I'm currently building an Eclipse plugin which creates and stores sensitive data, let's say "highscores".
As users can simply unpack the jar file, they are able to see the source code of the project. Thus they are able to cheat and create a faked highscore file by either changing the data in the file itself or writing to the highscore file (as they know how the data is encrypted from the source code).
Can I encrypt my jar file so that users cannot read the source code, but the plugin is still working properly?
As greg-449 already commented, that when the code is with user, it can be hacked in one way or the another. If Encryption of secure data is not going to help, you can move the secure data on your server.
Impact would be, it is available only when the user is online.
Another solution, a bit complex one:
Don't store High Score at all. Store/ log the user's activities to calculate high score. make the logs encrypted to add more security. Use salt, timestamp and secure key while encryption and a checksum to prevent manual changes to the file.
Related
I recently created a password manager using Java for my college project in OOP. To handle database I picked SQLite since using MySQL or SQL server was getting hectic for a small project. Though I am already done with the submission, I was thinking if I could do any further improvement in the project.
Biggest drawback that I have observed yet is that if anyone manages to find the location of database in the system (which is way too easy) it would be very simple to open the database.
Now here two problem arises -
User's password list will be visible
Anyone would be able to modify the data using SQLite manager.
In order to solve the first problem, I already used AES encryption and it is working just fine. However, the second problem still remains.
So in a nut shell, How can I prevent my SQLite DB to get modified except from the Password Manager itself?
Point to note that my application is just an offline Password Manager used on a household PC. So, you can consider the level of threat accordingly. Moreover, the Password Manager itself would have to modify the database content, so assigning the permission should be such that it should not prevent the application to do so.
Note: I was wondering if we can use the limitation of SQLite that only one connection to write the data can be established at a time. Using this the intruder won't be able to modify it. But, I am not sure how it can be implemented.
Restrict user access
Only the operating system can secure files against access by unauthorized persons. Put the database into a folder, which is only accessible by the current user, and have a separate database for each user.
Encryption
You're already encrypting the passwords, that's good. If you want to encrypt the whole database, you could have a look at the SQLite Encryption Extension.
The SQLite Encryption Extension (SEE) is an add-on to the public domain version of SQLite that allows an application to read and write encrypted database files.
Also have a look at the question SQLite with encryption/password protection.
Attack
What would actually happen if someone has access to the database file?
If the database is secured properly, the attacker is not able to get the plain passwords (at least not in reasonable time). In the worst case a password is replaced by another one, but that would achieve nothing, besides you using the wrong password and maybe resetting it. Therefore the worst case would be that you'll lose your saved passwords.
You can do nothing to prevent a data loss on a single machine. For example hard disks sometimes just stop working, someone could steal the whole PC, format the hard disk, etc.
Backups
If you really want to make sure that the data is not modified, you need to keep backups on different machines to minimize the possiblity that someone has access to all of them. For example you could upload the database file to a cloud service. Then you sign the file, so that you can see if a file was compromise and if so fallback to another version.
Conclusion
Your password manager is good enough for an offline tool. If you want to improve the data integrity you have to transfer the data to other machines.
I'm developing a desktop JavaFX application and plan on putting the database and server connection details into configuration files in a hidden folder on the windows machine.
The connection details will contain passwords. I know these should not be in plain text so how should I encrypt them so that only the application can read them?
I will try use a native installer to protect the source code.
Any advice on securing a java desktop app would be great, I really don't know much about security
The base of securely encrypting is that one secret is not stored on disk but only know by a user. If you cannot use that, you can only try obfuscation, that is all the information is there but much harder to read.
Here you could encrypt the data with a password known by the application, store pieces of the password in different variables, and then at run time:
assemble the password
read and decode the configuration
erase the variable containing the password if that last operation is possible (unsure using plain Java)
But this will not protect the data from a user that is ready to analyse the Java bytecode, it will just require a very heavy work - that's why it is not security but just objuscation.
Normal encryption would need a key (file) somewhere, and that is not too difficult.
However if you want to do it totally dynamically, without trace such a jar (zip format) which inside has some key file. Then use
Random random = new Random(42_424_242);
The Random constructor with a number selects a fixed random sequence, hence now you have got a sequence of numbers to encrypt/decrypte a byte sequence, say user xor-ing,
bytes[i] = (byte) (bytes[i] ^ random.nextInt(256));
Not unbeatable, but needs hacking.
I wrote a Java program which needs to read a local source data file (the data is to large to be hard-coded into the program). Is it possible that I create a JAR package for the program without containing the local source data file (in order to keep the file private)? Or I have to encrypt the local file?
There is no real way to keep the file or data private. Not even encryption. If your program can read the data, then any one who has the same permissions as your program on that machine can read that data. At best you can make it a little inconvenient for someone to read the data - but you cannot prevent it.
If you encrypt the file - where will you keep the encryption key. If you program can read the encryption key, then a person also can. If you hardcode the encryption key in the program, then again the key can be got from the program binary.
We are building a service to front fetching remote static files to our android app. The service will give a readout of the current md5 checksum of a file. The concept is that we retain the static file on the device until the checksum changes. When the file changes, the service will return a different checksum and this is the trigger for the device to download the file again.
I was thinking of just laying the downloaded files down in the file system with a .md5 file next to each one. When the code starts up, I'd go over all the files and make a map of file_name (known to be unique) to checksum. Then on requests for a file I'd check the remote service (whose response would only be checked every few minutes) and compare the result against that in the map.
The more I thought about this, the more I thought someone must have already done it. So before I put time into this I was wondering if there was a project out there doing this. I did some searching but could not find any.
Yes, it's built into HTTP. You can use conditional requests and cache files based on ETags, Last-Modified, etc. If you are looking for a library that implements your particular caching scheme, it's a bit unlikely that one exists. Write one and share it on GitHub :)
I've got a project from my college to make a folder lock application using Java.
I have no idea how to go about it. Please give some clues on how to make a folder\file password protected ?.
It is totally native dependent.
You need to protect/encrypt/hide the folder using native features.
and if your app validates the user reverse the process
A daemon thread or service will be running,for lock folder management that is for locking,unlocking, displaying alerts etc..
Going with fast and efficient encryption and decryption algorithm is also another challenge as the number of files in the folders grow ,the efficiency should not decline.
At the same time,users and password list should be secured which should not be os dependents. File tampering etc should also be dealt with !!
If you dont want it dependent on a specific OS you can go this way:
zip it using:
http://download.oracle.com/javase/1.3/docs/api/java/util/zip/package-summary.html
encrypt it using:
http://download.oracle.com/javase/1.4.2/docs/guide/security/CryptoSpec.html
delete safely the original data by first replacing all the characters in the files with random data and then deleting those files.