How to protect ftp account information in the source code of a program
I wrote a game which stores high score information on an ftp server. In the source code I need to write out the ftp link with the account name and password in it. For example:

url = new URL("ftp://name:[email protected]/");

This is Java, btw. In the class file strings are preserved as they are written in the source code. So if someone were able to read the class file they could find this string, with the user name and password in plain sight, as plain as sight gets in a class file anyway. What would be an appropriate way to secure the user name and password?

Edit: I made an encryption class in Java and replaced the name and password with calls to the encrypter with an encrypted user name and password, for example:

url = new URL("ftp://Crypter.crypt("q345uih34",3)+:+Crypter.crypt("nfk3iugr29o8",-2)[email protected]/");

Would this be sufficient? And I wasn't sure if obfuscation was the best solution though.
Answer:
There are a number of attack vectors in this scenario, so just hiding the password will not help:

- any code that you give away to people can be manipulated. This means that an attacker can just set his high score to an arbitrary value
- ftp, in the way you use it, is unencrypted, so the complete communication will show up in a network sniffer such as http://www.wireshark.org/
- the attacker can just set a breakpoint on the constructor of the URL class (very simple but a bit annoying because there are usually many calls to new URL())
- the attacker can decompile the code (http://www.varaneckas.com/jad) and search for "new URL"; obfuscating will not help because this method is part of the Java API and therefore cannot be obfuscated. If he cannot understand the source code, he can add debug output or just place the breakpoint at a better place.
- the attacker can use byte code enhancing to add a logging message to the constructor of the URL class

So it does not really matter how and where you hide your ftp password.

The only good solution is to have a server which does the highscore calculation itself (and even this way has the issue of bots).

You should at least use a protocol that supports encryption (https, sftp, ftps).

You need to ensure that someone who learns the credentials cannot destroy the high score data of other users. This can be done by tight permissions that allow only the creation of new files in the ftps/sftp-server or by using a web application that accepts the data and stores it itself.
Ratz at Information Security
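The "web application that accepts the data and stores it itself" from the answer above, sketched as an added example (not code from the original post or its author): the game ships no account credentials and can only ask the server to append one validated line. The class name ScoreServer, the /scores path, the scores.log file, the "name,score" body format and the score limit are assumptions; as the answer notes, this does not stop a manipulated client from submitting a made-up score.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.regex.Pattern;

// Added example: append-only score endpoint, no delete or overwrite operation exists.
public class ScoreServer {
    static final Path STORE = Path.of("scores.log");            // assumed file name
    static final Pattern NAME = Pattern.compile("[A-Za-z0-9_]{1,16}");
    static final long MAX_SCORE = 1_000_000;                     // assumed game limit

    // Returns the normalized line to store, or null if the submission is rejected.
    static String validate(String body) {
        String[] parts = body.trim().split(",", -1);             // expected: name,score
        if (parts.length != 2 || !NAME.matcher(parts[0]).matches()) return null;
        try {
            long score = Long.parseLong(parts[1]);
            // Re-serialize the number so only plain ASCII digits reach the file.
            return (score < 0 || score > MAX_SCORE) ? null : parts[0] + "," + score;
        } catch (NumberFormatException e) {
            return null;
        }
    }

    static void handle(HttpExchange ex) throws IOException {
        int status = 405;                                         // only POST creates data
        if ("POST".equals(ex.getRequestMethod())) {
            byte[] raw = ex.getRequestBody().readNBytes(65);      // cap what we read
            String line = raw.length > 64 ? null : validate(new String(raw, StandardCharsets.UTF_8));
            status = (line == null) ? 400 : 201;
            if (line != null) {
                synchronized (STORE) {                            // one writer at a time
                    Files.writeString(STORE, line + "\n", StandardOpenOption.CREATE, StandardOpenOption.APPEND);
                }
            }
        }
        ex.sendResponseHeaders(status, -1);                       // -1: no response body
        ex.close();
    }

    public static void main(String[] args) throws IOException {
        // Plain HTTP on localhost for the demo; serve it over HTTPS in production.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8080), 0);
        server.createContext("/scores", ScoreServer::handle);
        server.start();
    }
}
```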
Other answers
FTP is probably the wrong way to go about this. It's a clear text protocol so anyone with a sniffer can intercept the authentication request and extract the credentials, no matter how much you obfuscate them in the program.
john
Why can't you just send some key/value pairs to your server as a $post request with some sort of authentication to ensure it's not manipulated?
niggles
Heavy obfuscation; Google suggests breaking any potentially important information into chunks and storing it in random places. I'd just suggest making a really simple database, with a really simple web app. App Engine has a free quota based Java web hosting. There are other free web hosts that will do what you need. Storing credentials in a program however WILL bite you in the ass.
Sparksis