
How does one securely store the password and username inside of an Android app that connects to an FTP server? Can't anyone decompile an .apk and see its source in a more or less easy-to-read format?

I'm implementing the ability to upload photos in an app I'm working on and they are then sent to an FTP server in the background. Below is how most examples show how to do it. I don't think there's much of a way around this.

String username = "Austin"; //Example Username
String password = "123456"; //Example Password
//FTP Client init after this and then connect.
Austin K.

1 Answer


The basic problem with FTP is that it transmits the password in plain text, so even if you didn't save it in plain text within your app, it can be read with a simple packet-sniffing tool.

Besides that, the generated bytecode will contain the strings if you do not transform them. An easy way to do this is to create the Base64 representation: Base64 Java encode and decode a string

A sophisticated way would be to use a crypto lib like scrypt or bcrypt, but given the mentioned security flaw within FTP itself, that would be like using a sledgehammer to crack a nut: https://github.com/wg/scrypt

Community
  • I didn't even know it was sent in plain text. Thanks. Would you not recommend using FTP in an app then? – Austin K. May 18 '16 at 13:50
  • Well, it depends on what is being sent to the server. If it contains no private information and could be found anywhere on the internet, you could use FTP for sure. – Thomas Raffelsieper May 18 '16 at 13:59
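
A release check for the point raised in this thread, that string literals survive into the compiled app and that a Base64 form decodes without any key. This is an added example, not code from the question or the answer. The byte blob, the host name `ftp.example.test` and the function names are constructed for illustration; the credentials are the question's example values.

```python
import base64
import binascii
import re

# Constructed sample, NOT a real APK: NUL-separated string constants laid out
# the way literals end up embedded in compiled output. Credentials are the
# question's example values; the host name is made up.
SAMPLE_BLOB = (
    b"\x00ftp.example.test\x00Austin\x00"
    b"MTIzNDU2\x00Ljava/lang/String;\x00\x12\x34"
)

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def printable_strings(blob):
    """Return every run of 4+ printable ASCII bytes, like the `strings` tool."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def decode_if_base64(text):
    """Return the decoded text if `text` is Base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None  # wrong alphabet or padding: not Base64
    if len(raw) >= 4 and all(0x20 <= b <= 0x7E for b in raw):
        return raw.decode("ascii")
    return None  # decodes to binary noise: an ordinary word, not an encoded secret


def audit(blob):
    """Pair each embedded literal with its Base64 decoding (None if not Base64)."""
    return [(s, decode_if_base64(s)) for s in printable_strings(blob)]


if __name__ == "__main__":
    for literal, decoded in audit(SAMPLE_BLOB):
        if decoded is None:
            print(f"plain literal : {literal}")
        else:
            print(f"Base64 literal: {literal} -> {decoded} (no key needed)")
```

Any literal this check reports, plain or Base64, is equally visible to whoever holds the .apk, so a finding means the credential has to leave the app, not be encoded differently.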