I have a question about passwords in source code. E.g. if you would like to connect to an FTP server you have to write the password in the source code in plain text. Is this secure? Or is it possible to decompile the JAR file or an Android APK file to get this data in plain text? Is there a secure method to store the data?

Brian Tompsett - 汤莱恩
JavaForAndroid
    is it possible to decompile the JAR file or in Android APK File to get these data in plain text? YES :) – hellzone Oct 09 '13 at 11:27
  • Anyone can get the .dex file from the .apk and from .dex to .jar, and there are decompilers for getting Java from .jar, so it's not secure to store a password in source code – yuva ツ Oct 09 '13 at 11:29
  • That is not good :( What can I do to avoid this? I know how to decompile an APK file. But as far as I know the strings are not visible in plain text. Or am I wrong? – JavaForAndroid Oct 09 '13 at 11:29
  • http://stackoverflow.com/questions/4427238/hiding-strings-in-obfuscated-code – alistair Oct 09 '13 at 11:30
  • Not storing any sensitive information in your source code perhaps? – Viezevingertjes Oct 09 '13 at 11:30
  • But how can I connect to a FTP server without doing so? – JavaForAndroid Oct 09 '13 at 11:31
  • Proguard performs some sort of source code obfuscation, but I believe it won't mess with any final String values. So, it will be possible to extract a password stored as a constant from even a production .apk. – Naeem A. Malik Oct 09 '13 at 11:33
  • Well then I should do the whole work with a PHP script, because there are too many dangers. One possibility might be obscuring the data and sending it via SFTP, but there might also be sniffers. And it is not possible to avoid decompiling. In my opinion there is no way to build a secure FTP connection with a client. Thank you for your help. You preserved me from a big mistake. – JavaForAndroid Oct 09 '13 at 11:42

3 Answers

The most secure way to do this would be to have a "middleman server" running on the same machine as the FTP server.

The app contacts the server and says "Give me the files". The server then logs on to the ftp and sends the files back to the app.

The app never knows the password, username or anything else about the FTP server. Only the IP address and how to get files from the server.

The server could then have some sort of protection to only take certain requests, or only from the app etc.

René Jensen

Java decompilers can easily be found on the Internet.
In the case of an APK, you can

  • extract the APK on a computer
  • generate a .jar file using a tool like the dex2jar converter
  • get the source code back using a Java decompiler.

But I have also found some apps which can't be decompiled to source code in this way, and I don't know how they have achieved this.

Bijaya Bidari
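
The comment thread and the answer above both say that a password written as a String literal is still readable after dex2jar and a decompiler. As an added example (not code from any poster), this Python scanner shows why by walking a .class file's constant pool directly and listing the plaintext strings it finds; the same function doubles as a pre-release check on your own JAR. The demo class file, the FTP host and the password value are constructed here, not taken from the question.

```python
"""Scan Java .class files (for an APK: the JAR that dex2jar emits) for plaintext string constants."""
import re
import struct
import zipfile
# Constant-pool tag -> fixed payload size (JVM spec, section 4.4); tag 1 (Utf8) is variable length.
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
              12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
SUSPICIOUS = re.compile(r"pass|pwd|secret|token|ftp://|sftp://", re.I)

def utf8_constants(class_bytes):
    """Return every CONSTANT_Utf8 entry of a class file, in pool order."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", class_bytes, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pos, index, strings = 10, 1, []
    while index < count:
        tag = class_bytes[pos]
        if tag == 1:  # u1 tag, u2 length, then the raw (modified UTF-8) bytes
            (length,) = struct.unpack_from(">H", class_bytes, pos + 1)
            strings.append(class_bytes[pos + 3:pos + 3 + length].decode("utf-8", "replace"))
            pos += 3 + length
        else:
            pos += 1 + FIXED_SIZE[tag]
        index += 2 if tag in (5, 6) else 1  # long/double occupy two pool slots
    return strings

def secret_candidates(class_bytes):
    """Constants that look like credentials or FTP connection strings. The password
    value itself rarely matches a pattern; the field name or URL beside it usually does."""
    return [s for s in utf8_constants(class_bytes) if SUSPICIOUS.search(s)]

def scan_jar(path):
    """Map each .class entry of a JAR (a zip file) to its suspicious constants."""
    with zipfile.ZipFile(path) as jar:
        return {n: secret_candidates(jar.read(n))
                for n in jar.namelist() if n.endswith(".class")}

def build_demo_class():
    """Constructed minimal class file: a constant pool holding a hard-coded FTP URL and password."""
    def utf8(text):
        raw = text.encode()
        return b"\x01" + struct.pack(">H", len(raw)) + raw
    pool = [utf8("Demo"), b"\x07\x00\x01",                      # #1 name, #2 Class -> #1
            utf8("ftp://files.example.test"), b"\x08\x00\x03",  # #3 text, #4 String -> #3
            b"\x05" + struct.pack(">q", 42),                    # #5-#6 Long (two slots)
            utf8("PASSWORD"), utf8("s3cret-demo")]              # #7 field name, #8 value
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, 9)   # pool count = slots used + 1
    trailer = struct.pack(">7H", 0x21, 2, 0, 0, 0, 0, 0)  # flags, this, super, four counts
    return header + b"".join(pool) + trailer
```

Run `scan_jar()` on the JAR dex2jar produces from your own APK before shipping; whatever it surfaces is exactly what a decompiler will show, and ProGuard renaming does not change these entries.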

If you have to keep the password in the source code, it's more secure to obfuscate it in C and have your Java code simply get it via JNI. Otherwise, follow the suggestion by René Jensen.

xizzhu