Is there a way to save a static password in a way that it’s really hard to find in the compiled app?
There are two different apps I need that for. One is a lightweight FTP client for Windows that only connects to one hard-coded server.
The other is an Objective-C game that lets users create level packs and use passwords to save them. They can be played without a password, but not opened in the level editor. I’m encrypting the passwords with AES, but I have to somehow save the password for decryption.
The only idea I’ve found so far is saving the password not as one string, but as multiple strings. This could work really well for the game because I could just connect strings that are already there. Or I could save it as a long string and use a secret algorithm to get the password out of that string – although that begs the question: can C apps on Windows or Cocoa apps on OS X simply be decompiled to find that algorithm?
Are there more secure ways to do that?
String literals are usually retained and stored somewhere in the binary even in compiled C source.
What you could do is a similar method to how (properly implemented) web apps validate login information where that info is stored in a database. Just store the password in hashed form. Often, the method is to use MD5 + salt (here is a description and some sample PHP code). What you can do is instead of transmitting or storing the plaintext password, just hash the user input and check the hash against the stored hash value. Matching hashes corresponds to matching passwords.
EDIT
This won’t help with the FTP server case though, since you cannot modify its source code…
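To make the answer's suggestion concrete for the level-pack case, here is an added example (not code from the question or the answer) that stores only a salt and a hash in the pack and verifies the entered password by re-hashing it. It uses Python's standard-library `hashlib.pbkdf2_hmac` with SHA-256 in place of the MD5 + salt the answer mentions, and an assumed iteration count; the `make_record` / `verify` names, the dict layout and the sample password are constructed for the example. The point it demonstrates is that nothing written into the pack is a secret, so there is no decryption key to hide in the binary.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Assumed work factor for the example; not a value from the original answer.
ITERATIONS = 200_000


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the data the level editor writes into a pack.

    Only the salt, the hash and the work factor are stored. None of these
    reveals the password, so the pack file contains no secret to protect.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per pack
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, attempt: str) -> bool:
    """Re-hash the user's input with the stored salt and compare to the stored hash.

    compare_digest runs in constant time, so a wrong guess cannot be
    distinguished by how quickly the comparison fails.
    """
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def leaks_password(record: dict, password: str) -> bool:
    """True if the plaintext password appears anywhere in the serialised record."""
    return password in json.dumps(record)


if __name__ == "__main__":
    # Constructed sample: the editor saves a pack with this password.
    record = make_record("green-castle-7")
    print("stored in pack:", json.dumps(record))
    print("correct password accepted:", verify(record, "green-castle-7"))
    print("wrong password rejected:", not verify(record, "green-castle-8"))
```

The game can load and play a pack without ever calling `verify`; only the level editor checks the password before opening the pack for editing. Because the pack holds a hash rather than AES-encrypted data, there is no key that a decompiler could pull out of the game binary.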