Android Question using ftp in my app

ilan

Expert
Licensed User
Longtime User
hi

I have a question please. I am using FTP in my app and I need to enter my username and password to be able to upload files to my FTP server. My question is how to protect my password and username so it won't be that easy to get them from my app?

Should I put the username and password as global variables and use "Release (obfuscated)"?
Will that be enough to protect my username and password?

thanx, ilan
 

canalrun

Well-Known Member
Licensed User
Longtime User

This is a really good question. I have often wondered the same thing.

I found the following on the web:
Compliant Solution. This compliant solution retrieves the server IP address from an external file located in a secure directory,

Modifying this for B4A, maybe something like store the username and password in the DirDefaultInternal directory and then access it from that directory in code. But, this leaves several security holes:
  • How do you get it to that directory?
  • Someone could trace your code during execution and get the values.
  • And, I'm sure several others.
What is the preferred method to store and access hardcoded username/password values?

Barry.
 
Upvote 0

Erel

B4X founder
Staff member
Licensed User
Longtime User
should i put the username and password as global variables and use "Release (obfuscated)" ?
will that be enough to protect my username and password?
It will help protect from very simple (and popular) hacks. Nothing more.

FTP is not really a good solution if your app is not in a closed environment. A web service will give more control.
 
Upvote 0

j_o_h_n

Active Member
Licensed User
This probably adds very little, but I stored the FTP details in a local file encrypted with B4XCipher, and then the password for this is not stored in the program as a string
but rather is returned from a function where there is a series of statements like:
sPass = sPass & Chr(66)
 
Upvote 0

udg

Expert
Licensed User
Longtime User
@j_o_h_n : the function will then be the weak point.
Executing its code step-by-step, an attacker will end up with the needed password to decrypt your file; this way FTP credentials will be finally known.

A stronger approach could be to ask a remote server on an SSL connection for the FTP credentials. The requester should identify itself by a unique ID which should be recorded on the server to verify a match. This poses the problem: "how to define a unique ID and how to exchange it in the first place".

Another approach is to hide some info in a steganographic way; I seem to recall that @Informatix worked on a detailed document on this kind of approach in his ProBundle stuff.
 
Upvote 0

MarkusR

Well-Known Member
Licensed User
Longtime User
I would create an FTP user only for this app and give it permissions to an upload folder.
You need secure FTP or a VPN to hide the login if you use the WWW.
The login data I would encrypt in the code or a file.
You should also check that the FTP server you send the login to is yours.
 
Upvote 0

ilan

Expert
Licensed User
Longtime User
Just a thought (this goes to Erel).

It would be nice if the B4A commands for ftp.upload/download had different command names, or maybe it would be more awesome if we could define our own strings for any B4A function, maybe in an XML file, so instead of calling ftp.upload(x,x,x,x) we could rename it to excel.createfile(x,x,x,x).
It would be harder like this to understand the code and hack our information.

Is that possible? To let us choose how to call a function (define function names by ourselves?)

EDIT: If I were a hacker, the first thing I would look for in the code is a string with UPLOAD or DOWNLOAD, so without such a string it is harder to find the real function in the code ...
 
Upvote 0