1

Let's say I'm writing a Java application that connects to a database to authenticate a user before allowing the application to run. I need to store the URL of the database, the username, password, and database name. Obviously, anyone could decompile the application and see the information and use it against me. Even obfuscation wouldn't work. How could I safely hardcode personal information into a Java program?

NOTE: This is a hypothetical, so please don't tell me anything specific to database info storage.

Jk1
  • 11,233
  • 9
  • 54
  • 64
nrubin29
  • 1,522
  • 5
  • 25
  • 53
  • You need to use a web service. Never give users direct access to a database. – SLaks Oct 21 '13 at 14:54
  • Like I said, this is a hypothetical. Let's assume that I need to store data inside the application and can't use a PHP script for auth. – nrubin29 Oct 21 '13 at 14:56
  • Everything can be hacked if they want to. If it were an easy way there wouldn't be cracks for lot of programs. – Alfredo Osorio Oct 21 '13 at 14:56
  • I know anything can be hacked, but in Java anyone with a copy of JD-GUI could see my secret info. – nrubin29 Oct 21 '13 at 14:57
  • @PogoStick29 the only thing you can do is to make it harder to obtain the sensitive data. As you said the JAR/classes can be decompiled. – Alfredo Osorio Oct 21 '13 at 14:59
  • 2
    You can't make it safe. Whatever you give to a user as jar, exe, ... must be assumed to be insecure. – zapl Oct 21 '13 at 14:59
  • You could give each user a unique DB login and set access control in the DB. – SLaks Oct 21 '13 at 16:31

3 Answers3

1

You can't. It is impossible to totally hide informations you give, since you need to use it and thus, to find it.

If you really don't want to give an access-limited username and password, then don't use remote database connection. Instead, you could send the user entered login and password to a server application, that would read query your database.

Vianney Dupoy de Guitard
  • 2,254
  • 1
  • 14
  • 10
  • Is it possible to hide the information at all? The only way I know how to store this information is in `Strings` which would be easily visible. Is there a way to encrypt hardcoded information, or at least hide it somehow? – nrubin29 Oct 21 '13 at 15:29
  • No, you cannot store this information securely on the client, because the client will necessarily have everything required to decrypt it. At best, you can obfuscate it, but there are tools which can reverse the process easily. Listen to this man's answer. He is right. – Mike Strobel Oct 28 '13 at 20:05
0

How about using a public key to encrypt the login data and saving it to your java program A, which is shared with other people. A transmits the encrypted data to program B (B is kept private on a secure server); B uses your private key to decrypt the information and autentificates program A to connect to the DB.

Xylol
  • 193
  • 2
  • 14
  • Problem here: Evil people can still modify A and use the unaltered encrypted secret to gain access to the db. They may not gain plain text passwords but they do gain access. The encrypted secret is roughly equivalent to plain text passwords now. – zapl Oct 21 '13 at 15:13
0

I think a good way is to split application presentation and logic. Application presents only data, that are retrieved using public exposed functions as may be web services or API, or whatever logic you want which is following a Façade_pattern (service facade or session facade).

This can be easily obtained by using for example RMI or EJB. In the logic part you connect to database/xml on disk/your phone/whatever, but this will be done on a machine which is not reachable from outside, if not for remote calls.

Between your client(presentation which can be a java program, a web site, a phone application) and the logic(which is on your server) there may be a firewall or what ever protection you want. By the way on server side you can encrypt data in your EJB(which accesses the database), but it won't be shown externally.

I mean that's the good part of not knowing how things are implemented, the client doesn't know what the remote methods is doing, it just takes data back and that's all.

I think that expanding a bit this concept it may work, this is just a rough idea.

BenMorel
  • 34,448
  • 50
  • 182
  • 322
LMG
  • 966
  • 1
  • 12
  • 28