My java application stores data in a folder at user home directory.
How can i encrypt that folder but access the encrypted folder with an application?
I tried to encrypt the folder with java, (Java Cryptography Extension (JCE)), but cannot access this folder from within my application without decrypting it.
I need the user to have no access to this folder, only within my application.
Note: This is going to be a bit of an unorthodox answer, and might not be exactly what the OP is looking for.
One possible solution is to zip the files in your folder, and then encrypt the zip file.
Reading its contents will be slower of course, but is perfectly feasible with Java's NIO Zip File system provider. You will need to decrypt it back so that it is back to zip format.
https://docs.oracle.com/javase/8/docs/technotes/guides/io/fsp/zipfilesystemprovider.html
Not sure how frequently the files will change by the application, and how feasible it is to update the zip file and re-encrypt it for what is needed.
Related
I am making the setup of java swing application by using Inno Setup as an exe i am selecting the jar file of my project, I am also adding other necessary resources as folder.
When I am installing the setup on the client side. it is putting the jar and other
resources in program files folder but there client can extract the my java classes
and other resources from jar. I want that client can only use the resources by
application program but he could not extract the resources. How is it possible?
There is literally nothing you can do to entirely prevent someone from extracting the resources.
The best you can do is to make the process a bit difficult; e.g. by storing the resources in the JAR file in encrypted form. The problem is that your program would need to decrypt the resources in order to use them. Someone with sufficient skills and patience can reverse engineer your decryption code and capture the unencrypted resources.
By the way, this is not a Java-specific problem. Any application that you provide to a user as an executable can be reverse engineered ... assuming that the user has the wherewithal to run it in the first place.
The bottom line is that if you are not prepared for the possibility that someone might extract the resources, you should not distribute the executable.
This question already has answers here:
How do I "decompile" Java class files? [closed]
(19 answers)
Closed 8 years ago.
When i create a runnable jar file from a java source code file from eclipse, i believe it creates a class file which then can be run by the JVM.
The reason i am asking this is because i am going to be making an java application that keeps all my passwords. The app is going consist of an interface that asks for a password and then if the password is correct show the passwords. Here are my questions on this subject:
What exactly does a runnable *jar file* consist of?
If the runnable jar file consists of a class file, can that class file be interpreted in anyway to be able to see the source code which would revile the passwords?
when you run the runnable jar file from cmd and type "java -jar xxx". and "xxx" meaning the file name, does "-jar" mean you are going to run a jar file and "java" means run this following file in the JVM?
Is this like .exe files, which can't be un done to readable source code when turned into the .exe file.
For the unasked question: If your password is in the source code it will be in the class file in a pretty easy to find way.
A runnable jar file is a jar file (i.e. zip file with jar suffix) containing class files and special file containing information about which class to start.
You can decompile byte code: http://www.program-transformation.org/Transform/JavaDecompilers to get source code. But you can actually see the password in the byte code without decompiling it
yes. in java -jar xxx java means run the jvm using a jar file with name xxx
If you know the language and tools created you should be able to decompile exe file just as class files. And even if not passwords in the source code will be easy to find in the .exe file. So yes jar files are kind of like exe files, but they are different then what you describe.
If you want to make an application to maintain your passwords, make it so that it encrypts the stored passwords using a master password that you provide on startup as a user of the application. Never ever store passwords in source code.
Java class files can be disassembled back to readable Java code. Even easier, though, is that you can extract all passwords from the compiled class file because they are stored as plain text (try for example the strings command on a GNU machine).
So, no, the passwords are not inherently safe inside a class file (and therefore not in a jar archive, because jars can easily be unpacked).
What you need to do is implement some sort of encryption and let your program save the passwords in an encrypted file. Your program will then need you to input the decryption key to even be able to unpack the passwords. The key should not be included in the Java program, it should be provided by you each time you run the program.
Basically, however hard you try, it can be easily decompiled and read by anyone.
If you can, don't store the password, compare it online on your server (using asynchronous encryption) or store it using a master password given to the application every time.
If you can't, don't store the password as-is. The best thing I can think of is storing (and checking against) the hashcode of the password. User enters the password, it is then SHA-256'd and the resulting hashcode is compared to your stored hashcode of the password. Add salt to protect against rainbow tables.
The idea of this is that the hash function is only one-way, a password can't be recovered from its hash. Therefore, nobody should be able to get your password in a reasonable time if it's strong enough.
A very good read on this are the wiki links - but most notably this article on jasypt.org.
That said - if you tried to encrypt the file containing the hash to add another layer of security, the decrypted password could still be found using a decompiler and a debugger, so don't really count on it being supereffective against someone who would really want to get through. Therefore, it's more a security through obscurity than a real encryption.
my app download files from server into app. There could be lots of those file. One file is about 100 mb. I need to do something to safely keep them into my app.
Thirst i tried to encrypt files. How ever this is bad solution because to encrypt and decrypt 100 mb file (it's pdf file) take a some time. Also i need at a time to read this file so i need to decrypt and write decrypted file into some other file for reading at this time files is reachable.
