Skip to content
Advertisement

How to secure an SFTP password in an APK file

I’m developing an Android app which has a service to upload images/files to a FTP server.

To make that possible, the app on the device has to log in into the FTP server before sending data.

And here comes my problem. The user does not need to / have to know about the FTP login data. Only the app itself. I have to store the login data in the Java class. But how should I secure the user and password?

I could encrypt it or obfuscate it. But I think it would be possible for a hacker to read the password at the runtime when the “setPassword(passwordString) methods is called by the JVM:

String passwordString = "myPass";

JSch ssh = new JSch();
session = ssh.getSession(SFTP_USER, HOST_ADDRESS, 22);
session.setPassword(passwordString);

So how could I store my credentials inside the APK file and secure them? I don’t want anyone to get access to my FTP server.

Advertisement

Answer

how could I store my credentials inside the APK file and secure them? I don’t want anyone to get access to my FTP server.

The stated problem cannot be solved.

It does not matter how clever your obfuscation technique is. If you hide fixed credentials in the APK file then someone who analyses your app is going to find them.

If you take only one thing from this answer, let it be that having a single, static password for your server is extremely problematic, as you’ll never be able to change the password server-side, because you’d break all the apps. It will be a matter of time before your password is public knowledge and there will be nothing you can do about it.

Any reasonable approach requires separate access credentials for every individual user.

A traditional user sign-up system that involves a confirmation email is a pretty good approach. You can use something like Google+ sign-in or Facebook Connect to minimize the hassle for the end user.

If you absolutely insist on having zero user interaction, an approach that might work (somewhat) is to have the app register for Google Cloud Messaging and then send it a push notification containing access credentials, which the app will store in the KeyChain.

If you generate a unique user ID and password for every app installation, you’ll be able to monitor the server and block any abusive access credentials without affecting any of the other users. If you somehow factor the code signing identity of the APK file into the process, you’ll have a basic defense against people repackaging your app. This approach will not protect you against an intelligent attacker, but it might raise the bar high enough for your purposes.

Also, regardless what you do, be sure to properly verify your server’s SSL certificate. If you don’t, an attacker will simply run your connection through a proxy server.

Advertisement