Thread: Protecting apps

  1. #1
    Registered User
    Join Date
    Feb 2010
    Posts
    4

    Protecting apps

    Hi,

    I'm interested in finding out what you guys are implementing to protect your apps from decompilation of jar files. I've read a lot about obfuscation in forums and other material.
    But the main problem is obfuscation does not help with strings. In my app I trade XML between app and the server. It also has a user/pass. How do I protect this from hackers trying to decompile it?

  2. #2
    Super Contributor
    Join Date
    Mar 2008
    Location
    The Capital of INDIA
    Posts
    4,328

    Re: Protecting apps

    Hello,

    As you share that you are not putting your XML inside the jar, then how will it be possible to have the XML out of the jar?
    Thanks with Regards,

    R a j - The K e r n e l


    Join Delhi-NCR Nokia Developer's Community,

  3. #3
    Registered User
    Join Date
    Feb 2010
    Posts
    4

    Re: Protecting apps

    Not sure I understand your reply, but the XML that I create is inside the jar as a string, which I then POST to the HTTPS secure server.

    The xml contains user/pass for authentication.

    For example:

    String xml_to_send = "<getAccount><appuser>testuser</appuser><apppass>testpass</apppass></getAccount>";
    this.posttohttpsserver(xml_to_send);

    Now if anyone decompiles even an obfuscated jar, the xml_to_send string would give away the XML data exchange format, user, pass etc. How do you protect this?

  4. #4
    Super Contributor
    Join Date
    Jun 2003
    Location
    Cheshire, UK
    Posts
    7,395

    Re: Protecting apps

    Storing a password in plain text is never a good idea. At the very least, you might want to encrypt it.

    Of course, even if you encrypt it, someone can decompile the code and discover the decryption algorithm. You can make this harder with obfuscation but, realistically, it doesn't make it much harder. And, someone could still run the application in an emulator and watch the network traffic to see what the app sends.

    Having the user input the password is the only really secure way.

    Graham.

  5. #5
    Super Contributor
    Join Date
    Mar 2008
    Location
    The Capital of INDIA
    Posts
    4,328

    Re: Protecting apps

    Hello,
    What I was saying is that you did not write that you are storing the XML inside the jar file. BTW, the user id and password or any other important information really must not be saved inside the jar file.

    What I have understood after reading your second post is that you are saving the information in the XML, and then at the time of calling the server URL, you are reading the same from the XML, or you are sending the complete XML to the server... correct?

    For that, why don't you let the user enter the user id and password after registering, and then send the same, after encrypting, to the server for validation?
    Thanks with Regards,

    R a j - The K e r n e l



  6. #6
    Registered User
    Join Date
    Feb 2010
    Posts
    4

    Re: Protecting apps

    Hi,

    User/pass is one of the problems. I want to hide the XML format and tags etc.
    I have two sets of user/pass - one that a user enters and one that the app has to send to the server to identify itself that is hardcoded. It is the second one I have a problem with.

    In other words, the app sends a user/pass along with the user/pass that the user entered; the server checks and then allows.

    Decompilation is a headache to protect against. Someone can decompile, make changes and attack the server after working out the XML format, tags, app user, app pass etc.

  7. #7
    Super Contributor
    Join Date
    Mar 2008
    Location
    The Capital of INDIA
    Posts
    4,328

    Re: Protecting apps

    Hello,

    app has to send to the server to identify itself that is hardcoded.
    I guess that this is the correct one and the one which will be used by the server to verify the user...correct.

    I think that you can send it through SMS: first you send the SMS with the correct user id and password, and then you send the entered one as usual.
    Does this make some sense?
    Thanks with Regards,

    R a j - The K e r n e l

