Android Question keep password in app

omidaghakhani1368

Well-Known Member
Licensed User
Hi.
How do I use a password in Basic4Android without anyone seeing my password in the code?

For example, I declare
Dim pass As String
pass = "111111"

Now if anyone extracts the APK file with apktool, they can see my password in the Java class file.

Is there any solution?
 

Cableguy

Expert
Licensed User
You have many solutions. The most common is to NOT hardcode the password inside your code. Instead, encrypt it to a file and read it when needed.
 

KZero

Active Member
Licensed User
Encryption will make it a bit harder, but it is still possible for advanced users to get the unencrypted password from memory.
 

Cableguy

Expert
Licensed User
Encryption will make it a bit harder, but it is still possible for advanced users to get the unencrypted password from memory.
The keyword being "advanced user"... Those with knowledge are able to break into the most secure domains and servers...
95% of Android users don't even know that a poorly structured app can drain the battery or have memory leaks...
 

omidaghakhani1368

Well-Known Member
Licensed User
Thank you, but I can extract many APK files and get the password from them and actually crack it.
I don't want my password to be seen in the code :(
 

KMatle

Expert
Licensed User
You could use RandomAccessFile to create an encrypted file (on first start, or provide it in File.DirAssets). Use try & catch for the decryption (to know if the pw is correct or wrong), so you don't have to put your pw in the code :D
 

omidaghakhani1368

Well-Known Member
Licensed User
I can use a variable in Process_Globals, select release (obfuscated) and decompile my APK file.
Yes, I searched for the variable value and did not find it in the Java class, and it's correct. I'm happy.
 

ArminKH

Well-Known Member
I have the same issue, Omid :-( and obfuscation does not guarantee my passwords' security 100% :-(
 

KMatle

Expert
Licensed User
Again: what is it good for?

Local login as some sort of admin? (Then: to do what?)

A good choice is to use RandomAccessFile. Put the user in the file and encrypt it with your password (generate it once and put it into File.DirAssets). Then decrypt it (use try/catch because almost all methods throw an exception, here if the pw is wrong).
 

ArminKH

Well-Known Member
I am using a PHP server to communicate with B4A.
On the client side I can send a parameter or any secure statement with parameters to PHP, and it returns a response.
But if somebody decompiles my app or sniffs my POST request, they can learn the structure of a valid POST request.
Now they can send requests without any limits, frequently, from any app or any simple HTML form.
So I decided to use a key on the client and server side.
Now if any request is sent to the server, on the PHP side I regenerate my key with a special algorithm, and if both of them are equal, PHP returns a valid response.
Now, to do this in a secure way, I use a string in Process_Globals to store my key.
And when I want to send a request, I encrypt it using MD5, combine my request with other statements and finally send it; on the server side I split that string and check my key, etc.
Now my problem is just storing my key on the client side; however, I know there is no 100% secure way to store a string except obfuscation.
And by using any encryption lib the result is the same, because we have to store our password key to decrypt it again.
And for more explanation about this, the thread
http://www.b4x.com/android/forum/th...crypted-file-in-code.20976/page-2#post-328792
is relevant.

@KMatle @Erel thank you both, and excuse me for my English
 

KMatle

Expert
Licensed User
OK, it's like all the others using PHP. No big thing. I would handle this with a login procedure:

1. ALL users have to register with a pw and get a registration mail with a link to click to finish registration (very simple with a MySQL database)
2. After registration ALL users have to log in via your app
3. With this you can check if a valid & logged-in user is using your app (all other PHP requests will not work because they have to log in). Maybe you want to use the IMEI, too (works only with phones)
4. When you need to store local data, use this mail address and the user's pw to encrypt a random access file.
5. Your code can then be analyzed by others, but without effect (knowing the POST/GET string will not harm anything without a login)

It's less about protecting the app; it's more about handling requests safely.

Example (registration): http://www.b4x.com/android/forum/th...on-using-httputils2-php-mysql-and-mail.42745/
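To make the difference between the two designs in this thread concrete, here is an added example (not from the thread, and not B4A or the poster's PHP): a minimal server-side model in Python of, first, the app-wide key approach described a few posts up (one key compiled into the APK, request tag recomputed on the server) and, second, the login procedure from the list above (steps 1, 2, 3 and 5). The server class, the `|`-free `action=...` payload format, the test account and the key values are all constructed for illustration; mail confirmation and the MySQL table are stood in for by an in-memory dictionary.

```python
import hashlib
import hmac
import secrets

# ---- Scheme 1: one app-wide key compiled into the APK ----
# Constructed value standing in for the string kept in Process_Globals.
APP_KEY = b"constructed-app-wide-key"

def sign_app_key(payload: str) -> str:
    """Client and server both compute an HMAC over the payload with the shared key."""
    return hmac.new(APP_KEY, payload.encode(), hashlib.sha256).hexdigest()

def server_check_app_key(payload: str, tag: str) -> bool:
    """The server accepts any payload whose tag matches. It cannot tell the real app
    from any other program that holds APP_KEY, which is exactly what the thread warns about."""
    return hmac.compare_digest(sign_app_key(payload), tag)

# ---- Scheme 2: per-user registration and login, per-session key ----
class Server:
    def __init__(self):
        self._users = {}     # email -> (salt, pbkdf2 hash): step 1, after the mail link is clicked
        self._sessions = {}  # session_id -> (email, session_key): step 2

    @staticmethod
    def _hash_pw(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[email] = (salt, self._hash_pw(password, salt))

    def login(self, email: str, password: str):
        """Returns (session_id, session_key) or None on a wrong password.
        The session key exists only for this login; nothing like it is stored in the APK."""
        rec = self._users.get(email)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, self._hash_pw(password, salt)):
            return None
        session_id, session_key = secrets.token_hex(16), secrets.token_bytes(32)
        self._sessions[session_id] = (email, session_key)
        return session_id, session_key

    def logout(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)

    def handle(self, session_id: str, payload: str, tag: str) -> str:
        """Step 3: every other request needs a live session. Step 5: a decompiled APK
        reveals the request format but contains no key that makes a request valid."""
        sess = self._sessions.get(session_id)
        if sess is None:
            return "rejected: not logged in"
        email, key = sess
        expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad signature"
        return f"ok ({email}): {payload}"

def client_sign(session_key: bytes, payload: str) -> str:
    """What the app does per request after login, using the key the server handed it."""
    return hmac.new(session_key, payload.encode(), hashlib.sha256).hexdigest()

def demo():
    # Scheme 1: holding the key is sufficient; the server has no notion of a user.
    accepted_with_key_only = server_check_app_key("action=list", sign_app_key("action=list"))

    # Scheme 2: requests are tied to a registered, logged-in user.
    srv = Server()
    srv.register("user@example.com", "correct horse")   # constructed test account
    assert srv.login("user@example.com", "wrong") is None
    sid, key = srv.login("user@example.com", "correct horse")
    ok = srv.handle(sid, "action=list", client_sign(key, "action=list"))
    no_login = srv.handle("0000", "action=list", client_sign(b"guess", "action=list"))
    bad_tag = srv.handle(sid, "action=list", client_sign(b"guess", "action=list"))
    srv.logout(sid)
    after_logout = srv.handle(sid, "action=list", client_sign(key, "action=list"))
    return accepted_with_key_only, ok, no_login, bad_tag, after_logout

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point the example makes is the one in the list above: in scheme 1 the server's only check is "does the caller know the app-wide key", so the value in Process_Globals is the whole defence and obfuscation is all that protects it. In scheme 2 the per-session key is generated by the server at login and never ships in the APK, so the request format can be public; a request is still rejected without a login, with a wrong key, and after logout. Sessions in a real deployment would also expire and be transported over HTTPS.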
 

ArminKH

Well-Known Member
@KMatle
Thank you again, but my app has a web service and identifies the users (checks user and pass with a site); then, if the user has an actual user and pass, he/she can create a username on my server.
Up to this step I don't have any problem.
And as you said, I can identify my user by email validation or by sending an SMS to the user's phone.
But if I use this way, then the registration steps become too long:
1. Enter username and pass
2. Wait for the web page to load
3. Enter the captcha security code
4. If identified, send a registration key to email
5. Enter the key
6. Check validation of the key and register the user
and some extra steps.

If I use my app and see 5, 6 or more steps to register, maybe it's better if I cancel registration on step 2 or 3 :D
 