Okay, I apologize in advance for this question, as it is quite broad.
Basically, I am developing a system involving:
- A website where users can register an account. This process will create a new database on the server for that account.
- A client side external application written in Java. This will access the data in the database in order to perform useful operations for the user.
- The databases themselves which are created in the first point.
My question is about what security measures should be implemented in order to keep the databases secure and how to transfer data securely.
My concerns are:
- How is a MySQL database actually secured? When I create the database at the point of account registration, do I need to set a password for that database? Does this encrypt the database? Is this enough to prevent someone from accessing the data?
- Java is pretty easy to decompile. Assuming I am to store the log in data for an account database in a master database, how do I secure that database and connect to it from my application in a way which doesn’t require me to hard code the details for connecting to that database in the application. I believe this must be an issue in languages which are compiled to native code too, as someone could just perform a memory dump to get hold of such variables at run time of the application (I think).
- When sending and receiving data to the client from the server and vice versa, how do I prevent someone from network eavesdropping and getting hold of the data (whether this be log in credentials or other data from the database). I assume this is what SSL is for, but is that all I need to use?
A possible answer to these questions is to use a middle man service in between the Java client side application and the database, much the same way you would use PHP in between Javascript and a MySQL database (although the PHP is a necessity in this case). I assume this middle man service would contain the log in credentials for the master database etc. and would contain its own methods for preventing unauthorized access. If this is correct, how would I go about setting up such a service? Would it be possible to utilize a PHP script from a Java application to transfer data?
I hope my question makes sense and isn’t too ambiguous.
Thanks in advance for your time.
You are correct in assuming that your client application should never store database authentication information. It is far too easy to decompile a Java application to retrieve those connection strings.
Instead, as I think you understand, you should expose a web service providing the information your app requires. There are a few ways you can go about this. You could, for example, write a REST interface so that your clients make HTTP calls to your server and receive JSON or XML responses back. You could also write a Java RMI server that allows your client to make remote method calls on the server to find the information they need. Without a more specific question or constraints, I can’t really advise on which is more appropriate.