Android Question keep password in app

Discussion in 'Android Questions' started by omidaghakhani1368, Feb 12, 2015.

  1. omidaghakhani1368

    omidaghakhani1368 Well-Known Member Licensed User

    Hi.
    How do I use a password in Basic4android without anyone seeing my password in the code?

    For example, I declare:
    Dim pass As String
    pass = "111111"

    Now, if anyone extracts the APK file with apktool, they can see my password in the Java class file.

    Is there any solution?
     
    ArminKH likes this.
  2. Cableguy

    Cableguy Expert Licensed User

    You have many solutions. The most common is to NOT hardcode the password inside your code. Instead, encrypt it to a file and read it when needed.
     
  3. KZero

    KZero Active Member Licensed User

    Encryption will make it a bit harder, but it is still possible for advanced users to get the unencrypted password from memory.
     
  4. Cableguy

    Cableguy Expert Licensed User

    The keyword being "advanced user"... Those with knowledge are able to break into the most secure domains and servers...
    95% of Android users don't even know that a poorly structured app can drain the battery or have memory leaks...
     
    KZero likes this.
  5. KMatle

    KMatle Expert Licensed User

    :D:D:cool:

    What is the reason you need that pw? Maybe there is a better way...
     
    thedesolatesoul, KZero and Cableguy like this.
  6. omidaghakhani1368

    omidaghakhani1368 Well-Known Member Licensed User

    Thank you, but I can extract many APK files, get the password from them and actually crack them.
    I don't want my password seen in the code :(
     
  7. Erel

    Erel Administrator Staff Member Licensed User

    omidaghakhani1368 and eps like this.
  8. KMatle

    KMatle Expert Licensed User

    Take a step back: What are you doing with this password? What is it good for?
     
  9. omidaghakhani1368

    omidaghakhani1368 Well-Known Member Licensed User

    For logging in to my panel. If my username and password are seen in the code, my site would be hacked.
     
  10. eps

    eps Well-Known Member Licensed User

    See Erel's post above.
     
  11. omidaghakhani1368

    omidaghakhani1368 Well-Known Member Licensed User

  12. omidaghakhani1368

    omidaghakhani1368 Well-Known Member Licensed User

    I can get a good result by declaring the string in Sub Globals. Thank you @Erel
     
  13. KMatle

    KMatle Expert Licensed User

    You could use Random Access File to create an encrypted file (on first start, or provide it in Dir.Assets). Use try & catch for the decryption (to know if the pw is correct or wrong), so you don't have to put your pw in the code :D
     
  14. omidaghakhani1368

    omidaghakhani1368 Well-Known Member Licensed User

    I can use a variable in Process_Globals, select Release (obfuscated) and decompile my APK file.
    Yes, I searched for the variable value and did not find it in the Java class, and it's correct, I'm happy
     
  15. ArminKH

    ArminKH Well-Known Member

    I have the same issue, Omid :-( and obfuscation does not guarantee my passwords' security 100% :-(
     
  16. KMatle

    KMatle Expert Licensed User

    Again: What is it good for?

    Local Login as some sort of Admin? (then: to do what?)

    A good choice is to use Random Access File. Put the user in the file and encrypt it with your password (generate it once and put it into Dir.Assets). Then decrypt it (use try/catch because almost all methods throw an exception, here if the pw is wrong).
     
  17. Erel

    Erel Administrator Staff Member Licensed User

    Obfuscation will obfuscate all process global strings. The result will be quite difficult to reverse engineer.
     
  18. ArminKH

    ArminKH Well-Known Member

    I am using a PHP server to communicate with B4A.
    On the client side I can send a parameter or any secure statement with parameters to PHP, and that returns a response.
    But if somebody decompiles my app or sniffs my POST request, then they can know the structure of a valid POST request.
    Now they can send requests without any limits, frequently, from any app or any simple HTML form.
    So I decided to use a key on the client and server side.
    Now if any request is sent to the server, then on the PHP side I regenerate my key with a special algorithm, and if both of them are equal, then PHP returns a valid response.
    Now, to do this in a secure way, I use a string in Process_Globals to store my key.
    And when I want to send a request, I encrypt that using MD5, combine my request with other statements and at last send it; on the server side I split that string and check my key, etc......
    Now my problem is just storing my key on the client side; however, I know there is no 100% secure way to store a string except obfuscation.
    And by using any encryption lib the result is the same, because we should store our password key to decrypt it again.
    And for more explanation about this, the thread
    http://www.b4x.com/android/forum/th...crypted-file-in-code.20976/page-2#post-328792
    is relevant.

    @KMatle @Erel thank you both, and excuse me for my English
     
    Last edited: Apr 2, 2015
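The keyed-request scheme described in the post above, as an added example that is not code from the thread or from B4A. It generalises the MD5-and-concatenate idea to HMAC-SHA256 over a canonical string that also carries a timestamp and a nonce, so a request captured with a sniffer cannot be replayed or edited, and it shows both sides: the client's signing and the server's check with a constant-time comparison. The key value, the function and class names and the sample request are constructed for this example; the server side is written in Python rather than PHP, but the checks are the same.

```python
"""Keyed request signing between an app and its API, both sides.

Added example, not code from the thread: it generalises the scheme in the
post above (MD5 over the request plus a key stored in Process_Globals) to
HMAC-SHA256 over a canonical string that also carries a timestamp and a
nonce, so a captured request cannot be replayed or edited. The key value,
function names and the sample request are constructed for this example.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed shared secret. A key compiled into the APK is recoverable by
# anyone who decompiles it, so in practice this should be a per-user key
# issued by the server at login; the signing logic is the same either way.
API_KEY = b"constructed-shared-key-replace-per-user"
MAX_CLOCK_SKEW = 300  # seconds; older or future-dated requests are refused


def canonical_string(params: dict, timestamp: int, nonce: str) -> bytes:
    """Bytes both sides build identically: sorted, URL-encoded parameters,
    so that key order and special characters cannot change the digest."""
    body = urlencode(sorted(params.items()))
    return f"{timestamp}\n{nonce}\n{body}".encode()


def sign_request(params: dict, key: bytes, timestamp=None, nonce=None) -> dict:
    """Client side: return params plus the ts, nonce and sig fields to send."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    digest = hmac.new(key, canonical_string(params, timestamp, nonce),
                      hashlib.sha256).hexdigest()
    return {**params, "ts": str(timestamp), "nonce": nonce, "sig": digest}


class Verifier:
    """Server side: recompute the MAC and reject stale or repeated requests."""

    def __init__(self, key: bytes, now=time.time):
        self.key = key
        self.now = now   # injectable clock so the behaviour is testable
        self.seen = {}   # nonce -> timestamp, for replay detection

    def verify(self, request: dict):
        fields = dict(request)
        try:
            sig = str(fields.pop("sig"))
            nonce = str(fields.pop("nonce"))
            timestamp = int(fields.pop("ts"))
        except (KeyError, ValueError):
            return False, "missing signature fields"
        now = int(self.now())
        if abs(now - timestamp) > MAX_CLOCK_SKEW:
            return False, "stale timestamp"
        expected = hmac.new(self.key, canonical_string(fields, timestamp, nonce),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison: a plain == leaks the digest byte by byte.
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return False, "bad signature"
        # Only nonces of correctly signed requests are recorded, so an
        # attacker cannot pre-fill the table to block legitimate requests.
        if nonce in self.seen:
            return False, "replayed nonce"
        self.seen[nonce] = timestamp
        # Forget nonces too old to pass the freshness check anyway.
        self.seen = {n: t for n, t in self.seen.items()
                     if now - t <= MAX_CLOCK_SKEW}
        return True, "ok"


if __name__ == "__main__":
    request = sign_request({"user": "omid", "action": "list"}, API_KEY)
    server = Verifier(API_KEY)
    print(server.verify(request))   # (True, 'ok')
    print(server.verify(request))   # (False, 'replayed nonce')
```

The nonce table is what stops the "send it again as often as you like" problem the post describes; the timestamp bounds how long the table has to be kept. What the signature alone cannot do is hide the key from someone who decompiles the app, which is why the following posts move to a per-user login instead of a key shared by every installation.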
  19. KMatle

    KMatle Expert Licensed User

    OK, it's like all the others using PHP. No big thing. I would handle this with a login procedure:

    1. ALL users have to register with a pw and get a registration mail with a link to click to finish registration (very simple with a MySQL database)
    2. After registration ALL users have to log in via your app
    3. With this you can check if a valid & logged-in user is using your app (all other PHP requests will not work because they have to log in). Maybe you want to use the IMEI, too (works only with phones)
    4. When you need to store local data then use this mail address and the user's pw to encrypt a random access file.
    5. Your code can then be analyzed by others but without effect (knowing the POST/GET string will not harm anything without a login)

    It's less about protecting the app - it's more about handling requests safely.

    Example (registration): http://www.b4x.com/android/forum/th...on-using-httputils2-php-mysql-and-mail.42745/
     
    Peter Simpson likes this.
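The register, confirm, log in, then authorise-every-request flow from steps 1 to 3 and 5 above, as an added example that is not code from the thread or from the linked B4X tutorial (which uses PHP and MySQL). This is an in-memory Python model of the server side with the mail and HTTP layers left out; the class and method names, the PBKDF2 parameters and the sample account are constructed for the example. The point it makes concrete is that the app itself carries no secret: the server keeps only a salted password hash, hands out a random session token at login, and answers other requests only when that token is present.

```python
"""Server-side register / confirm / login / authorise flow (added example).

Not code from the thread or the linked tutorial: an in-memory model of the
procedure in the post above, written so that a decompiled client reveals
nothing useful. Names and parameters are constructed for this example.
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000   # constructed; tune to your server's budget
PBKDF2_SALT_LEN = 16


class AuthServer:
    def __init__(self):
        self.users = {}     # email -> {"salt": bytes, "hash": bytes, "verified": bool}
        self.pending = {}   # email -> confirmation code (what the mail link carries)
        self.sessions = {}  # session token -> email

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   PBKDF2_ITERATIONS)

    def register(self, email: str, password: str) -> str:
        """Step 1: store only a salted hash; return the code for the mail link."""
        if email in self.users:
            raise ValueError("already registered")
        salt = secrets.token_bytes(PBKDF2_SALT_LEN)
        self.users[email] = {"salt": salt, "hash": self._hash(password, salt),
                             "verified": False}
        code = secrets.token_urlsafe(24)
        self.pending[email] = code
        return code

    def confirm(self, email: str, code: str) -> bool:
        """Step 1, second half: the user clicks the link carrying the code."""
        expected = self.pending.get(email)
        if expected is None or not hmac.compare_digest(expected.encode(),
                                                       code.encode()):
            return False
        self.users[email]["verified"] = True
        del self.pending[email]
        return True

    def login(self, email: str, password: str):
        """Step 2: check the password; return a fresh session token or None."""
        user = self.users.get(email)
        # Hash even for unknown emails so response time does not reveal
        # which addresses are registered.
        salt = user["salt"] if user else bytes(PBKDF2_SALT_LEN)
        stored = user["hash"] if user else bytes(32)
        candidate = self._hash(password, salt)
        if user is None or not user["verified"] \
                or not hmac.compare_digest(candidate, stored):
            return None
        token = secrets.token_urlsafe(32)   # random, unguessable, app-independent
        self.sessions[token] = email
        return token

    def handle(self, token: str, action: str) -> dict:
        """Step 3 / 5: every other request is refused without a valid token,
        so knowing the request format from a decompiled app gains nothing."""
        email = self.sessions.get(token)
        if email is None:
            return {"ok": False, "error": "login required"}
        return {"ok": True, "user": email, "action": action}

    def logout(self, token: str) -> bool:
        return self.sessions.pop(token, None) is not None


if __name__ == "__main__":
    server = AuthServer()
    code = server.register("omid@example.com", "correct horse battery")  # constructed account
    server.confirm("omid@example.com", code)
    token = server.login("omid@example.com", "correct horse battery")
    print(server.handle(token, "list"))      # ok: True
    print(server.handle("forged", "list"))   # login required
```

Tokens here live in memory and never expire; a real deployment would store them server-side with an expiry and send them over TLS only, since a sniffed token is as good as a password until it is revoked.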
  20. ArminKH

    ArminKH Well-Known Member

    @KMatle
    Thank you again, but my app has a web service and identifies the users (checks user and pass with a site); then, if the user has a real user and pass, he/she can create a username on my server.
    Up to this step I don't have any problem.
    And as you said, I can identify my user by email validation or by sending an SMS to the user's phone.
    But if I use this way, then the registration steps become too long:
    1- Enter username and pass
    2- Wait for the web page to load
    3- Enter the captcha security code
    4- If identified, then send a registration key to the email
    5- Enter the key
    6- Check the validity of the key and register the user
    and some extra steps

    If I used my app and saw 5, 6 or more steps to register, maybe it would be better if I cancelled registration at step 2 or 3 :D
     