I develop application with Java.
I need to store some initial configuration data in some kind of file.
I want my app to be able to read this data, but I don't want user to do so.
Example : application loads IP from encrypted file. User sees like "dsda##21da#" so he won't bother doing anything :)
How should I do such a thing?
Thanx!
Are we talking about standard users or IT-savvy users?
For standard users i'd recommend to store the string base64 encoded. Or Just in an undefined binary format.
Otherwise... encryption with a hardcoded key?
If (as you say) you manage user passwords, you should not store them at all. Clear text, static keys, custom keys, it doesn't matter - someone with access to the data store and your program will always be able to retrieve them. What you do instead is use salt and a good hash function and store/compare only the hash values.
Possibly OT, but since you mentioned it is configuration data; I know I'd be a little peeved to have gibberish shown to me by an application. Either allow the users to see the data, and modify it at their risk ... or do not allow the configuration to be visible at all.
As a rule of thumb, if it is sensitive data ... don't store it in your application.
Related
In my software I want to store some data, that later they will be used. Something like a database to hold data:
Date, source path, destination path, and an array of file names.
Also another table to hold information about ftp connection:
Host, port, username and password
I need to know what methods are available to store and parse these data. I noticed there is a file type called .csv, is this an option for me? And is there any other option?
I think this depends a lot on how much data you want to store and how you need to access it.
If your application is going to be collecting a lot of structured data, such as user profiles, or product information, ie, if your application is all about a database then, yes as others have commented some sort of SQL database would make sense.
If your needs are more along the lines of just storing some "session" information, maybe like the last state of a GUI form for example, you might want to just serialize the data and write it to a simple text file.
One simple way to do that would be to serialize the data in a human readable format such as JSON and then write the text to a file, and then read it back and deserialize it when you need to restore it from storage.
If this is what you are looking for take a look at gson (from google), it provides a very easy what to convert a java object to JSON and back again.
JSON, is just text, so you can just read and write it to a simple text file.
I am developing an android application through which i am sending a mail via GMAIL API.
To send mail via GMAIL API i have to give them my ID and password.
GMailSender m = new GMailSender("myemailhere#gmail.com",
"mypasswordhere");
and i know writing password like this is not at all safe as my password could easily be stolen by extracting my apk and alsostoring the password in strings.xml is also not secure as xml can also retrieved.
my question is-
Is there any other way to write password in my file so that it remain secure??
The short answer is not. You shouldn't store your password anywhere in the code or in any file.
Even if you encrypt it like someone said you will have to store it's decryption algorithm/key somewhere in the code, which will be easily reverse engineered.
No,It's not safe to store passwords on the device.
small advice is always store passwords in char[] in encrypted form rather than storing in a String whenever it is mandatory to store.
Since Strings are immutable in Java if you store password as plain text it will be available in memory until Garbage collector clears it and since Strings are used in String pool for re-usability there is pretty high chance that it will be remain in memory for long duration, which pose a security threat. Since any one who has access to memory dump can find the password in clear text and that's another reason you should always use an encrypted password than plain text. Since Strings are immutable there is no way contents of Strings can be changed because any change will produce new String. So Storing password in character array clearly mitigates security risk of stealing password.
Storing passwords is not considered safe, and shouldn't be done if at all avoidable. There are a few considerations, if you have to for some reason.
The best place to store such things is in private SharedPreferences. These are not readable by anything but the app, or rooted devices. Do not store on external storage!!!
Encryption can always be undone, but if you have to, then it would be better than nothing, requiring more work to undo. Use a key which is unique to each device.
Some sort of a token, such as is used by Oauth, could be a solution. This isn't perfectly secure either, but it could be.
Google provides more secure APIs for it's functions. You really should look in to that.
I am making an auto chat client like Cleverbot for school. I have everything working, but I need a way to make a knowledge base of responses. I was going to make a matrix with all the responses that I need the bot to say, but I think it would be hard to edit the code every time I want to add a responses to the bot. This is the code that I have for the knowledge base matrix:
`String[][] Database={
{"hi","hello","howdy","hey"},//possible user input
{"hi","hello","hey"},//response
{"how are you", "how r u", "how r you", "how are u"},
{"good","doing well"}`
How would I make a matrix like this from a text file? Is there a better way than reading from a text file to deal with this?
You could...
Use a properties file
The properties file is something that can easily be read into (and stored from, but you're not interested in that) Java. The class java.util.Properties can make that easier, but it's fairly simple to load it and then you access it like a Map.
hello.input=hi,hello,howdy,hey
hello.output=hi,hello,hey
Note the matching formats there. This has its own set of problems and challenges to work with, but it lets you easily pull things in to and out of properties files.
Store it in JSON
Lots of things use JSON for a serialization format. And thus, there are lots of libraries that you can use to read and store from it. It would again make some things easier and have its own set of challenges.
