Android Question jRDC Security

[alyami]

When decompile APK file it was very easy to find jRDC server address and all SQL command name,

How can we secure this not to be disclosed?

 

[aeric]

There must be something wrong with your design.
You should write queries to allow read/write if the conditions are met such as checking for username and password.

 

[Erel]

1. You cannot really hide data inside your app.
2. All communication, including SSL, can be decrypted quite easily. It is a matter of installing a trusted certificate and a proxy.
This is true with any programming language.

 

[alyami]

I think you misunderstand me, I am talking about the APK file for Android, if a hacker get the APK file for jRDC App, he can easily decompile it then get all information needed to access data on server the way he likes.

this website decompile APK of your releases App, then produce all Java files of your source code where you can find everything

APK decompiler - decompile Android .apk ✓ ONLINE ✓

Decompile Android Apk applications and extract Java source code and resources ✓ ONLINE ✓

www.javadecompilers.com

you will get 2 folders:
resouces
soureces

your code will be at source\"Package name"
sources\b4a\"your app name"

b4xmainpage.java is where most of your code in, text format

try it

 

[Erel]

We both exactly understood you.

 

[Erel]

Think of a bank account. They will never rely on anything "secret" inside the client app.

If you are letting your users access sensitive data then you must authenticate your users. And do it correctly (on the server side).

 

[aeric]

The point is let say Bob extract your APK, he get the server URL and the names of the command. The command eg. "sql.LoginUser" does not provide the actual SQL command, as the actual command is stored at the server. If he is a registered user, of course he can execute the command and get back a result to let him access as his access. He is still unable to do other things what he not suppose to do. You can use encryption, restrict by user access control or roles, return a short live token or whatsoever to make it harder if you are concern. Bob doesn't have full access to the database such as Delete a table or updating other user's data. The queries or available commands must be very limited.

 

[knutf]

Based on Erel's original thread about jRDC2, it is not easy for me to understand how authentication on the server side should be done. Can someone please show an example. It is nice if the example is based on Erel's example.

 

[aeric]

Based on Erel's original thread about jRDC2, it is not easy for me to understand how authentication on the server side should be done. Can someone please show an example. It is nice if the example is based on Erel's example.

I suggest you start a new thread.

 

[knutf]

suggest you start a new thread.

It's here