0

I've made a simple mailing app that takes in email credentials and uses them to send emails of certain kinds to selected addresses. Problem is, I've had to input the credentials right into the code, so anyone who uses dex2jar can get the source code and get the email used for forwarding and easily make the app obsolete.

I imagine I'm not the only one facing this issue, so what are some ways to make my code secure?

  • Related: http://stackoverflow.com/questions/8611960/piracy-piracy-piracy-what-can-i-do – Morrison Chang Dec 19 '16 at 17:27
  • I'm not particularly concerned about piracy, as I said the app alone is simple. I only wish to hide one line of code, maybe there's a simpler way to do that? – MilesWeirdo Dec 19 '16 at 17:31
  • Assuming a typical computer/OS, it inherently can't be done. In order for the JVM to do something, it needs to be able to know what to do. That means you need to have those instructions written out in a form that the JVM can read. Unless you're doing something like putting out custom hardware with a decryption key, the JVM/OS/etc won't have any information that a hacker won't also have access to. And that means there's no way to hide something from a hacker, yet have it available to the JVM. – yshavit Dec 19 '16 at 17:34
  • Do not send email from the app. Send email from a Web service that your app talks to. – CommonsWare Dec 19 '16 at 17:42
  • I made my app originally in that fashion, but the whole thing is supposed to be anonymous, that's why I need my own email credentials. – MilesWeirdo Dec 19 '16 at 17:49

2 Answers

1

No matter how good of a technique you use to hide the credentials, if it's in the code then it can always be found.

Instead of hard coding them in, you could perhaps let the user specify them when he starts the app? If that can't be avoided you could instead have a remote service that will do the sending and forward your request to that.

ᴘᴀɴᴀʏɪᴏᴛɪs
  • Problem is, the whole logic of the app is that it's only supposed to take the input and send it to an email, using a forwarding email that I specify and a recipient's email to receive those emails. – MilesWeirdo Dec 19 '16 at 17:38
  • The only solution is to *avoid* storing these details on the client side, i.e. on the app that you distribute. You could instead have a remote service that will do the sending and forward your request to that. – ᴘᴀɴᴀʏɪᴏᴛɪs Dec 19 '16 at 17:43
0

You cannot both connect to an e-mail account and keep those same users out of said e-mail account. Consider using a hosted server as part of the project to securely connect to the e-mail account from the server level and process these e-mails remotely.

pizzaslice
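The remote-service approach that both answers recommend, sketched as an added example (not code from the question or either answer): the SMTP credentials stay in the server's environment, and the app sends only the message text. The environment variable names, the JSON field `text`, the size limit and port 465 are assumptions made for illustration.

```python
import json
import os
import smtplib
from email.message import EmailMessage

MAX_BODY = 4000  # assumed size limit for one submission

def load_config(env=os.environ):
    """Credentials live only in the server's environment, never in the APK."""
    keys = ("SMTP_HOST", "SMTP_USER", "SMTP_PASS", "RELAY_RECIPIENT")
    missing = [k for k in keys if not env.get(k)]
    if missing:
        raise RuntimeError("missing settings: " + ", ".join(missing))
    return {k: env[k] for k in keys}

def build_message(cfg, text):
    """Sender and recipient are fixed here; the client controls only the body."""
    msg = EmailMessage()
    msg["From"] = cfg["SMTP_USER"]
    msg["To"] = cfg["RELAY_RECIPIENT"]
    msg["Subject"] = "App submission"
    msg.set_content(text)
    return msg

def smtp_send(cfg, msg):
    """Real delivery over implicit TLS (port 465 is an assumption)."""
    with smtplib.SMTP_SSL(cfg["SMTP_HOST"], 465, timeout=10) as smtp:
        smtp.login(cfg["SMTP_USER"], cfg["SMTP_PASS"])
        smtp.send_message(msg)

def handle_submission(cfg, raw_body, send=smtp_send):
    """Process one request body from the app; returns (http_status, reply)."""
    try:
        data = json.loads(raw_body)
    except ValueError:
        return 400, "invalid JSON"
    # Accept exactly one field so a caller cannot choose recipients or headers.
    if not isinstance(data, dict) or set(data) != {"text"}:
        return 400, "expected exactly one field: text"
    text = data["text"]
    if not isinstance(text, str) or not text.strip() or len(text) > MAX_BODY:
        return 400, "text must be 1-%d characters" % MAX_BODY
    send(cfg, build_message(cfg, text))
    return 202, "queued"
```

An HTTP framework of your choice would pass each request body to `handle_submission`. The endpoint still needs rate limiting, since its URL ships inside the app and can be read out of it just as the credentials could.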