Reputation: 6003
I have a Clojure app that I will share with some people. There is a username and password predefined in the Clojure code. If someone gets the app and decompiles it, they might see the password. My only intention is to hide the password/username. What's the simple way to do it? I created the jar file using
lein uberjar
and then I send the standalone jar file as client code.
Upvotes: 0
Views: 392
Reputation: 14187
If you can't rely on an external service (no internet connection), you can store the hash of the password in a file of your uberjar.
; utility methods
(defn to-base64 [bytes]
  (.encodeToString (java.util.Base64/getEncoder) bytes))

; function to encrypt string formatted password
; note: this is a one-way digest, not encryption; the JDK resolves "SHA" to SHA-1
(defn encrypt-password [string]
  (let [sha (java.security.MessageDigest/getInstance "SHA")]
    (.update sha (.getBytes string "UTF-8"))
    (to-base64
      (.digest sha))))

; call this one time, to store the secret in encrypted form
; this would be part of your jar file, but regular users cannot
; (probably) decrypt this.
(defn save-password [secret-password]
  (spit
    "secret"
    (encrypt-password secret-password)))

; use this to validate the input
; Base64 is case-sensitive, so the two strings are compared exactly
(defn validate-password [input]
  (= (slurp "secret")
     (encrypt-password input)))
Finally, you can create and check passwords with the above methods:
(save-password "hello")
(validate-password "hello")
; true
(save-password "hellome!")
(validate-password "hello")
; false
Upvotes: 0
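A salted, iterated variant of the stored-hash check from the answer above, as an added example that is not part of the original answer: it derives the stored value with the JDK's PBKDF2WithHmacSHA256 and compares in constant time. The namespace, function names, record format and iteration count are assumptions of this example.

```clojure
(ns example.password-check
  (:require [clojure.string :as str])
  (:import (java.security MessageDigest SecureRandom)
           (java.util Base64)
           (javax.crypto SecretKeyFactory)
           (javax.crypto.spec PBEKeySpec)))

;; Assumed parameters for this example, not taken from the answer above.
(def iterations 210000)
(def key-bits 256)

(defn- pbkdf2
  "Derive a key from the password with PBKDF2-HMAC-SHA256 (JDK built-in)."
  ^bytes [^String password ^bytes salt n]
  (let [spec (PBEKeySpec. (.toCharArray password) salt (int n) (int key-bits))]
    (try
      (.getEncoded
        (.generateSecret (SecretKeyFactory/getInstance "PBKDF2WithHmacSHA256") spec))
      (finally
        (.clearPassword spec)))))   ; wipe the char[] copy held by the spec

(defn make-record
  "Run once at build time. Returns \"iterations:salt:hash\" (Base64 fields),
  which is what gets stored instead of the password itself."
  [^String password]
  (let [salt    (byte-array 16)
        encoder (Base64/getEncoder)]
    (.nextBytes (SecureRandom.) salt)   ; fresh random salt per record
    (str iterations ":"
         (.encodeToString encoder salt) ":"
         (.encodeToString encoder (pbkdf2 password salt iterations)))))

(defn valid-password?
  "Recompute the hash with the stored salt and iteration count, then compare
  the raw bytes with MessageDigest/isEqual (constant time, case-exact)."
  [^String record ^String input]
  (let [[n salt-b64 hash-b64] (str/split record #":")
        decoder  (Base64/getDecoder)
        expected (.decode decoder ^String hash-b64)
        actual   (pbkdf2 input (.decode decoder ^String salt-b64) (Integer/parseInt n))]
    (MessageDigest/isEqual expected actual)))

(comment
  ;; "hello" is a constructed sample password.
  (def record (make-record "hello"))
  (valid-password? record "hello")
  (valid-password? record "Hello"))
```

This only covers checking a password that a user types in; credentials the app itself must send to another system still have to exist in usable form on the client.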
Reputation: 14549
You cannot prevent decompilation; you can only obfuscate it. Depending on your security requirements, this may be adequate. Otherwise, you should really look at moving those sensitive username and password calls into an authenticated service that you control. If you update the question to give more info, we might be able to give more specific recommendations.
Upvotes: 1