where store the encryption password.
In the end, having passwords stored in property files is not optimal for security. If possible, you should use a password safe with an API usable by your application. Cyberark or Vault (and many more that I don't know) are examples of such password safes.
This question already has answers here:
Handling passwords used for auth in source code
(7 answers)
Closed 7 years ago.
I have a question about passwords in source code. E.g. if you would like to connect to a FTP server you have to write the password in the source code in plain text.
Is this secure? Or is it possible to decompile the JAR file or in Android APK File to get these data in plain text? Is there a secure method to store the data?
The most secure way to do this, would be to have a "Middleman server" running on the same machine as the ftp.
The app contacts the server and says "Give me the files".
The server then logs on to the ftp and sends the files back to the app.
The app never knows the password, username or anything to the ftp. Only the ip address and how to get files from the server.
The server could then have some sort of protection to only take certain requests, or only from the app etc.
Java De-compiler can be easily found on Internet.
In case of apk, you can
Extract the APK on computer
generate .jar file using tools like dex2jar convertor
get source code back using java decompiler.
But i have also find some app which can't be decompiled to source code in this way, and i don't know how they have achieved this.
If you have to contain the password in the source code, it's more secure to obfuscate it in C and your Java code simply get it from JNI. Otherwise, follow the suggestion by René Jensen.
This question already has answers here:
SQLite with encryption/password protection
(9 answers)
Closed 9 years ago.
My desktop Java app uses several read-only SQLite databases, which I would prefer people not be able to open up and look at. Normally, this might be accomplished through encryption, but I'm currently using the sqlite4java library, which does not support encryption and doesn't easily allow other SQLite encryption libraries (e.g. SEE) to be used.
What I'm trying to do is make it as difficult as possible for a "casual hacker" to just find one of these database files and open them up. For instance, someone threw out the idea of sticking them in a password-protected ZIP file, then using a library like the ones suggested here to decrypt it on the fly as either an InputStream or a temporary file.
Would this be something that is worth doing?
EDIT: I realize that this isn't going to be perfectly secure, and a hacker dedicated enough might be able to still find a key and decrypt it (this seems like a vulnerability with any such programs).
"What I'm trying to do is make it as difficult as possible."
You are probably just making it as difficult as possible for yourself.
Regular users don't open application binaries. People that open application binaries have tools to find your encryption key.
If you want to engage in security through obscurity, just name the database file "commons-io-3.2.1.jar" instead of "mydb.sqlite3". No trouble for you, still throws off the "casual hacker".
Instead of password protecting your SQLite DB, you can choose not to ship it with the application APK, rather download the content on first run, so that you don't have to encrypt and decrypt and your APK is lighter.
Also remember, your DB can still be hacked by intense hacker.
This question already has answers here:
Handling passwords used for auth in source code
(7 answers)
Closed 7 years ago.
I've been working on a Java project for a while now, and before I make it available for public download, I'd like to add in a feature which requires me to connect to a MySQL database. My question is simple: How would I go about hiding the password to the database if the code is open-source?
Store the database connection settings separate from your code.
You can put the password in some sort of configuration file like an ini file. During the setup/installation stage, get the password from the user and populate it in the configuration file either by code, or allow them to do it manually.
As far as I know, there is no correct answer. You can try really hard to obfuscate or hide it, but if the password or a method of calculating it is in your JAR, a persistent and skilled user will find it.
There is a much better answer than I could give here:
How can I protect MySQL username and password from decompiling?
Till now, i have been creating a file (txt/excel) using buffered Writer for creating a text file and JExcel API for creating a Excel file. These files i have been creating using Java only.
Now i want to make the file password protected in both the cases, that to something like, the file can be accessed by number of people, but only selected may access it using there own login ids/password.
Is it possible to do so?..
Thanks
The answer completely depends on what way you want to open your protected files.
If it is opened by your (java) program or an application, then you can simply simply encrypt it with a password upon saving, and decrypt it with something the user provides,
and use some checksum or header to see if the result is valid - or some garbage due to bad password,
some crypto APIs will do it for you right out of the box.
Second option - if you meant encrypting files with a program (like a notepad file, or something), and you expect windows or notepad to ask you for the password, then it depends on the format of the file you use. Some can be password protected, some can not -like text files usually associated with notepad). In this case password protection works as described in the format's own documentation, and you have to research a bit, I guess it will be too much work
we can do password protection of zip files with the core Java API.
Yes, it is possible to do that, you would have to write your own encryption and decryption tool or write a plugin for excel to do the decryption.
Usually the best approach is to use the security of the OS and specify which users can read or read/write the document. This is transparent to the user and doesn't require a encryption/decryption tool.
yes it is possible. You can use either AES or DES encryption. password is nothing but the key using which the file can be be encrypted or decrypted. you can create your own listener which will prompt you for password. If you enter the password then it will take the password and try to decrypt the file