2

I need to hide the password in the source, what are the possible methods to obfuscate the password in order to reduce the risk of decompilation?

e.g.

final String password = "secret";
Howard
    Why is the password hard coded in the source? Is there no way of externalising it? – Lloyd Aug 30 '12 at 09:39
    @Lloyd This is the chicken and egg problem, if you externalize it, maybe store in an encrypted config file, you still need a key to decrypt it? – Howard Aug 30 '12 at 09:43
  • An important concern is what kind of application is it, specifically how will it be deployed? Desktop? Mobile? Web? – Goran Jovic Aug 30 '12 at 09:45
  • You can make the password file only readable by the user account which runs the application (and you can encrypt it as well if you want) i.e. use file system security. – Peter Lawrey Aug 30 '12 at 09:46
  • Another important one is what are you trying to protect and from whom? The user, someone else, or anyone but you (i.e. admin)? – Goran Jovic Aug 30 '12 at 09:48
  • @Howard I was thinking more along the lines of PKCS. – Lloyd Aug 30 '12 at 11:28

4 Answers

17

Don't bother.

Your average user won't be able or willing to decompile class files anyway, and a motivated and skilled attacker won't be held back by obfuscation when the target is a single piece of data. All it takes is one such motivated and skilled attacker and the whole world knows the password.

If your security depends on obfuscating a password, you have already lost.

Michael Borgwardt
3

First, I wouldn't name my variable password.

Second, I wouldn't keep it in raw format, but encode it.

Third, I'd use a char[] instead of String (because strings reside in the string pool).

Of course the best option would be to not keep it in the code at all.

Luchian Grigore
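As an added example (not code from the question or from any answer), this is what the advice in Peter Lawrey's comment and Luchian's third point looks like in Java: the secret lives in a file that only the account running the application can read, is loaded as a char[] rather than a String, and is wiped as soon as it is no longer needed. The file path is a made-up placeholder, and the permission check assumes a POSIX filesystem.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.Set;

public final class ExternalSecret {
    // Placeholder path for illustration; the real location is deployment-specific.
    private static final Path SECRET_FILE = Path.of("/etc/myapp/db.secret");
    /** Loads the secret as char[] (never String) from a file only the owner may read. */
    static char[] load(Path file) throws IOException {
        // Refuse to start if group or others can read or write the file (expect mode 0600).
        Set<PosixFilePermission> tooOpen = EnumSet.of(
                PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
                PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE);
        tooOpen.retainAll(Files.getPosixFilePermissions(file));
        if (!tooOpen.isEmpty()) {
            throw new IOException(file + " must be readable only by its owner (chmod 600)");
        }
        byte[] raw = Files.readAllBytes(file);
        CharBuffer decoded = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(raw));
        try {
            int len = decoded.limit();
            while (len > 0 && (decoded.get(len - 1) == '\n' || decoded.get(len - 1) == '\r')) {
                len--; // drop the trailing newline an editor usually leaves behind
            }
            char[] secret = new char[len];
            decoded.get(secret, 0, len);
            return secret;
        } finally {
            // Zero every intermediate copy; an immutable, pooled String could not be wiped like this.
            Arrays.fill(raw, (byte) 0);
            Arrays.fill(decoded.array(), '\0');
        }
    }
    public static void main(String[] args) throws IOException {
        char[] secret = load(SECRET_FILE);
        try {
            // Pass secret to an API that accepts char[] (KeyStore, JDBC); shown here as a length check only.
            System.out.println("loaded a " + secret.length + "-character secret");
        } finally {
            Arrays.fill(secret, '\0'); // wipe as soon as it is no longer needed
        }
    }
}
```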
0

Encrypt the password using an external method, a method that can be used to decrypt within your code, and store the password (encrypted) in your code.

MadProgrammer
0

Use a database or file to save your password. Here is a pretty good post with an example. But you still need to store one master password somewhere to encrypt your passwords. It's hard to protect it from being found and misused to decrypt your passwords :(.

Eduard