8

I have in my program (written in Java) a variable:

String myPassword

After compiling the code with Android Studio, I get an Android application and I would like to let other people use it.

But I am scared: is it possible for the users to get the variable value (password) from the application?

Let's say that the password value is "myPass". Its binary is:

01101101 01111001 01010000 01100001 01110011 01110011

Will the application binary contain this sequence in it?

NewWorker
    Yes, it's possible, either by examining the compiled binary or by looking for it in memory at runtime. Don't store sensitive information in anything publicly accessible. – Alex K. Feb 21 '18 at 16:33
  • Thank you very much for your response @AlexK. So what should I do? – NewWorker Feb 21 '18 at 16:42
  • 3
    You can't distribute an application containing a password and keep the password secure. It's not possible. People can decompile your code; or they can just watch what the application is doing and wait for it to use the password. – khelwood Feb 21 '18 at 16:44
  • 1
    You need to think up an authentication scheme that does not involve hardcoding passwords in your application, E.g. [Android: Storing username and password?](https://stackoverflow.com/questions/1925486/android-storing-username-and-password) – Alex K. Feb 21 '18 at 16:46
  • 1
    Also useful info about passwords in Java: https://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords – excelsiorious Feb 21 '18 at 17:09

1 Answer

2

If you decompile your classes with `javap -c -p -constants` for example you would see those Strings:

```java
public class DeleteMe {

   // Compile-time constant: ends up as a ConstantValue attribute on the field
   private static final String test = "def";

   public static void main(String[] args) {
      // Literal loaded with ldc from the class's constant pool
      String test = "abc";
   }
}
```

would yield (the important two lines):

```
private static final java.lang.String test = "def";
ldc           #2                  // String abc
```

Otherwise, storing passwords inside your app is really bad; usually people employ some sort of database where passwords are kept, for example.

Also, the must-read about String and char[] for passwords.

Eugene
  • Thank you for your response. Let's say I want to connect to the database that contains the table that contains the password. I will have to connect to the database with credentials: `Connection conn = DriverManager.getConnection("url", "user", "passwd");` So if I do that, are the "user" string and "passwd" string protected? – NewWorker Feb 21 '18 at 21:45
  • @NewWorker to be honest, I am not an android dev, so I have no idea what are the best practices for android, but I assume there are ways to asymmetrically encrypt passwords, like Android keystore (this is what google told me)... – Eugene Feb 22 '18 at 07:44
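The javap output in the answer comes straight from the class file's constant pool, which is also where the question's byte sequence would end up. The following is an added example, not code from the question, the answer or any project: a small Python script that parses the constant pool of a JVM class file, lists every string literal (the entries that `ldc` loads), and runs the question's own check of whether the raw bytes of a password appear in the binary. The class bytes it scans are constructed in-line (a hand-built minimal class shaped like `DeleteMe`, plus the "myPass" literal; it is not produced by javac), and the function names are this example's own.

```python
"""Walk a JVM class file's constant pool and list every string literal.

Added example (not from the original question or answer). All bytes are
constructed in-line so the script runs offline.
"""
import struct

# Constant-pool tags from the JVM specification (JVMS 4.4).
CONSTANT_UTF8 = 1
CONSTANT_STRING = 8
# Tag -> fixed payload size in bytes (Utf8 is variable-length, handled separately).
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
              12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def parse_constant_pool(class_bytes):
    """Return {index: (tag, payload)} for every constant-pool entry.

    Utf8 payloads are decoded text; other entries keep their raw bytes.
    """
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a JVM class file (bad magic)")
    (count,) = struct.unpack(">H", class_bytes[8:10])
    pool, pos, index = {}, 10, 1
    while index < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == CONSTANT_UTF8:
            (length,) = struct.unpack(">H", class_bytes[pos:pos + 2])
            raw = class_bytes[pos + 2:pos + 2 + length]
            # Java stores "modified UTF-8"; plain UTF-8 decoding is exact for ASCII.
            pool[index] = (tag, raw.decode("utf-8", errors="replace"))
            pos += 2 + length
        elif tag in FIXED_SIZE:
            size = FIXED_SIZE[tag]
            pool[index] = (tag, class_bytes[pos:pos + size])
            pos += size
        else:
            raise ValueError(f"unknown constant-pool tag {tag} at offset {pos - 1}")
        # Long and Double occupy two consecutive pool slots (JVMS 4.4.5).
        index += 2 if tag in (5, 6) else 1
    return pool


def string_literals(class_bytes):
    """Every CONSTANT_String entry (what `ldc` loads), resolved to its text."""
    pool = parse_constant_pool(class_bytes)
    literals = []
    for index in sorted(pool):
        tag, payload = pool[index]
        if tag == CONSTANT_STRING:
            (utf8_index,) = struct.unpack(">H", payload)
            literals.append(pool[utf8_index][1])
    return literals


def contains_secret(blob, secret):
    """The question's own test: does the raw byte sequence occur in the binary?"""
    return secret.encode("utf-8") in blob


def build_sample_class():
    """Constructed minimal class file shaped like the DeleteMe example plus the
    question's "myPass" literal. Not produced by javac: it has a constant pool
    and empty interface/field/method/attribute tables only."""
    def utf8(text):
        data = text.encode("utf-8")
        return struct.pack(">BH", CONSTANT_UTF8, len(data)) + data

    def ref(tag, idx):
        return struct.pack(">BH", tag, idx)

    entries = [
        utf8("DeleteMe"), ref(7, 1),              # 1: name, 2: Class
        utf8("java/lang/Object"), ref(7, 3),      # 3: name, 4: Class
        utf8("abc"), ref(CONSTANT_STRING, 5),     # 5, 6: the local's literal
        utf8("def"), ref(CONSTANT_STRING, 7),     # 7, 8: the field's literal
        utf8("myPass"), ref(CONSTANT_STRING, 9),  # 9, 10: the question's password
    ]
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52)  # Java 8 class version
    body = struct.pack(">H", len(entries) + 1) + b"".join(entries)
    # access_flags, this_class, super_class, then zero-length member tables.
    body += struct.pack(">HHH", 0x0021, 2, 4) + struct.pack(">HHHH", 0, 0, 0, 0)
    return header + body


if __name__ == "__main__":
    sample = build_sample_class()
    print("string literals:", string_literals(sample))
    print("contains myPass bytes:", contains_secret(sample, "myPass"))
```

Point it at a real `.class` file (`string_literals(open("DeleteMe.class", "rb").read())`) and it prints the same "abc" and "def" that javap shows; `contains_secret` is the byte-level check the question asks about and answers it with True for any literal the compiler kept. Android's dex format lays strings out differently, but its string table is just as readable, which is why the answer and comments say no hard-coded secret survives distribution.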