Hide FTP Server password

This is exactly the purpose of the new code obfuscator included in v1.8: Android Code Obfuscation

You should declare the password in Sub Process_Globals. It will then be obfuscated.

thx for quick response.
Feedback: Problem solved, thx Erel.

Is your password hardcoded into your activity code then or is stored/encryted elsewhere in your application?

Martin.

For example i have an API key for the World Weather Online API and wouldn't want others to be able to decompile my application and then find and use my API key.

Is a password or API key best stored in a database or is that not secure?

Martin.

When your app contains the FTP password (encrypted or not, obfuscated or not) the password will be sent unencrypted over the network. When you put a netword sniffer one will be able to see the password anyway.

The only solution for this is to use any of the asymmetric encryption protocols such as SFTP.

Wim

But let's say i'm making a request to the World Weather Online API for JSON data regarding the weather.

My app needs to use my API key so is there any way of including my API key in my app without exposing it to a decompiler?

I realise a network sniffer program can always grab unencryted data.

Shall i start a new thread i wonder - i'll search the forum a bit first.

Thanks for the reply anyway.

Martin.

In short: no

the application CAN be decompiled: obfuscation will only make it (much) harder to pinpoint the location in code where the password is. You can also use some methods to create the password (eg: different methods that generate part of the password, which is then concatenated etc ...): when these methods are obfuscated they will no longer have a useful name (eg: "GetFirstPartOfPassword" will becoime "dsdsfsdfss1" - I don't know which obfuscation algorithms are being used, so this is just an example).

It can be to such an extend that network sniffing is easier than grabbing the password in code.

The only safe method is by using an assymmetric encryption algorithm, which basically boils down to:

- the server is generating a random string; being send to the app
- the app encrypts the random string using the public key and send this back to the server
- the server decrypts it again using a private key and check whether it matches.

The private and the public key are different: the app will only know the public key and based on the public key, the private key can not be generated.

But the standard FTP protocol does not support this.

Wim

Thanks for the detailed reply.

I'll shall have to think up some devious method of my own to protect the API key.

It's no great problem with the World Weather Online API - if anyone else used my key then the worst thing that could happen is that they'd exceed the usage quota and get my API key blocked.

Obviously passwords to FTP sites and similar need a higher degree of protection.

Martin.

In order to make use of the built-in string obfuscation feature you should make sure that all the "important" strings are declared in Process_Globals sub.