Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
As you know anyone can access strings in an native application using a hex editor.
In a Java application it is possible to decompile the Bytecodes and access strings and other things (like application logic).
Now when I’m connecting to a database my password is stored in application strings.
How Can I protect these strings (passwords,…) against Hex editors & decompilation?
Thanks
Nothing you release to the public is private. There is no protection scheme that a sufficiently motivated attacker cannot break. If anybody had one, they’d be making millions selling it to Hollywood! (Plenty of people are making millions selling ones that don’t work…)
You have three basic options:
1) Design the database with procedures and permissions such that having the direct login doesn’t allow the user to do anything they couldn’t have done through the application anyway.
2) Tie user accounts to database accounts and have users login with their own username.
3) Put an application server in front of the database. Your client connects to the application server and calls service methods on it. So only those functions you expose on the app server are exposed to the public. This is the standard way of doing things.