I have an APP (Android) and a service made in PHP.
I send information between them and now there is a security problem that I need to encrypt the data very much.
I need to encrypt in java and when I get to the service (PHP) I need to decrypt the content that has arrived.
Is there any native function in JAVA and PHP that already does this?
I found some examples in Google and here in stackoverflow, but nothing that I described in PHP
Ok, 1st if you consider encryption or decryption depends on any specific language or vice-versa, then It's not true. Any encryption/decryption is a concept which available in all languages and surely support by one another.
Now come to your question, as far as I can understand your question, you are looking for approach which encrypt data in JAVA and decrypt same in PHP. Please correct me if I m wrong.
Below I am sharing process/approach which may help you to design/setup your architecture about it.
1) Let's assume you are aming to implement MD5 encryption/description in your application.
2) In java you can achieve all publicly available encryption either inbuilt or by third party jars, just create utility class and create separate bean with required fields, then add required logic in utils class and pass same information to bean.
3) Now Pass that bean data to web-api which is written in PHP (method you prefer get/post), most of the time in PHP it is String only.
4) Inside PHP code pass that information in fashion which describe in below link:
Encp/Decp in php
And in the end just follow below answer, I guess it is bit close to what you are looking for.
Note: I use MD5 just to explain how to setup an architecture and kick-off for base, but in real environment avoid using MD5 as now n-number way available to bypass this one, best use some strong encpy/decpy technique/algorithm like triple DES, RSA, AES etc.
Java and Php relation for encp/decpt
Related
I am willing to use java email api for my android app. I got it from this link. But as mentioned here in the link, to use this api, I need to give my own email id and password in GmailSender as Plain Text. For this reason I am tensed about my password. If anyone decompile the apk file then he can easily get my email id and password.
But I don't know how to store these sensitive data into my code safely.
How can I do this?
Note: I am not willing to use any third party library to encrypt thses data
It is nearly impossible to completely protect your app from reversal engineering, especially without any third party library.
BUT instead you can create another e-mail, with a different password, and configure it to resend any email received to your official e-mail.
This way if anyone actually manage to reverse the code and get the password, they will only have access to this secondary and unimportant e-mail account. This should solve the problem.
More info about actually protecting the code here:
How to avoid reverse engineering of an APK file?
How to make apk Secure. Protecting from Decompile
You should obfuscate your password string before keeping it in your source code. You can:
Do it manually, It can be take a time.
Or use some automatic tools. If you don't want to use any third party library to encrypt these data, Bg+ Anti Decompiler/Obfuscator is a good choice for you. It works on java source code (not Java byte-code) so you will control everything
I am searching for a way to encrypt a binary file and decrypt the file (probably with javacode) later to make use of it. I only want to decrypt it in Java itself because if it's get decrypted on my local drive, the security is gone...
Is this possible with bouncycastle?
Is bouncycastle api hard to work with? (I know java basics)
Does it need to be decrypted if you want to make use of the file?
Strangely formulated question but:
yes of course you can encrypt/decrypt data in java
yes bouncy castle can do it but you can also do it without bouncy castle
bouncy castle is an awesome library but can be rather complex to work with
yes you can perform the encryption/decryption entirely in memory though you should consider whether or not your swap is encrypted as well, otherwise it won't matter
Do you want PBE (password-based encryption)? I would assume so otherwise you need to consider other aspects like how/where to save the keys.
In short: security is hard.
I'm building a basic webapp that takes in a user input and returns an encrypted password.
Problem is, currently the SecretKey I am using is stored in the src for the Java class. To me, it seems this is risky practice so I'm trying to find a way to safely store my SecretKey.
Doing some research, I found the Java KeyStore class but I'm not entirely sure if this is what I need. Also, if this is what I need, can you guys point me in the direction of how to implement it, and more importantly, how it works?
Thanks
Edit: From doing a lot of thinking/reading it seems like there really isn't a great solution and really a solution isn't needed so long as your main server is secure, which mine will be, so it's not an issue.
Thank you for all the replies! :)
Passwords should be stored using one way hash functions that way your system avoids this problem. See https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
If you are talking about your encryption key, then there is no secure way to store that key safely in JavaScript. I guess the storage you are talking about its the browsers local storage, which is nothing more then a persistent cookie on browser side.
Everybody that uses the chrome WebInspector or Firefox Firebug can easly read this store for any page he is visiting. Furthermore, you would have to save it in this store by JavaScript and as everybody can read your source code in the browser, its even more obvious.
The only possibilty to do such things safely is Server-Sided, like with PHP for example. If you though want the feeling of interactive behaviour, you can use AJAX on clientside to interact with the backend.
