In the future, I will be selling a jar file that contains 'sensitive' information (username/password) pertaining to a MySQL online server database. What's the best way to go about preventing that information from being uncovered via decompilation? I heard obfuscating is one option; I'd be interested to hear any ideas. Thanks.
You usually don't, because of the problem you mentioned yourself. No matter how good your obfuscation or whatever method you'll be using is, there's always a big security risk involved with distributing sensitive information. What you really want wouldn't be obfuscation of the Java code itself but rather obfuscation of the generated byte code, since a disassembly of the byte code won't necessarily result in your obfuscated Java code. It's also possible for someone to analyse the memory profile of your application, and since the password and username most likely will be assembled and passed to some kind of DB driver as strings, they'll be fully exposed at some point in memory.

http://en.wikibooks.org/wiki/X86_Disassembly/Code_Obfuscation

Furthermore, unless your DB host provides secure communication with the server, there's a chance your username and password will be sent as plain text to the server when the program establishes a connection and authenticates. This means that someone locally can intercept the credentials using a packet sniffer like Wireshark, and that they'll be exposed to anyone on the internet who happens to intercept the packet stream.

One of the common solutions is to have the program communicate with an API instead of interfacing directly with the database, HTTP-JSON for example. This also gives you better control of how the database is used, and you can provide extra protection against stuff like DDoS. Most web services (if not all) provide SQL connections over localhost, which also means your SQL credentials will be as safe as your server-side code and web host's security.
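The API-in-front-of-the-database pattern from the answer above, as an added example that is not from the original thread. Python stands in for both the server and the jar's client, sqlite3 stands in for MySQL so it runs offline, and the endpoint, table and environment variable names are assumptions.

```python
"""Constructed example: the shipped client never holds DB credentials.
The server you control holds them and exposes one narrow JSON operation."""
import json
import os
import sqlite3
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

# Server side: the DSN/credentials come from the server's environment
# (hypothetical variable name), never from a file handed to users.
DB_DSN = os.environ.get("APP_DB_DSN", ":memory:")

def open_db():
    conn = sqlite3.connect(DB_DSN, check_same_thread=False)
    conn.execute("CREATE TABLE IF NOT EXISTS scores (player TEXT PRIMARY KEY, score INTEGER)")
    conn.executemany("INSERT OR REPLACE INTO scores VALUES (?, ?)", [("alice", 42), ("bob", 7)])
    return conn

class ScoreHandler(BaseHTTPRequestHandler):
    db = open_db()

    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/score":          # the only operation the API offers
            self.send_error(404)
            return
        player = parse_qs(url.query).get("player", [""])[0]
        # Parameterised query: the client supplies a value, never SQL text.
        row = self.db.execute("SELECT score FROM scores WHERE player = ?", (player,)).fetchone()
        body = json.dumps({"player": player, "score": row[0] if row else None}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):         # keep the demo quiet
        pass

def start_server():
    srv = HTTPServer(("127.0.0.1", 0), ScoreHandler)   # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

# Client side: what the distributed jar does instead of opening a MySQL socket.
def fetch_score(base_url, player):
    with urllib.request.urlopen(f"{base_url}/score?{urlencode({'player': player})}") as resp:
        return json.load(resp)["score"]

if __name__ == "__main__":
    srv = start_server()
    print(fetch_score(f"http://127.0.0.1:{srv.server_port}", "alice"))   # 42
    srv.shutdown()
```

Because the client only ever sends a player name, an attacker who decompiles it learns the endpoint, not the database login, and the parameterised query keeps the name from being interpreted as SQL.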
I appreciate the well-thought-out answer. For now I'll probably get rid of the online database feature, and do something with file IO. Though it sounds fun, what one can do when you learn all that networking stuff.