I am writing an application which loads files using FTP. The code looks like this:

String username = "username";
String password = "password";

But after compiling I can see those in .class files. Compiled code looks like this:

\00username\00password

So the problem is that I can see the password and login in the compiled code. I think that is not good. How can I make Java compile strings in bytecode too?

Jagger
timofeiMih
  • First of all I do not think hardcoding your user and password is a good idea. – Jagger Jan 16 '13 at 22:39
  • They're in bytecode already... – OscarRyz Jan 16 '13 at 22:41
  • This is just a showcase. Of course in the real program the values are different. But this thing doesn't change the problem. – timofeiMih Jan 16 '13 at 22:41
  • The user and password should rather be read from an external source, for example a file to which only certain users have rights including the one that your Java program is executed with. – Jagger Jan 16 '13 at 22:42
  • I don't know how to apply rights so that only the Java program can read some file. Can you give a link to that information? I think it is easier to give some bytecode to "ftp.login()" – timofeiMih Jan 16 '13 at 22:48
  • You do not apply the rights for a program, you apply them for a user of the operating system. File systems such as EXT2, EXT3, NTFS, ReiserFS have all the features to do so. – Jagger Jan 16 '13 at 22:50
  • But what if that program is for everyone? How can I implement that then? – timofeiMih Jan 16 '13 at 22:56
  • If the program is, as you are saying, for everyone, then what is the difference between the fact that they know the user and password to this FTP server and the fact that they can run your program. Either way, everybody will have the access. Maybe you simply need to use the standard "anonymous" user provided by almost all FTP server implementations? – Jagger Jan 16 '13 at 22:59
  • Hmm. I can't grant them access. But I think there is no implementation to create a new FTP user using regular registration on a site written in PHP. The problem is that I first go to "images" using FTP and then route the FTP path to another, for example "images/user1". So I don't want everybody to have access to the "images" folder. – timofeiMih Jan 16 '13 at 23:09
  • Maybe hardcode a hash of the string in the file, and then check the hash? – Louis Wasserman Jan 16 '13 at 23:50
  • @timofeiMih: Are you writing an FTP client or an FTP server here? – Tom Anderson Jan 17 '13 at 11:50

4 Answers

There is no such thing as compiling a String literal to "bytecode." There is a byte representation of a String; however, as you noticed, most text viewers will translate this byte representation to its normal ASCII/Unicode representation. Either way, storing even an obfuscated username/password is a security hazard, and should never be done.

In order to store a username/password securely you should be accessing it from an external secure file, not hard coding it into the program.

Alex DiCarlo
  • Where must that file be placed? I think it's not that hard to change the permissions of any file of a program. So that makes another problem. – timofeiMih Jan 16 '13 at 22:50
  • Without knowing the specifics of what you're trying to do it's hard to say. For example, if you're writing a web server, you would store hashed versions of the credentials (which cannot be reversed), and then the client would send a hashed version of their password upon login to compare to the hashed version stored in the file. – Alex DiCarlo Jan 16 '13 at 22:52
  • You can't change permissions on a file unless you have permission! – jahroy Jan 16 '13 at 22:52
  • I know how to do it in PHP. But for FTP access it can't be done. Because I can't use salt for example. – timofeiMih Jan 16 '13 at 22:57
  • I can change the permissions of any file in the system using "sudo" – timofeiMih Jan 16 '13 at 22:58
  • @timofeiMih: The usual way to do this is to create a user for the service, then to put secrets in a file owned by that user and only readable to that user, and then to run the application as that user. The only way to read that file is as that user (or root), which means a prospective attacker has to be able to have the password for that user (or root). – Tom Anderson Jan 16 '13 at 22:58
  • @timofeiMih: There is no way to hide anything from someone with unrestricted sudo power. If you obfuscated it and put it in bytecode, they could just capture the packets going over the network and look at those, or look directly at the process's memory. – Tom Anderson Jan 16 '13 at 22:59
  • @dicarlo2 In detail: I have a program that will store images on my FTP server. I need to give access to everybody who passes validation to load images to my FTP server. But my password can be viewed in the compiled source and this is a big defence problem. – timofeiMih Jan 16 '13 at 23:00
  • @Tom Anderson, then how do I need to implement FTP server login? – timofeiMih Jan 16 '13 at 23:01
  • @timofeiMih What you need to do in your program is to prompt for the user and password instead of hardcoding it, so in fact a standard FTP client. Logical conclusion: you do not need the program you are writing. – Jagger Jan 16 '13 at 23:03
  • @timofeiMih - Only users with sudo privileges can use sudo. **Obviously** you should be very careful about which users have such privileges. If somebody can already use sudo, they can do whatever they want to your system anyways... – jahroy Jan 16 '13 at 23:10
  • @Jagger The point of the program is not to log in to FTP. The point is to give access to load files. – timofeiMih Jan 16 '13 at 23:10
  • @timofeiMih And once again, an _anonymous_ FTP user which is a standard. – Jagger Jan 16 '13 at 23:12
  • Okay. I understand that I need to look for another solution... Thanks for helping. – timofeiMih Jan 16 '13 at 23:12
  • Hmm @Jagger. Then can I ask you something? Can I do an anonymous FTP, but with rights for not deleting everything? They can see, download, but can't delete. Is that possible somehow? – timofeiMih Jan 16 '13 at 23:15
  • Of course, this is the whole idea of providing such user. Usually the default configuration for it is just browsing and downloading, without any possibility to do harm in your FTP directory and file structure. You just have to check what FTP server you are working with and then google for some documentation about it to check the defaults for *anonymous* user. – Jagger Jan 16 '13 at 23:18

Dicarlo2 said:

In order to store a username/password securely you should be accessing it from an external secure file, not hard coding it into the program.

That is still better than hardcoding it in the Java code, but you may need to know that Strings are interned in a String pool which can be a security problem too.

This is why the Console.readPassword returns a char array instead of a String. http://docs.oracle.com/javase/tutorial/essential/io/cl.html

Second, readPassword returns a character array, not a String, so the password can be overwritten, removing it from memory as soon as it is no longer needed.

But in real applications the passwords are often used as Strings

Sebastien Lorber
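
An added example, not code from any of the posters: it combines the two points made in the answers above, reading the FTP password from a file that only the owning OS user can access and holding it in a `char[]` that is overwritten after use. The class name `FtpSecretLoader`, the method `loadPassword`, the temp file and the demo password are constructed for illustration, and a POSIX file system is assumed.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Arrays;

public class FtpSecretLoader {   // hypothetical name, not from the page
    /** Reads the password from a file that only its owner may access (POSIX only). */
    static char[] loadPassword(Path file) throws IOException {
        for (PosixFilePermission p : Files.getPosixFilePermissions(file)) {
            // Any GROUP_* or OTHERS_* bit lets accounts other than the owner reach the secret.
            if (!p.name().startsWith("OWNER_")) {
                throw new SecurityException(file + " is accessible beyond its owner (" + p + ")");
            }
        }
        byte[] raw = Files.readAllBytes(file);
        CharBuffer decoded = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(raw));
        Arrays.fill(raw, (byte) 0);                  // wipe the undecoded copy
        int len = decoded.remaining();
        while (len > 0 && (decoded.get(len - 1) == '\n' || decoded.get(len - 1) == '\r')) {
            len--;                                   // drop the trailing line ending
        }
        char[] password = new char[len];
        decoded.get(password, 0, len);
        Arrays.fill(decoded.array(), '\0');          // wipe the decoder's buffer
        return password;                             // the caller wipes this copy
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo secret in a temp file; a real deployment points at a file
        // owned by the service account the program runs as.
        Path secret = Files.createTempFile("ftp-secret", ".txt",
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
        secret.toFile().deleteOnExit();
        Files.write(secret, "constructed-demo-password\n".getBytes(StandardCharsets.UTF_8));
        char[] password = loadPassword(secret);
        try {
            // The FTP login call would go here. If the client API only takes a String,
            // that String copy cannot be wiped afterwards.
            System.out.println("loaded " + password.length + " chars");
        } finally {
            Arrays.fill(password, '\0');             // best-effort removal from memory
        }
    }
}
```

This only helps when the program runs under an account its users do not control; a client shipped to everyone's machine still hands the secret to whoever runs it, as the comments above point out.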

You will need to store your password as an encrypted value. Every access to a password protected instance will use the encrypted password, along with a decrypting algorithm and the key of course. Then you will not have the password in the compiled file. Very bad to have this.

Rostam
  • Is there some implementation of something similar to this? I know that it is not good to write a decryptor by myself. – timofeiMih Jan 16 '13 at 22:54

Don't hardcode passwords unless they are encrypted or the like.

If you want to prompt the user for a password on the command line, you can use this method posted on SO. For a Swing GUI, use a JPasswordField.

Hope this helps!!

Community
ameed
  • Nope. I need to provide FTP access to anybody. Even encrypting will not work, because this will be seen too. – timofeiMih Jan 16 '13 at 22:53
  • If you are providing access to everyone, then why does the service have a password? If anyone can access the service, then what's the point of hiding the password? If you do need to restrict access, you might give people who need access the credentials. – ameed Jan 16 '13 at 22:59
  • I need a password because they store files in their folders. But the FTP gives access to the "images" folder. I can't make accounts for every user that registers on my website. For example, the user named "user1" stores his file in images/user1 – timofeiMih Jan 16 '13 at 23:03
  • Why not just use their credentials on your site? If _user1_ has password _pass1_, you could just have them use these credentials. If someone needs universal access, you could make an admin account with many permissions. – ameed Jan 16 '13 at 23:14
  • Yes. I get the point. But I can't make FTP accounts by registration on the website. – timofeiMih Jan 16 '13 at 23:15
  • You could use PHP or similar to add accounts to your FTP server's config file. Without knowing which server it is, I can't specifically assist you, but Google should give you some pointers; just look at your server's documentation and write a server-side script to make the necessary entries in the config files when a user registers. – ameed Jan 17 '13 at 00:13