Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How do you keep people from seeing string literals in compiled class files?

When you compile a .java file into a .class file, if you had a line like

String s = "This is a String"

If you open up the .class file in a text editor, you will see

This is a String

Somewhere in the file amidst the gobblety gook.

Which is fine and dandy for most stuff, but not when dealing with sensitive information like API keys.

Of course, one alternative is to read the API key in from another file, but that just makes it EASIER to find the key, as now the person can just open "key.txt" when they open the .jar file.

So how do you encrypt a string literal in your .class file?

like image 757
CSDragon Avatar asked Apr 16 '15 10:04

CSDragon


2 Answers

When you send code to a 3rd party, you loose all control over it. Even if you where to embed the API key as an encrypted string, an attacker could still try, and potentially succeed in breaking it, which would make all your encryption/decryption efforts in vain.

The best solution, in my opinion, would be to not provide any sensitive information within the application, but rather provide it with an ID of some sort. Any sensitive values which it needs would be then pulled through the use of a secure connection.

like image 198
npinti Avatar answered Nov 04 '22 16:11

npinti


If you use a key to access a 3rd party API there is no way to protect that key from the end-user IF you ship it with your code / application or you want your application to be able to access the 3rd party API without a middleman.

The end-user could just read all data send from your app to the end-point and know the API key. Regardless of any measures you took to encrypt it you will need to send it atleast once decrypted to the 3rd party.

The safe way to do this is to require your user to log in to a service provided by you, send a request to YOUR service and then YOUR service (which is presumably not located on the machine of your end-user) sends a request to the API with the key. So the end-user never knows of the key.

like image 42
Jonathan Avatar answered Nov 04 '22 15:11

Jonathan