Android Question jRDC Security

alyami · Jul 20, 2024

When decompile APK file it was very easy to find jRDC server address and all SQL command name,

How can we secure this not to be disclosed?

aeric · Jul 20, 2024

There must be something wrong with your design.
You should write queries to allow read/write if the conditions are met such as checking for username and password.

Erel · Jul 21, 2024

1. You cannot really hide data inside your app.
2. All communication, including SSL, can be decrypted quite easily. It is a matter of installing a trusted certificate and a proxy.
This is true with any programming language.

alyami · Jul 21, 2024

I think you misunderstand me, I am talking about the APK file for Android, if a hacker get the APK file for jRDC App, he can easily decompile it then get all information needed to access data on server the way he likes.

this website decompile APK of your releases App, then produce all Java files of your source code where you can find everything

APK decompiler - decompile Android .apk ✓ ONLINE ✓

Decompile Android Apk applications and extract Java source code and resources ✓ ONLINE ✓

www.javadecompilers.com

you will get 2 folders:
resouces
soureces

your code will be at source\"Package name"
sources\b4a\"your app name"

b4xmainpage.java is where most of your code in, text format

try it

Erel · Jul 21, 2024

We both exactly understood you.

Erel · Jul 21, 2024

Think of a bank account. They will never rely on anything "secret" inside the client app.

If you are letting your users access sensitive data then you must authenticate your users. And do it correctly (on the server side).

aeric · Jul 21, 2024

The point is let say Bob extract your APK, he get the server URL and the names of the command. The command eg. "sql.LoginUser" does not provide the actual SQL command, as the actual command is stored at the server. If he is a registered user, of course he can execute the command and get back a result to let him access as his access. He is still unable to do other things what he not suppose to do. You can use encryption, restrict by user access control or roles, return a short live token or whatsoever to make it harder if you are concern. Bob doesn't have full access to the database such as Delete a table or updating other user's data. The queries or available commands must be very limited.

knutf · Jul 24, 2024

Based on Erel's original thread about jRDC2, it is not easy for me to understand how authentication on the server side should be done. Can someone please show an example. It is nice if the example is based on Erel's example.

aeric · Jul 24, 2024

knutf said:
Based on Erel's original thread about jRDC2, it is not easy for me to understand how authentication on the server side should be done. Can someone please show an example. It is nice if the example is based on Erel's example.

I suggest you start a new thread.

knutf · Jul 24, 2024

aeric said:
suggest you start a new thread.

It's here

Android Question jRDC Security

alyami

Member

aeric

Expert

Erel

B4X founder

alyami

Member

APK decompiler - decompile Android .apk ✓ ONLINE ✓

Erel

B4X founder

Erel

B4X founder

aeric

Expert

knutf

Active Member

aeric

Expert

knutf

Active Member

Similar Threads

Android Question jRDC Security

Member

Expert

B4X founder

Member

B4X founder

B4X founder

Expert

Active Member

Expert

Active Member

Similar Threads

Privacy & Transparency

Privacy & Transparency