Wish More Security

chrjak

Active Member
Licensed User
In B4A apps you can read every password out of an APK... FTP, file encryption, etc.

Could you make it harder to hack a password, Erel? For example, a #Password# command, so that the string between this command will be encrypted in the APK or something like that?
 

DonManfred

Expert
Licensed User
Why are you storing unencrypted passwords in your code?
If you need safety, DO IT YOURSELF. Use encrypted passwords (and so on), and compile your app obfuscated.
 

chrjak

Active Member
Licensed User
Is it possible to encrypt your password in the B4A code?

If you code with Java it is possible to hide your password... I know.

But even in obfuscated mode the password is visible in the main.java file... the only change is that the variable name is changed (that's what obfuscated mode does...)
 

Cableguy

Expert
Licensed User
You have the encryption lib, and you have code obfuscation.
General "good coding rules" say to never hard code passwords... encrypt them and save to a file. When needed, read the file and decrypt! Even assets can be encrypted now!
 

wonder

Expert
Licensed User
Can anyone post a "good practice" example? I want to secure my DB password. So far I have it hard-coded in Process_Globals with obfuscation.
I'm sure there's a better way.
 

chrjak

Active Member
Licensed User
Hey Cable,

How do you decrypt the asset files when you don't use a hard-coded password?
 

Cableguy

Expert
Licensed User
Search the forum, there are hundreds of examples... There is a tool to encrypt the assets folder and a tutorial on how to decrypt when needed. Just use "encrypt assets" in the search box, and guess what...!? It's the first result shown!!!!
 

Erel

Administrator
Staff member
Licensed User
You should use Release obfuscated and set the string as a process global string. It will be obfuscated.
 

chrjak

Active Member
Licensed User
> Search the forum, there are hundreds of examples... There is a tool to encrypt the assets folder and a tutorial on how to decrypt when needed. Just use "encrypt assets" in the search box, and guess what...!? It's the first result shown!!!!

I know. I was there already. But that:

Private Sub UnpackEncryptedAssets(StoreName As String, Password As String, Version As Int)
....
End Sub

Is hard-coded....
 

chrjak

Active Member
Licensed User
> You should use Release obfuscated and set the string as a process global string. It will be obfuscated.

Thanks. I tested already. In the .java there is "" when you use obfuscated... Is there absolutely no way to make it visible? That is great :)
 

Erel

Administrator
Staff member
Licensed User
There is always a way to decompile strings. Obfuscation makes it more difficult.
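
Added example (not part of the thread, and not B4A or forum-provided code): a small Python pre-release check that scans B4A source for the two patterns raised above, a string literal assigned to a password-like variable (as in Process_Globals) and a literal passed as the Password argument of UnpackEncryptedAssets. The name patterns and the sample source are constructed assumptions.

```python
import re
# Identifier fragments that suggest a credential (assumption: tune per project).
SECRET_NAME = re.compile(r"pass|pwd|secret|token|apikey", re.I)
# B4A declaration or assignment whose right-hand side is a string literal.
ASSIGN = re.compile(r'^\s*(?:(?:Dim|Private|Public)\s+)?(\w+)'
                    r'(?:\s+As\s+String)?\s*=\s*"((?:[^"]|"")*)"', re.I)
# Call to the helper named in the thread; its second parameter is Password.
UNPACK = re.compile(r"\bUnpackEncryptedAssets\s*\((.*)\)", re.I)
# Constructed sample source, not taken from the thread.
SAMPLE = '''Sub Process_Globals
    Private DbPassword As String = "s3cret" ' constructed value
End Sub
Sub Activity_Create(FirstTime As Boolean)
    UnpackEncryptedAssets("store, v1", "hunter2", 3)
    UnpackEncryptedAssets("store", UserEnteredPassword, 3)
End Sub'''

def strip_comment(line):  # drop a ' comment unless the ' is inside "..."
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line

def split_args(argtext):  # split on commas that are outside string literals
    args, in_str = [""], False
    for ch in argtext:
        if ch == '"':
            in_str = not in_str
        if ch == "," and not in_str:
            args.append("")
        else:
            args[-1] += ch
    return [a.strip() for a in args]

def find_hardcoded_secrets(source):
    """Return (line_number, reason) for each hard-coded credential found."""
    findings = []
    for no, raw in enumerate(source.splitlines(), 1):
        line = strip_comment(raw)
        m = ASSIGN.match(line)
        if m and m.group(2) and SECRET_NAME.search(m.group(1)):
            findings.append((no, "literal assigned to " + m.group(1)))
        c = UNPACK.search(line)
        args = split_args(c.group(1)) if c else []
        if len(args) >= 2 and args[1].startswith('"'):
            findings.append((no, "literal Password argument"))
    return findings
```

A clean result only means these patterns are absent from the source; any secret the app still needs at runtime remains recoverable from the APK, as the last post says.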
 