3

Similarly to browsers, my application needs to save locally some password to save user the pain entering it every time. So it happens that it's likely scam applications might put an effort to retrieve this password from my program's configuration files.

I seek a way to avoid it - ideally by commanding OS to only provide my password to my program and no other. As I think about this, it seems like impossible task. Whatever my application can access, any other application can access too.

On Android, there's a security model that allows your application to truly only save data for itself (unless the phone is rooted and malicious program runs under root privilegies).

Any chance this was implemented in Java? Or on Windows where my program is targeted? Again, with the exception of admin account, which can do anything.

Edit: While there's another question about very similar topic, the answer to this question doesn't really explain anything. I hoped for specific Java class names and an example. Especially now, when I failed to use keystore suggested in the answer to the other question.

Tomáš Zato
  • 50,171
  • 52
  • 268
  • 778
  • 3
    possible duplicate of [What is the best practice for securely storing passwords in Java](http://stackoverflow.com/questions/7017688/what-is-the-best-practice-for-securely-storing-passwords-in-java) – developer Mar 18 '15 at 07:17
  • @developer wow. I really searched pretty long, but the other question is exact duplicate. Sorry and thanks. – Tomáš Zato Mar 18 '15 at 07:27
  • write in property file as encrypted password. – Prashant Mar 18 '15 at 07:28
  • But the scam application can know the encryption key (because it's saved in my program file) – Tomáš Zato Mar 18 '15 at 07:32
  • I tried to hack some android game by editing game configuration files. I opened them with text editor and initialized as I wish. But after restarted the game , I lose all of my game's level and start from beginning :( . These files are **binary files** and I think there has some file changed listeners. – Cataclysm Mar 18 '15 at 07:37
  • @Cataclysm Android doesn't enforce the security I talked about. There are several modes for writing settings - and one of them only allows access to your program. And again, remember that root can do anything. – Tomáš Zato Mar 18 '15 at 07:40

1 Answers1

2

You can use the java-keyring library.

// Password can be stored to key store by using Keyring.setPassword method.
// PasswordSaveException is thrown when some error happened while saving password.
// LockException is thrown when keyring backend failed to lock key store file.
        try {
            keyring.setPassword("My service name", "My account name", "My password");
        } catch (LockException ex) {
            Logger.getLogger(Program.class.getName()).log(Level.SEVERE, null, ex);
            return;
        } catch (PasswordSaveException ex) {
            Logger.getLogger(Program.class.getName()).log(Level.SEVERE, null, ex);
            return;
        }

You could also probably use the keyring api from Netbeans.

Ortomala Lokni
  • 56,620
  • 24
  • 188
  • 240