I have a Clojure app that I will share with some people, and there is a username and password pre-defined in the Clojure code. If some guy gets the app and decompiles it, he might see the password. My only intention is to hide the password/username. What's the simplest way to do it? I created the jar file using

lein uberjar

and then send the standalone jar file as client code.

Daniel Wu
  • I would say that the same rules as in Java apply: http://stackoverflow.com/questions/12937641/handling-passwords-used-for-auth-in-source-code – nha Feb 29 '16 at 15:20
  • If your users are not supposed to know these credentials, I am going to assume they are for 3rd-party calls and not for some kind of backdoor. If that's the case, you are following a very badly constructed security policy. What's stopping your users from snooping on the network? It would be better to give each user a unique token. Then you wouldn't have to worry about hiding it from them. (If my assumption is wrong, please edit the question to clarify.) – muhuk Feb 29 '16 at 15:31

2 Answers

You cannot prevent decompilation, you can only obfuscate it. Depending on your security requirements, this may be adequate. Otherwise, you should really look at moving those sensitive username and password calls into an authenticated service that you control. If you update the question to give more info, we might be able to give more specific recommendations.

Daniel Compton

If you can't rely on an external service (no internet connection), you can store the hash of the password in a file of your uberjar.

; utility method: Base64-encode a byte array
(defn to-base64 [bs]
  (String. (.encode (java.util.Base64/getEncoder) bs)))

; function to "encrypt" a string-formatted password
; (what it actually computes is an unsalted SHA-1 digest, since "SHA" is the
; JDK alias for SHA-1, then Base64-encodes it)
(defn encrypt-password [string]
  (let [sha (java.security.MessageDigest/getInstance "SHA")]
    (.update sha (.getBytes string))
    (to-base64 (.digest sha))))

; call this one time, to store the secret in encrypted form
; this would be part of your jar file, but regular users cannot
; (probably) decrypt this.
(defn save-password [secret-password]
  (spit "secret" (encrypt-password secret-password)))

; use this to validate input against the stored digest
; (slurp already returns a String, so no String. wrapper is needed)
(defn validate-password [input]
  (.equalsIgnoreCase
    (slurp "secret")
    (encrypt-password input)))

Finally, you can create and check passwords with the above methods:

(save-password "hello")
(validate-password "hello")
; true

(save-password "hellome!")
(validate-password "hello")
; false

Nicolas Modrzyk
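Added example, not code from either answer or from the asker's project: the same build-once / check-at-runtime layout as above, but the stored record is a salted, iterated PBKDF2-HMAC-SHA256 hash and the comparison is constant-time, so a digest lifted from the decompiled jar cannot simply be looked up in a precomputed SHA-1 table, and the check does not leak timing. The namespace name, the iteration count and the `iterations$salt$hash` record format are my own assumptions.

```clojure
(ns secret-check
  (:require [clojure.string :as str])
  (:import [javax.crypto SecretKeyFactory]
           [javax.crypto.spec PBEKeySpec]
           [java.security MessageDigest SecureRandom]
           [java.util Base64]))

;; Assumed work factor and output size; tune iterations to your hardware.
(def iterations 100000)
(def key-bits 256)

(defn- pbkdf2
  "PBKDF2-HMAC-SHA256 of password with the given salt and iteration count."
  ^bytes [^String password ^bytes salt iters]
  (let [spec    (PBEKeySpec. (.toCharArray password) salt (int iters) (int key-bits))
        factory (SecretKeyFactory/getInstance "PBKDF2WithHmacSHA256")]
    (.getEncoded (.generateSecret factory spec))))

(defn- b64   ^String [^bytes bs] (.encodeToString (Base64/getEncoder) bs))
(defn- unb64 ^bytes  [^String s] (.decode (Base64/getDecoder) s))

(defn hash-password
  "Builds the record to ship in the jar: \"<iterations>$<salt-b64>$<hash-b64>\".
   Run once, at build time; the plaintext itself never goes into the jar."
  [^String password]
  (let [salt (byte-array 16)]                 ; 128-bit random salt per record
    (.nextBytes (SecureRandom.) salt)
    (str iterations "$" (b64 salt) "$" (b64 (pbkdf2 password salt iterations)))))

(defn validate-password
  "True iff input re-derives the stored hash. Salt and iteration count are read
   back from the record, so old records stay valid if `iterations` is raised later.
   MessageDigest/isEqual compares all bytes without an early exit on mismatch."
  [^String stored ^String input]
  (let [[iters salt-b64 hash-b64] (str/split stored #"\$")
        expected (unb64 hash-b64)
        actual   (pbkdf2 input (unb64 salt-b64) (Long/parseLong iters))]
    (MessageDigest/isEqual expected actual)))

(comment
  ;; build time: (spit "secret" (hash-password "hello"))
  ;; run time:   (validate-password (slurp "secret") user-input)
  (let [record (hash-password "hello")]
    [(validate-password record "hello")
     (validate-password record "hellO")]))
```

This still only protects the secret against offline guessing once the jar is in the user's hands; as the first answer and the comments say, a credential that every user must not learn really belongs behind a service you control.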