Furthermore i can't keep this file in memory, because of file size. So maybe there is the way to encrypt directory in internal storage where file is saved ? Or this is not good idea as i should then encrypt every file in directory.
As my files is pdf, i could put password to int, but then how to do this ? Also i could try to check if device is rooted or not, but i think someone would find workaround.
So what would you suggest ?
Thanks
It seems like you have 3 options: to encrypt your data; to store the pdfs in a private folder; or to not store the files on-device.
1) Encrypt your data: As you've said, there are disadvantages because the pdfs are quite big and if you can't have those stored in memory, you need to write the decrypted files to file anyway before displaying them, so this doesn't really solve your problem.
2) Store the pdfs in a private folder: Alternatively you could store the pdfs in a private folder only accessible through your app. This can be done using
FileOutputStream fos = openFileOutput(FILENAME, Context.MODE_PRIVATE);
as noted here. "MODE_PRIVATE will create the file (or replace a file of the same name) and make it private to your application". The only problem I see with this is if people are using rooted phones and can access your app's private folders. The only way around this (as far as I know) is to use option 3.
3) Don't store the files on device: You could download the data, or parts of it, each time. This will guarantee that people can't copy the files because they never persist on the device. You could use Google Docs to stream only portions of the document to reduce download requirements if you want. The problem with this is the huge data requirement.
I think you need to weigh up the pros and cons and decide which is best for you. I'd personally go with option 2. I don't think you'll find a solution that addresses all the problems.
I have a requirement to download multiple files from server and zip them into one file. So that user will have to deal with only one file while downloading.
I need in Java/JSP code or Javascript
It's very easy.
First, allow the user to choose files (if the application requires them to do so).
Then on clicking download create a zipped file dynamically and add all chosen files. Allow the user to download this file.
I'd used Zip functions in PHP for similar functionality in the past.
You can refer Compressing and Decompressing data using Java APIs from Sun Developers Network (SDN) on Oracle website.
I am doing a project in java and in that i need to add and modify my
text file at runtime,which is grouped in the jar.
I am using class.getResourceAsStream(filename) this method we
can read that file from class path.
i want to write into the same textfile.
What is the possible solution for this.
If i can't update the text file in jar what other solution is there?
Appreciate any help.
The easiest solution here is to not put the file in the jar. It sounds like you are putting files in your jar so that your user only needs to worry about one file that contains everything related to that program. This is an artificial constraint and just add headaches.
There is a simple solution that still allows you to distribute just the jar file. At start up, attempt to read the file from the file system. If you don't find it, use default values that are encoded in you program. Then when changes are made, you can write it to the file system.
In general, you can't update a file that you located using getResourceAsStream. It might be a file in a JAR/ZIP file ... and writing it would entail rewriting the entire JAR file. It might be a remote file served up by a Url classloader.
For your sanity (and good practice), you should not attempt to update files that you access via the classpath. If you need to, read the file out of the JAR file (or whatever), copy it into the regular file system, and then update the copy.
I'm not saying that it is impossible to do this in all cases. Indeed, in most normal cases you can do it with some effort. However, this is not supported, and there are no standard APIs for doing this.
Furthermore, attempts to update resources are liable to cause anomalies in the classloader. For example, I'd expect resources in JAR files to not update (from the perspective of the application) until the application restarted. But resources in exploded JAR files probably would update ... though new resources might not show up.
Finally, there are cases where updating a resource is impossible:
When the user doesn't have write access to the application's installation directory. This is typical for a properly administered UNIX / Linux machine.
When the JAR file is fetched from a remote server, you are likely not to be able to write the updates back.
When you are using an arbitrary custom classloader, you've got no way of knowing where the actual bytes of an updated resource should be stored, and no way of storing them.
All JAR rewriting techniques in Java look similar. Open the Jar file, read all of it's contents, and write a new Jar file containing the unmodified contents (and the modifications you whished to make). Such techniques are not advisable for a Jar file on the class path, much less a Jar file you're running from.
If you decide you must do it this way, Java World has a few articles:
Modifying Archives, Part 1
Modifying Archives, Part 2
A good solution that avoids the need to put your items into a Jar file is to read (if present) a properties file out of a hidden subdirectory in the user's home directory. The logic looks a bit like this:
if (the hidden directory named after my application doesn't exist) {
makeTheHiddenDirectory();
writeTheDefaultPropertiesFile();
}
Properties appProps = new Properties();
appProps.load(new FileInputStream(fileInHiddenDir));
...
... After the appProps have changed ...
...
appProps.store(new FileOutputStream(fileInHiddenDir), "Do not modify this file");
Look to java.util.Properties, and keep in mind that they have two different load and store formats (key = value based and XML based). Pick the one that suits you best.
If i can't update the text file in jar what other solution is there?
Store the information in any of:
Cookies
The server
Deploy the applet using 1.6.0_10+, launch it using JWS and use the PersistenceService to store the information. Here is my demo. of the PersistenceService.
Also, if your users will agree to a trusted applet (which seems overkill for this), you might write the information to a sub-directory of user.home.