{
"greeting":{
"input":["hi","hello","howdy","hey"],
"output":["hi","hello","hey"]
}
}
Something like that. And then again, you read this and store it into your data structures. You could store JSON in a number of places such as document databases (like couch) which would make for easy updates, changes, and access... given you're running that database.
Which brings us to...
Embedded databases
There are lots of databases that you can stick right in your application and access it like a database. Nice queries, proper relationships between objects. There are lots of advantages to using a database when you actually want a database rather than hobbling strings together and doing all the work yourself.
Custom serialization
You could create a class (instead of a 2d array) and then store the data in a class (in which it might be a 2d array, but that's an implementation detail). At this point, you could implement Serializable and write the writeObject and readObject methods and store the data somehow in a file which you could then read back into the object directly. If you have the administration ability of adding new things as part of this application (or another that uses the same class) you could forgo the human readable aspect of it and use the admin tool (that you write) to update the object.
Lots of others
This is just the tip of the iceberg. There are lots of ways to go about this.
P.S.
Please change the name of the variable from Database to something in lower case that better describes it such as input2output or the like. Upper case names are typically reserved for class names (unless its all upper case, in which case it's a final static field)
A common solution would be to dump the data in to a properties file, and then load it with the standard Properties.load(...) method.
Once you have your data like that, you can then access the data by a map-like interface.
You could find different ways of storing the data in the file like:
userinput=hi,hello,howdy,hey
response=hi,hello,hey
...
Then, when you read the file, you can split the values on the comma:
String[] expectHello = properties.getProperty("userinput").split(",");
What I am doing is making a console blackjack for fun. I want to save the money so users can play day by day but I don't want to save it in a text file where the user can easily change the amount as they please.
I already thought of making a hidden file or a encrypted file with a password but I don't like that. I want it to be sort of like when you open some random dll file, all you see is gibberish that you can't understand.
A bulletproof way to prevent users from tampering with their stats is to store stats away from them, on a remote server. This will require users to be online during play, though. OTOH you'd be able to show a ladder of top players and so on.
An encrypted file is probably the best route if you want offline storage. You just need to hide the file properly.
Before modifying the file, read its modification time. After the update, restore the time. The user will have harder time figuring out which file has changed.
Use an innocent file used by your game with a data block inside allowed by format. It could be an XML file storing the encrypted string in a comment. It could be a JPG or PNG file storing the encrypted string in a comment or EXIF section, at a known offset (so you don't need to parse the file). WAV, OGG, MP3 also allow inclusion of non-interpreted data. This is not real steganography when you hide your data inside the actual pixel values and such, and is far easier.
I suppose you understand that a determined cracker with a disassembler and a debugger can crack this scheme. But an average user probably won't bother.
It sounds like you are talking about Steganography, but traditional encryption is probably safer and easier to implement.
You can encrypt the values within the file:
Have a look at: http://dinofilias.com/encrypt.htm
With basic encryption like this as long as the user does not have access to the key, your data is relatively secure.
You can get the effect of having a file that contains gibberish using encryption. Just save the encrypted data as bytes (not converted to ASCII representation). Since the encrypted data can have values between 0x00 and 0xFF, there will be gibberish.
Here is a simple example of how to encrypt text: http://www.exampledepot.com/egs/javax.crypto/desstring.html
Android's security manual says that it is not safe to keep public key (used for Android market) just as a string and it should be hidden/encoded somehow.
Can somebody please provide me with example how it can be done?
(I don't have separate server, so it can not be stored there)
Upd. Believe, this is quite common task related not to Android, but to other apps also.
The relevant text from the page you linked to is this:
Important: To keep your public key safe from malicious users and
hackers, do not embed your public key as an entire literal string.
Instead, construct the string at runtime from pieces or use bit
manipulation (for example, XOR with some other string) to hide the
actual key. The key itself is not secret information, but you do not
want to make it easy for a hacker or malicious user to replace the
public key with another key.
That's pretty much all you need to know. There's no harm in people knowing your public key, the potential harm here is that someone replaces the public key in your program with their own in an effort to divert in-app purchases to their own account.
They're suggesting that you make it more difficult for that attacker by storing the key in separate pieces or XORing the key with some other string. Now, instead of just pasting their key over yours, they have to figure out what transforms you're doing to the string and make their own key fit that pattern. This is more work and might deter casual attackers, but won't prevent someone who is really determined.
If you use the Keytool utility this is all done for you. You'll get a .keystore file on your local computer containing your private key(s) that is encrypted with a password; keep that file and the password secret and you're secure.
http://developer.android.com/guide/publishing/app-signing.html
In fact I believe the Android plugin for Eclipse even does all of this for you automatically.
On the public key, you can hash it and save it as a hash value. Better yet would be to salt the hash value with something you would know when you need to get the hashed value back. May be something like user name, or ESN. Look at android.telephony.TelephonyManager.getDeviceId()