I have developed an android app that directly interacts with the MongoDB for insertion and fetching the data.
I have credentials stored inside a config file of android app that I read inside the app.
mongoDBConnection:
credentials:
username: "test"
password: "test"
database: "admin"
connectionString: "mongodb://localhost:27017"
The app works as expected when installed on a phone, the worry that I have is if I ship the app can anyone decompile the app and retrieve the credentials back?
To solve the issue, the android app can interact with a backend which will route requests to mongoDB and monogo credential are stored in that backend.
I wanted to get inputs on before implementing the backend on whether a backend is required or is there any way in android app itself to store the credentials such that it does not get exposed when decompiled?
if I ship the app can anyone decompile the app and retrieve the credentials back?
Yes.
is there any way in android app itself to store the credentials such that it does not get exposed when decompiled?
No, this isn't possible. You can obfuscate them to make it harder, but it's impossible to prevent a sufficiently skilled/determined attacker from retrieving them if the app has them.
To solve the issue, the android app can interact with a backend which will route requests to mongoDB and monogo credential are stored in that backend.
This is the only way to do this, and the correct solution.
if I ship the app can anyone decompile the app and retrieve the
credentials back?
Technically yes. But if you use proguard it will be really hard for someone to figure out your DB credentials. This can be your first line of defense
is there any way in android app itself to store the credentials such
that it does not get exposed when decompiled?
Yes. Use Keystore.
Follow this article
Related
I've just had an Android Firebase app penetration tested, and the tester found a file com.google.Firebase.auth.api.xml within Shared Preferences. It contained the access_token + refresh_token (which could be used to access the Firebase API).
Has anyone else experienced this vulnerability and know the best way to fix it?
(I can't work out or understand why this information is being stored locally, I've taken a look through the Firebase documentation and through my app and as far as I can tell everything is integrated properly. The app itself uses Firebase as the backend server which handles logins, authentication, Firestore and Storage)
Any help would be massively appreciated.
Got in touch with Firebase and this is the response for anyone interested:
"I understand your concern, as you have said the file is used to re-authenticate the user, however, those values are set after a successful login and the SDK updates that file each hour. The vulnerabilities that you may have noticed should be related to modifying information related to that specific user and the features or data the user has access to. Please remember that the Firebase security is not only on the Authentication product, they are more tools that enforce the security in a Firebase application, that is the reason why your Security Rules should avoid insecure rules and match with your business model."
I have a javafx app that i created and it makes calls to the mysql database. Unfortunately the database username and password is viewable if you view the jar files. Is there a way to have the javafx app connect to a PHP file on my web host server to manage these database calls and database connection so I do not need to store the creds client side? Or is there a better way to handle this server side? Maybe an API?
Uploaded picture of what I mean
The first thing you should determine is the data that you want to read/write using your java application. Only that data that it needs.
The second is why do you beware of revealing storage access credentials? Is it because of data that shouldn't be visible from the java application?
If an application has access to data hance the owner of the application has access to data. No other options here. The only thing you can do here is to restrict access for each application to its data. It means that each application should have its own credentials which give access to that application's data.
It doesn't matter if you use either MySQL direct connection or API. In both cases, you have some access credentials (DB login+password or API token) or don't have credentials at all but the last one means everyone will have access.
The company that I work for has some small android applications running that communicate with their ERP software lately they requested to authenticate users and have sessions for safety reasons
Instead of integrating the autheticate and session code into every app (6) I want to build an Android app that acts like a dashboard. The app will authenticate the user, create a session and show the available apps on the device that the user can access with their user role.
The problem is I need the know which app requires which user role
I don't want to store this information in the dashboard app sinds that will require me to update the dashboard app each time i create or change an app
I was thinking or using an Content provider but that seems to be a lot of work and redundant since it has to be integrated into every app that I have (6)
So my question, is there a way to get data from apps that can easily be implemented. The data isn't big (only one Integer)
thanks in advance.
I'm developing an android application and i have integrated Linkedin into my app for authentication by using this link
http://www.theappguruz.com/blog/android-linkedin-connectivity-code-sample/.
I want to know user's connections(friends/associates) in Linkedin who have installed my app i,e user's Linkedin connections who have downloaded my app.Is there any way to achieve this?
Thanks in advance for any help
I believe most of the time this task is done on the application side from scratch (It was called autodiscovery in our project).
So basically what you need is connection management for the User. Simplest possible solutions:
App based User connection management.
In this case you need to have some distributed Key-Value store available to your Android application (Some Redis host for example).
The simplest workflow in this case
Populate key-value - like linkedIn_ID -> your_application_id on LinkedIn API authorisation.
Find connected users for your Application, querying by connection LinkedIn_ID.
Server based User connection management
The same thing, but introducing separate API on your server.
In both cases, take in consideration new connections, that might appear after some time.
I am developing an Android App where I require a user to authenticate his session before using the app. One way is to store a user name and password by asking him to register on the app and then use that to authenticate him. But i was looking to do something else, maybe use an OpenId account to authenticate or Opensoial or something like Facebook Connect. Any Suggestions and comments? thanks for you help.
Using OpenID is a great idea in fact. You can use the OpenID4Java library. As you can read here, someone has modified that project in order to make it Android compatible.
I know this is an old question but i found this while asking a newer question.
Just an idea but have you looked at the account manager? What version of android are you targeting?
The sample sync adapter example (http://developer.android.com/resources/samples/SampleSyncAdapter/index.html) uses the account manager (http://developer.android.com/reference/android/accounts/AccountManager.html)
It looks like a more secure way of using credentials on a native android client because you don't have to store the password at all locally in your app.