I have a client application that connects to the server through a secure / SSL socket. The user must log in when the application starts. Right now, I have a requirement that I need to send the actual password to the server (encrypted over SSL) instead of the preferred method of sending the password hash. With that said, how can I safely store the password in client memory so that I can reuse this password if the client needs to reconnect to the server behind the scenes due to a lost connection?
I can easily encrypt the password or even put it in the KeyStore and get it later for reconnecting, however, even if I do, it seems to me that the hacker can get the password if he has access to the application in the debugger. Is it just a fact of life when you need to temporarily store a password on a client?
Is there a better / preferred way to achieve the same thing (for example, allowing the client to reconnect to the server without requiring the user to re-enter their password after the initial login)? Will the login login sent from the server expire (where can I transfer this expiring token back to the server instead of the password when reconnecting)?
Finally, in general, how easy is it for someone to connect a debugger to a running application on the Java or Android desktop when the application is correctly "devoid of" debugging symbols? Do I even need to worry about this case, or will Java protect my delivery application from using a debugger or other memory analyzer?
source
share