0

I'm looking for a way to open a JDBC connection without specifying my database login and password in plain text, as the application will be distributed and any Java decompiler would reveal them, allowing the users to access the database easily.

Is there any way to encrypt them, or store them somewhere else?

Improve this question

2 Answers 2

Reset to default
3

Looks like you want to let Android application talk to your database directly? Don't do that. It's a major security flaw. No matter how you encrypt your credential, you have to reveal your plain text somewhere during the execution of the program, and anyone with a debugger can see that. The correct way is to have use an API on your web service and call that API from client. All database transaction should happen in a trusted intranet.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

In connection to this I recommend using JSON messages sent through an encrypted (TLS/SSL) connection to a webserver, which then handles the request and sends back a response to the mobile device ("Success!", "John Johnson", "42", etc.).
1

Why would you want to do this? Generally the business side of your application would have this info and connect to MySQL. There, a user does not have access to any code. Then you create an endpoint that actually is accessible to the public. There you can worry about passing username and password stuff to the business logic, which again, actually has direct access to your database.

Basically, do not open a jdbc connection anywhere but your server side. Its a security measure.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.