How to protect SFTP password in APK?

Question

How to protect SFTP password in APK?

I am developing an Android application that has a service for uploading images / files to an FTP server. To do this, the application must be connected to the FTP server before sending data. And here is my problem. The user should not / should know about ftp login data. Only the application itself. I have to store login data in a Java class. But how can I protect the user and password. I could hide it or confuse it. But I think that a hacker could read the password at runtime when the JVM is called with the setPassword (passwordString) method:

String passwordString = "myPass";

JSch ssh = new JSch();
session = ssh.getSession(SFTP_USER, HOST_ADDRESS, 22);
session.setPassword(passwordString);

So, how can I store my credentials in the APK and protect them? I do not want anyone accessing my FTP server.

thank

+4

java android security credentials sftp

Devalex Sep 19 '14 at 20:57

source share

1 answer

Barend · Accepted Answer · 2014-09-19T21:31:29+0000

How can I store my credentials in the APK and protect them? I do not want anyone accessing my FTP server.

The stated problem cannot be resolved.

It doesn't matter how smart your obfuscation technique is, if you hide the fixed credentials in an APK file, then someone who analyzes your application will find them.

If you take only one thing from this answer, let it be with a single static password for your server, this is very problematic , since you can never change the password server because you broke all the applications. It will be a matter of time before your password becomes public, and there is nothing you can do about it.

.

, , . - Google+ Facebook Connect .

, , , ( ), - Google, push-, , KeyChain, , , . - APK , . , , .

, , , SSL- . , -.

How to protect SFTP password in APK?

More articles: