Wish More Security

Discussion in 'Bugs & wishlist' started by chrjak, Feb 7, 2015.

  1. chrjak

    chrjak Active Member Licensed User

    In B4A apps you can read every password out of an APK... FTP, file encryption, etc.

    Could you make it harder to hack a password, Erel? For example a #Password# command, so that the string between these commands is encrypted in the APK, or something like that?
     
  2. DonManfred

    DonManfred Expert Licensed User

    Why are you storing unencrypted passwords in your code?
    If you need safety, DO IT YOURSELF. Use encrypted passwords (and so on) and compile your app obfuscated.
     
  3. chrjak

    chrjak Active Member Licensed User

    Is it possible to encrypt your password in the B4A code?

    If you code with Java it is possible to hide your password... I know.

    But even in obfuscated mode the password is visible in the main.java file... the only change is that the variable name is changed (that's what obfuscated mode does...)
     
    Last edited: Feb 7, 2015
  4. Cableguy

    Cableguy Expert Licensed User

    You have the encryption lib, and you have code obfuscation.
    General "good coding rules" say to never hard code passwords... encrypt them and save to a file. When needed, read the file and decrypt! Even assets can be encrypted now!
     
  5. chrjak

    chrjak Active Member Licensed User

    But then the password for the password file has to be hard coded!?
     
  6. wonder

    wonder Expert Licensed User

    Can anyone post a "good practice" example? I want to secure my DB password. So far I have it hard-coded in Process_Globals with obfuscation.
    I'm sure there's a better way.
     
  7. Cableguy

    Cableguy Expert Licensed User

    Give it a nonsense variable name and encrypt it to a file.
     
  8. wonder

    wonder Expert Licensed User

    Cool, I think I know how to do it! :)
     
  9. chrjak

    chrjak Active Member Licensed User

    Hey Cable,

    How do you decrypt the asset files when you don't use a hard-coded password?
     
  10. Cableguy

    Cableguy Expert Licensed User

    Search the forum, there are hundreds of examples... There is a tool to encrypt the assets folder and a tutorial on how to decrypt when needed. Just use "encrypt assets" in the search box, and guess what...!? It's the first result shown!!!!
     
  11. Erel

    Erel Administrator Staff Member Licensed User

    You should use Release obfuscated and set the string as a process global string. It will be obfuscated.
     
  12. chrjak

    chrjak Active Member Licensed User

    I know. I was there already. But that:

    Private Sub UnpackEncryptedAssets(StoreName As String, Password As String, Version As Int)
    ....
    End Sub

    Is hard code....
     
  13. chrjak

    chrjak Active Member Licensed User

    Thanks. I tested already. In the .java there is "" when you use obfuscated... Is there absolutely no way to make it visible? That is great :)
     
  14. Erel

    Erel Administrator Staff Member Licensed User

    There is always a way to decompile strings. Obfuscation makes it more difficult.
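
The point the thread ends on can be checked against your own build before release. The following is an added example, not code from any poster or from B4A: it looks for a known secret stored verbatim inside a packaged APK. The sample APK, the secret value and the XOR stand-in for an obfuscated literal are all constructed for illustration.

```python
import io
import zipfile


def encodings(secret: str) -> dict[str, bytes]:
    """Byte forms a string literal can take inside an APK."""
    return {
        "utf-8": secret.encode("utf-8"),         # dex string data (ASCII range), assets
        "utf-16le": secret.encode("utf-16-le"),  # UTF-16 string pools in resources
    }


def find_plaintext_secret(apk_bytes: bytes, secret: str) -> list[tuple[str, str]]:
    """Return (entry name, encoding) for every APK entry holding the secret verbatim."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)  # zipfile inflates compressed entries
            for label, needle in encodings(secret).items():
                if needle in data:
                    hits.append((name, label))
    return hits


def build_sample_apk(dex_payload: bytes) -> bytes:
    """Constructed stand-in for an APK: a zip holding a fake classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", b"dex\n035\x00" + dex_payload)
        z.writestr("assets/config.txt", b"host=ftp.example.invalid\n")
    return buf.getvalue()


SECRET = "Tr0ub4dor-ftp"  # constructed sample value

# Build 1: the password sits in the code as an ordinary string literal.
plain_apk = build_sample_apk(b"\x0d" + SECRET.encode() + b"\x00")

# Build 2: the literal is stored transformed. XOR with a fixed byte is only a
# stand-in here, not the scheme B4A's obfuscator uses.
masked = bytes(b ^ 0x5A for b in SECRET.encode())
masked_apk = build_sample_apk(b"\x0d" + masked + b"\x00")

if __name__ == "__main__":
    print("plain build :", find_plaintext_secret(plain_apk, SECRET))
    print("masked build:", find_plaintext_secret(masked_apk, SECRET))
    # An empty list means the literal is not stored verbatim. It does not mean
    # it cannot be recovered: the app still has to rebuild it at run time.
```

A clean result only rules out the verbatim string; a secret the app can reconstruct on the device is still recoverable from the device, which is why credentials that matter are usually kept server-side.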
     