EDIT:
Ah, I think I got you wrong as you are talking about Java in Backend? If yes I think there is no Problem when u have the key hardcoded in your compiled sources??? If you want to store it somewhere else and are afraid someone uses it, you could salt and hash it in your application before you use it for key generation (of course the salt is hardcoded then)?
I have android application that has hard coded (static string constants) credentials (user/pass) for sending emails via SMTP.
The problem is that .dex file in .apk can be easily reverse-engineered and everybody can see my password.
Is there a way how to secure these credentials, while i will still be able to use them in my classes?
We can use "jni module" to keep 'Sensitive Hardcoded Strings' in the app. when we try to reverse engineer APK file we get lib folder and .so files in respective process-folders. which can not decrypt.
You can save your string obfuscated by AES.
In Licensing Verification Library you can find AESObfuscator. In LVL it is used to obfuscate cached license info that is read instead of asking Android Market to find out application is licensed or not. LVL can be downloaded as component of SDK.
I guess you can try a code obfuscator, but really that won't make your password 100% secure and I don't know how well it goes along with the android compiler. Why not use a secured web authentication , like that of Google?
Hashing is not possible since it is not two way.
Any encryption such as AES, DES, blowfish, etch is not a viable solution as you have to include the decryption part within your app and that can be decompiled with a combination of apktool, dex2jar and JD (java decompiler) which is a very powerful combo while decompiling any apk.
Even code obfuscators don't do anything except make life a little more difficult for the decompiling guy, who'll eventually get it anyways.
The only way which I think would work to an extent would be to host the credentials on a server which only your application can access via a web-service call through a separate authentication of some kind - similar to FB's hash key thing. If it works for them, it should work for us.
I was looking into a similar problem and came across this useful thread:
http://www.dreamincode.net/forums/topic/208159-protect-plain-string-from-decompilers/
I'm not too familiar with Android development, but the same ideas should apply.
doing these would be useful:
1- you can encrypt them and obfuscate the encrypting algorithm. any encryption along with obfuscation (progaurd in Adnroid) is useful.
2- you better to hardcode your strings as byte array in your code. many reverse engineering applications can get a list of your hardcoded strings and guess what they are. but when they are in form of byte array they are not readable. but again Proguard is necessary. (it only hides from RAM string constant searching and they are still searchable from .class file)
3- using C++ code to host your constant is not a bad idea if you encrypt them before hardcoding and decrypt them using C++ code.
there is also a great article here :
https://rammic.github.io/2015/07/28/hiding-secrets-in-android-apps/
If you do not have the means to do a web authorization you will need to include the third party decryption with you application.
This is what you could try
1) Write a standalone program only to create a password hash one time. (This program should not be a part of your app). Make a note of the hash that was generated.
http://www.mindrot.org/projects/jBCrypt/
// Hash a password for the first time.
String hashed = BCrypt.hashpw(password, BCrypt.gensalt(12));
2) Store this password hash as a String constant in you APK.
3) Then every time you need to check the password, compare with the hashed password, using bcrypt.
// Check that an unencrypted password matches one that has
// previously been hashed
if (BCrypt.checkpw(candidate, hashed))
System.out.println("It matches");
else
System.out.println("It does not match");
jBCrypt is a single java file and it can be directly included in your application. It is considered one of the strongest encryption algorithms for passwords.
Even through the decryption algorithm is present in you APK, trying to break this is very time consuming details of which can be read in the article below.
Read this article for details and security of bcrypt.
http://codahale.com/how-to-safely-store-a-password/
Again, use this only if you do not have the means to do web based authentication.
Use some kind of trivial encryption or cipher that only you (and your code) understand. Reverse the string, store it as array of integers where you need to take the mod of 217 or something silly to find the real password.
One way you can 100% secure you hard-coded string.
Firstly don't use pro-guard use allatori
Link: http://www.allatori.com/
And secondly don't take you hard coded string in any variable just use that string like this:
if(var=="abc"){}
"abc" is exampled hard coded string.
Allatori fully obfuscate all string that are used in code like above.
Hope it will help for you.
I have two web apps in one domain. One is written by ruby another is by java. And my rails app is using db session. So there have a "sessions" table in my database. What I want to do is reading the session info from this table in java.
Here is my problem: Rails' sessions table is encrypted. So I can not read it directly from JDBC.
I don't want to write a decrypt code to convert it. Because it's not a good idea to split one logic both in java and rails. So I hope to find a way to cancel the encrypt session data behavior in rails. Does anyone know how to wirte it in rails config file?
Thanks!
The encryption scheme isn't going to change in the Rails code, so it's not a horrible thing to implement the decryption in Java. If you want to take this route, refer to this question. However, if you really want to prevent encryption, it's not well documented, but in config/environment.rb it would probably suffice to make sure that the hash in config.action_controller.session does not contain an entry with the key :secret. Make sure you secure your database with other means though!