-4

I would like to know if Java code is decompilable, because I am making an app for Android and I'm wondering if using the MySQL connector is safe or not.

I'm talking about the Java code in an Android application.

Thanks for your answers.

Kangoo13
  • 5
    How are the two related? Seems you intend to hardcode something sensitive on the client side. – peter.petrov May 13 '14 at 22:54
  • I'm not asking how to decompile, I'm asking if the MySQL connector for Android applications is safe or not due to the Java decompile thing. – Kangoo13 May 13 '14 at 22:56
  • Is it that your database password will be in the app? – David Conrad May 13 '14 at 22:56
  • Your code will be "safe" if you code it to be safe. This has nothing to do with it being decompilable or not. – Hovercraft Full Of Eels May 13 '14 at 22:57
  • Yes David, it will be. How to do without? – Kangoo13 May 13 '14 at 22:57
  • 1
    Most people advise against storing sensitive information in the client, such as Database username/password. You don't need to decompile an entire application to find specific strings of text. – noahnu May 13 '14 at 22:57
  • What do you mean by being safe? Run correctly or what? – mmohab May 13 '14 at 22:58
  • @Kangoo13 Generally you have an application server that the Android app talks to and authenticates against using the user's credentials (or anonymously), and that application server does all the database communication securely. There should never really be a need to store application-wide credentials in your app. – Alex.Ritna May 13 '14 at 22:58
  • The specification for the byte code (instruction set) is publicly available, so anyone who has the byte code can figure out what a program does. Is that what you're asking? – ajb May 13 '14 at 22:59
  • Thanks for the answer, everyone. So I must not store the password of my DB in the Java code :) – Kangoo13 May 13 '14 at 23:01

1 Answer

5

Your question is a nice example of the XY problem. It seems that you intend to, actually, have an Android app use a database. Decompilation is the least of your worries. A user can use a packet sniffer to also get your authentication details in some cases. A simple `strings foo.apk` search can come up with the DB authentication details. Someone could hit your DB server from outside irrespective of your app.

A more viable solution would be to set up a web server that can handle untrusted requests and forward them to the database after filtering them. Then, you no longer have the risk of people stealing your DB credentials from the APK or device, since they no longer live there.

nanofarad
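A release-gate check for the exposure the answer describes, as an added example that is not part of the original answer: it unpacks an APK (a zip archive), pulls printable strings out of every entry the way `strings` does, and reports embedded JDBC URLs, URL credentials and the MySQL driver class. The rule names, the patterns and the constructed sample APK (placeholder host, user and password) are assumptions made for illustration.

```python
import io
import re
import zipfile

# Printable-ASCII runs of 6+ bytes, the same idea as the `strings` utility.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")

# Patterns that indicate a direct database connection baked into the client.
FINDING_PATTERNS = {
    "jdbc-url": re.compile(rb"jdbc:(?:mysql|mariadb|postgresql)://[^\s\"']+"),
    "credential-in-url": re.compile(rb"[?&](?:user|password)=[^&\s\"']+"),
    "jdbc-driver-class": re.compile(rb"com[./]mysql[./](?:cj[./])?jdbc[./]Driver"),
}


def scan_apk(apk_bytes):
    """Return sorted (entry_name, rule, matched_text) findings for an APK."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            # read() decompresses the entry, so deflated files are covered too.
            data = apk.read(info)
            for run in PRINTABLE_RUN.finditer(data):
                for rule, pattern in FINDING_PATTERNS.items():
                    for hit in pattern.finditer(run.group()):
                        findings.add((info.filename, rule, hit.group().decode("ascii")))
    return sorted(findings)


def build_sample_apk(dex_strings):
    """Build a constructed, minimal APK-shaped zip for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        # Not a valid DEX file: just binary padding around the strings.
        body = b"dex\n035\x00" + b"".join(b"\x00\x01" + s.encode() + b"\x00" for s in dex_strings)
        apk.writestr("classes.dex", body)
        apk.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
    return buf.getvalue()


# Constructed sample values; host, user and password are placeholders.
LEAKY_APK = build_sample_apk([
    "com.mysql.jdbc.Driver",
    "jdbc:mysql://db.example.invalid:3306/app?user=appuser&password=EXAMPLE-ONLY",
])
CLEAN_APK = build_sample_apk(["https://api.example.invalid/v1/items"])

if __name__ == "__main__":
    for entry, rule, text in scan_apk(LEAKY_APK):
        print(f"{entry}: {rule}: {text}")
```

A build that follows the answer's design, with the app talking only to a web server, should produce no findings, as the `CLEAN_APK` sample does.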