Ariyan

Reputation: 15158

Security of database passwords (and other important private strings) in a Java application

As you know, anyone can access strings in a native application using a hex editor.
In a Java application it is possible to decompile the bytecode and access strings and other things (like application logic).
Now, when I'm connecting to a database, my password is stored in the application strings.
How can I protect these strings (passwords, ...) against hex editors and decompilation?

Thanks

Upvotes: 0

Views: 163

Answers (1)

Affe

Reputation: 47984

Nothing you release to the public is private. There is no protection scheme that a sufficiently motivated attacker cannot break. If anybody had one, they'd be making millions selling it to Hollywood! (Plenty of people are making millions selling ones that don't work...)

You have three basic options:

1) Design the database with procedures and permissions such that having the direct login doesn't allow the user to do anything they couldn't have done through the application anyway.

2) Tie user accounts to database accounts and have users log in with their own username.

3) Put an application server in front of the database. Your client connects to the application server and calls service methods on it. So only those functions you expose on the app server are exposed to the public. This is the standard way of doing things.

Upvotes: 4
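A sketch of option 1, added here as an illustration and not part of the answer above: the login that ships inside the client can only call one stored function and has no privileges on the table behind it. It assumes PostgreSQL and is run by a superuser; the role, schema, table and function names and the password are constructed for the example.

```sql
-- Hypothetical names throughout; the password is a constructed placeholder.
CREATE ROLE app_owner NOLOGIN;                                  -- owns the data, cannot log in
CREATE ROLE app_client LOGIN PASSWORD 'shipped-in-the-client';  -- assume this one leaks

CREATE SCHEMA app AUTHORIZATION app_owner;

CREATE TABLE app.orders (
    id          bigserial PRIMARY KEY,
    customer_id integer NOT NULL,
    item        text    NOT NULL,
    quantity    integer NOT NULL CHECK (quantity BETWEEN 1 AND 100)
);
ALTER TABLE app.orders OWNER TO app_owner;

-- The only operation the client is meant to perform. SECURITY DEFINER makes
-- the body run with the owner's rights, so the caller needs no table grants.
-- Pinning search_path keeps a caller from substituting its own objects.
CREATE FUNCTION app.place_order(p_customer integer, p_item text, p_qty integer)
RETURNS bigint
LANGUAGE sql
SECURITY DEFINER
SET search_path = app, pg_temp
AS $$
    INSERT INTO app.orders (customer_id, item, quantity)
    VALUES (p_customer, p_item, p_qty)
    RETURNING id;
$$;
ALTER FUNCTION app.place_order(integer, text, integer) OWNER TO app_owner;

-- Functions are executable by PUBLIC by default: remove that, then grant
-- the leaked-by-design login exactly one entry point.
REVOKE ALL ON FUNCTION app.place_order(integer, text, integer) FROM PUBLIC;
GRANT USAGE ON SCHEMA app TO app_client;
GRANT EXECUTE ON FUNCTION app.place_order(integer, text, integer) TO app_client;

-- Check the boundary as the client role.
SET ROLE app_client;
SELECT app.place_order(42, 'widget', 2);   -- allowed: the exposed operation
-- A direct read is refused, because app_client holds no privilege on the table:
SELECT * FROM app.orders;
RESET ROLE;
```

The function's own argument checks and the table constraints become the whole security boundary here, so anything the application enforces only in client code has to be repeated in them.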
