I need to write automated test scripts for webapp and tests require user credentials for login recieved from csv file. The problem is that it's my personal credentials and they are shared for some other services but all project is under svn and I need some way to hide my credentials.
I there some way to store credentials in some "closed" method or library and get credentials with methods like getUserName() and getPassword().
Thanks.
You can save them to properties file and encrypt it.. Now, when your web application up, it will decrypt file and read all credentials store in memory using java.util.Properties and than you can use them whenever you want.
Related
I'm developing an Android app which has a service to upload images/files to a FTP server.
To make that possible, the app on the device has to log in into the FTP server before sending data.
And here comes my problem. The user does not need to / have to know about the FTP login data. Only the app itself. I have to store the login data in the Java class. But how should I secure the user and password?
I could encrypt it or obfuscate it. But I think it would be possible for a hacker to read the password at the runtime when the "setPassword(passwordString) methods is called by the JVM:
String passwordString = "myPass";
JSch ssh = new JSch();
session = ssh.getSession(SFTP_USER, HOST_ADDRESS, 22);
session.setPassword(passwordString);
So how could I store my credentials inside the APK file and secure them? I don't want anyone to get access to my FTP server.
how could I store my credentials inside the APK file and secure them? I don't want anyone to get access to my FTP server.
The stated problem cannot be solved.
It does not matter how clever your obfuscation technique is. If you hide fixed credentials in the APK file then someone who analyses your app is going to find them.
If you take only one thing from this answer, let it be that having a single, static password for your server is extremely problematic, as you'll never be able to change the password server-side, because you'd break all the apps. It will be a matter of time before your password is public knowledge and there will be nothing you can do about it.
Any reasonable approach requires separate access credentials for every individual user.
A traditional user sign-up system that involves a confirmation email is a pretty good approach. You can use something like Google+ sign-in or Facebook Connect to minimize the hassle for the end user.
If you absolutely insist on having zero user interaction, an approach that might work (somewhat) is to have the app register for Google Cloud Messaging and then send it a push notification containing access credentials, which the app will store in the KeyChain.
If you generate a unique user ID and password for every app installation, you'll be able to monitor the server and block any abusive access credentials without affecting any of the other users. If you somehow factor the code signing identity of the APK file into the process, you'll have a basic defense against people repackaging your app. This approach will not protect you against an intelligent attacker, but it might raise the bar high enough for your purposes.
Also, regardless what you do, be sure to properly verify your server's SSL certificate. If you don't, an attacker will simply run your connection through a proxy server.
I wish to publish my app with open source as example for users. The problem is that I have class that downloads from ftp, and there is password and username written in the class. I wish to hide this information from user. I made an external jar file but with site like: http://jd.benow.ca/ that is Java Decompiler it can be easily opened, how can I hide and make it hard to hack to the username and password that written in one of my classes?
Creates a file where you'll register your username and password. Then you just have to never commit this file in your repository and not share it.
This topic is very similar to yours, maybe the answer will interest you: How can I protect MySQL username and password from decompiling?
In case of an open source project, use web service for assigning username and password to the user who is using project with there application. To implement this, you need to implement some SOAP base approach with axis-2 in java, if that LIB is build in java and simply call the methods with your business logic.
Last but not the least, try to create username and password for the user who download's this LIB so that you don't need to share your username and password with the jar of source files .
I'm developing a Java application which is run in Windows domain environment.
To authenticate users I'm using Krb5LoginModule available in JAAS.
JAAS Login Configuration File (let's call it jaas.conf) is embedded in application jar, which is stored on network share (read-only access).
Now every user can copy the application jar to his local disk, edit jaas.conf, and set his own LoginModule which would allow him to act as different user.
Is there any way to prevent this? How to secure the application?
Usr e Pwd must be provided by user. You have to call your own login interface where the user can provide username and password. Why you want put the usr&pwd into the jaas.conf?
Anyway, if you want to lock the usr&pwd you can
use certificate
crypt into the file
write into a code
I have to create a java application wich makes a connection to a DB.
Everything is easy until this point. But I need to include a configuration option with the porpouse of allow the end user enter their own parameters (server host, user, pass, database, port, etc.) in order to connect to the DB. Another easy task. Now every time the user starts the application I need to read these presets given by the end user, in other way remember the user's connection preferences.
I found an easy way to do this using the Properties library in the Java's API. But I have a security issue. The user's preferences are exposed to be access easily (username and password mainly).
Is there a way to save this parameters encrypted?
I need a good and simpliest solution for this security issue.
I doubt it. In FileZilla Client 3.6.0.2, I found my login data easily without encrypted. If it was possible to save this parameters encrypted, FileZilla would do it.
I am trying to create an application (in java) to monitor files in Dropbox (File added, File deleted, File modified... etc). I can get my application to generate a https url using the DropboxAPI. The problem is that I have to manually copy and paste the url into a browser, log in on that browser and hit allow. Once they do this once I can easily store the information so they do not have to redo this process. Unfortunately the program does not stay running up and is frequently restarted.
My hope is that it is possible to get past this step since I will have access to the users Dropbox password and username already in the application.
Any suggestions?
When you say "easily store this information", what information are you storing and where are you storing it?
Once you finish the OAuth flow, save the access token somewhere persistent (like to a file or to a database). That way, if your program gets restarted you just load the access token and use that without re-doing the OAuth flow.
In the official Dropbox Java SDK, load your saved access token and then call setAccessTokenPair.
I have written a simple program to upload files to dropbox server, for backup purpose.
If you are looking for an implementation . You may check out the code via https://github.com/Jintian/dropbox.