Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Obfuscate Strings

Tags:

java

credentials

obfuscation

we use some Networkcredentials in out App. I just decompiled the app and was able to see the Credentials like Name and Password. I do not really get how to prevent this. I think the word "obfuscator" is the direction which I have to go. We test proguard but it does not have string encryption or am I wrong?

Is there an easy and free way to do this?

Thank you.

like image 403
Benjamin Wolf Avatar asked Jan 19 '15 11:01

Benjamin Wolf

People also ask

How do you obfuscate strings in C++?

The simple approach is to do this: std::string myKey = "mysupersupersecretpasswordthatyouwillneverguess"; However, running the application through the strings process (or any other that extracts strings from a binary app) will reveal the above string. What techniques should be used to obscure such sensitive data?

What is an obfuscate?

Definition of obfuscate : to be evasive, unclear, or confusing The suspect often obfuscated during the interrogation.

What does obfuscate mean coding?

Obfuscation means to make something difficult to understand. Programming code is often obfuscated to protect intellectual property or trade secrets, and to prevent an attacker from reverse engineering a proprietary software program. Encrypting some or all of a program's code is one obfuscation method.

What is obfuscation in Java?

Bytecode Obfuscation is the process of modifying Java bytecode (executable or library) so that it is much harder to read and understand for a hacker but remains fully functional. Almost all code can be reverse-engineered with enough skill, time and effort.

1 Answers

Sorry, but this simply does't work no matter what you'll try. If you obfuscate / encrypt the credentials, the program still must be able to decrypt them at run-time. Therefore, the encryption keys must also be in the generated bytecode somewhere and therefore it's possible to take them, and decrypt the credentials manually outside the program (or just step through the program and read the credentials once they're decrypted).

What you're trying to do is Security by Obscurity and it doesn't work.

Whatever you do, if the program can obtain the credentials at run-time without any external help, a skilled attacker can do the same given enough time.

What you should do:

  1. Store the credentials in plain-text in a property file. Don't bother with encryption, it's pointless. You must make sure the db user you're using is read-only or add-only or something similar so you prevent any damage.
  2. Let the user input the password. If it's not stored in the bytecode, it's safe. He could e.g. input his password and have an account in the db...
  3. Use a safe and known authentication mechanism. Plaintext login+password is not that.
  4. Don't let your application go anywhere near a DB. Set up a service somewhere, with an API, which would hold the read DB conenction. Your application could connect to that and get data via this API. This way, an attacker can't directly access your DB. He could call anything in the new service, though, so you must make sure there's no sensitive data accessible in there.
like image 162
Petr Janeček Avatar answered Sep 20 '22 10:09

Petr Janeček
Sign in to Comment

Related questions

JBoss wildfly 8.x Provider "vfs" not installed when using java nio Paths
RecylerView not animating insert, however it does animate removal
When is injected bean actually initialized?
Does Intellij IDEA support debugging a project built with ant?
Searching multiple strings in all fields in Elasticsearch using Java API
Which Java Date format is this "YYYY-MM-DD 00:00:00+00:00"?
Java substring endindex-1
Jersey/JAX-RS resource method input bean validation
How to make the static method thread safe in JAVA?
Spinner subitem
Is there a Java Stream method equivalent to Scala's collections "collect"?
Allocate Big file
Java - Make inner classes be able to modify outer class
Restrict types in Java for use in a List
Lombok issues with Java 8
Spring Boot default properties encoding change?
How can I re-throw an exception in a lambda block as from the outer block?
javac: invalid flag: activation-1.1.jar
pyjnius "Class not found" when importing jar file
How to use KeyEvent in JavaFX project?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!