问题
I'm developing an application which read some data from a db. The connection to the db is performed through standard login/password mechanism.
The problem is: how to store the db password? If I store it as a class member, it can be easily retrieved through a decompiling operation.
I think that obfuscation doesn't solve the problem, since a string password can be found easily also in obfuscated code .
Anyone has suggestions?
回答1:
Never hard-code passwords into your code. This was brought up recently in the Top 25 Most Dangerous Programming Mistakes
Hard-coding a secret account and password into your software is extremely convenient -- for skilled reverse engineers. If the password is the same across all your software, then every customer becomes vulnerable when that password inevitably becomes known. And because it's hard-coded, it's a huge pain to fix.
You should store configuration information, including passwords, in a separate file that the application reads when it starts. That is the only real way to prevent the password from leaking as a result of decompilation (never compile it into the binary to begin with).
See this wonderful answer for more detailed explanation : By William Brendel
回答2:
For a small and simple app where you don't want to involve a lot of other security measures, this should probably be a configuration option. When you deploy your application, it could read a configuration file where the database connection properties are specified. This means that application per se doesn't know the password, but you need to gain access to the server to find the password.
回答3:
Some datas should be configurable. Just now as you told, it may be a username and password or some common datas; Normally what we do is creating a property-configuration page. What I used to do is use an XML file, keep your password/username in some encrypted format. You can easily parse an XML to retrieve your password for connectivity.
This ensures the reliability that your passwords can be changed at any time. This refers not to passwords only. but any data that you use, which is to be configured from time to time.
来源:https://stackoverflow.com/questions/8195099/java-how-to-store-password-used-in-application