simple ways to hide java data files from curious users

Discussion in 'Java' started by Krick, Feb 26, 2004.

  1. Krick

    Krick Guest

    Are there any simple ways to hide configuration files in my java
    application from curious users?

    Assume that my program loads a plain ascii text "key" file on startup
    (properties, XML, ini, etc...) that determines what features of the
    program are "unlocked" and available to the user.

    How can I hide this file?

    So far, I can only come up with two options...

    1) leave it all plain text put a CRC code in the file to detect
    changes

    2) scramble/encode/encrypt the file in some way

    3) put the file inside a "key" jar.


    #1 is pretty trivial to implement but probably gives away too much of
    the inner workings of the program

    #2 is harder to implement but probably more secure

    #3 really isn't much of a deterrent unless there is a way to password
    protect the jar. However, I don't think java is capable of opening
    password protected jar files.

    The bottom line is that the target audience for the application is not
    a particular computer savvy bunch so I doubt that there will be much
    "hacking" going on. I just want to make it a little more difficult to
    hack than just opening the file in notepad and changing things.


    ....
    Krick
     
    Krick, Feb 26, 2004
    #1
    1. Advertising

  2. Krick

    nos Guest

    "Krick" <> wrote in message
    news:...
    > Are there any simple ways to hide configuration files in my java
    > application from curious users?
    >
    > Assume that my program loads a plain ascii text "key" file on startup
    > (properties, XML, ini, etc...) that determines what features of the
    > program are "unlocked" and available to the user.
    >
    > How can I hide this file?
    >
    > So far, I can only come up with two options...
    >
    > 1) leave it all plain text put a CRC code in the file to detect
    > changes
    >
    > 2) scramble/encode/encrypt the file in some way
    >
    > 3) put the file inside a "key" jar.
    >
    >
    > #1 is pretty trivial to implement but probably gives away too much of
    > the inner workings of the program
    >
    > #2 is harder to implement but probably more secure
    >
    > #3 really isn't much of a deterrent unless there is a way to password
    > protect the jar. However, I don't think java is capable of opening
    > password protected jar files.
    >
    > The bottom line is that the target audience for the application is not
    > a particular computer savvy bunch so I doubt that there will be much
    > "hacking" going on. I just want to make it a little more difficult to
    > hack than just opening the file in notepad and changing things.
    >
    >
    > ...
    > Krick


    you can translate it to base64
     
    nos, Feb 27, 2004
    #2
    1. Advertising

  3. Krick

    Tim Ward Guest

    "Krick" <> wrote in message
    news:...
    >
    > The bottom line is that the target audience for the application is not
    > a particular computer savvy bunch so I doubt that there will be much
    > "hacking" going on. I just want to make it a little more difficult to
    > hack than just opening the file in notepad and changing things.


    (1) Include a checksum in the text file, don't publish the algorithm.

    (2) On reading the file verify the checksum.

    (3) If it's different put up a message telling the user to
    - print off this form, which is a warranty disclaimer and an acceptance that
    they've just broken their support contract
    - get their boss to sign it
    - snail-mail it to you
    - wait for you to snail-mail back an activation password
    at which point the application will continue running.

    (MS used to do something with checksums for some of their text files that
    weren't supposed to be user editable. They've given up. I can now edit the
    files - this is an improvement.)

    --
    Tim Ward
    Brett Ward Limited - www.brettward.co.uk
     
    Tim Ward, Feb 27, 2004
    #3
  4. Krick

    Chris Smith Guest

    Krick wrote:
    > So far, I can only come up with two options...
    >
    > 1) leave it all plain text put a CRC code in the file to detect
    > changes
    >
    > 2) scramble/encode/encrypt the file in some way
    >
    > 3) put the file inside a "key" jar.


    Depends on your requirements. Since you're describing your audience as
    not very computer-saavy (and assuming that's not going to change as the
    software evovles) I suspect any of the above would be fine. If you
    don't know that, then all normal warnings about client-side security
    will apply.

    --
    www.designacourse.com
    The Easiest Way to Train Anyone... Anywhere.

    Chris Smith - Lead Software Developer/Technical Trainer
    MindIQ Corporation
     
    Chris Smith, Feb 27, 2004
    #4
  5. Krick

    nos Guest

    "Chris Smith" <> wrote in message
    news:4.net...
    > Krick wrote:
    > > So far, I can only come up with two options...
    > >
    > > 1) leave it all plain text put a CRC code in the file to detect
    > > changes
    > >
    > > 2) scramble/encode/encrypt the file in some way
    > >
    > > 3) put the file inside a "key" jar.

    >
    > Depends on your requirements. Since you're describing your audience as
    > not very computer-saavy (and assuming that's not going to change as the
    > software evovles) I suspect any of the above would be fine. If you
    > don't know that, then all normal warnings about client-side security
    > will apply.
    >
    > --
    > www.designacourse.com
    > The Easiest Way to Train Anyone... Anywhere.
    >
    > Chris Smith - Lead Software Developer/Technical Trainer
    > MindIQ Corporation


    you can also try rot-13 if they don't have emacs
     
    nos, Feb 27, 2004
    #5
  6. Krick

    Jayaram Guest

    (Krick) wrote in message news:<>...
    > Are there any simple ways to hide configuration files in my java
    > application from curious users?
    >
    > Assume that my program loads a plain ascii text "key" file on startup
    > (properties, XML, ini, etc...) that determines what features of the
    > program are "unlocked" and available to the user.
    >
    > How can I hide this file?
    >
    > So far, I can only come up with two options...
    >
    > 1) leave it all plain text put a CRC code in the file to detect
    > changes
    >
    > 2) scramble/encode/encrypt the file in some way
    >
    > 3) put the file inside a "key" jar.
    >
    >
    > #1 is pretty trivial to implement but probably gives away too much of
    > the inner workings of the program
    >
    > #2 is harder to implement but probably more secure
    >
    > #3 really isn't much of a deterrent unless there is a way to password
    > protect the jar. However, I don't think java is capable of opening
    > password protected jar files.
    >
    > The bottom line is that the target audience for the application is not
    > a particular computer savvy bunch so I doubt that there will be much
    > "hacking" going on. I just want to make it a little more difficult to
    > hack than just opening the file in notepad and changing things.
    >
    >
    > ...
    > Krick


    # 2 is not too hard to implement.
    Create a JAVA class having placeholders for all your configuration
    parameters. Construt an object of the class with the required
    settings, serialize it and dump it into a file.
    Read the contents of the file back into the JAVA object upon pogram
    startup.
    Hava a look at java.io.Serializable, java.io_ObjectOutputStream and
    java.io_ObjectInputStream.
    Regards,
    Jayaram
     
    Jayaram, Feb 27, 2004
    #6
  7. Krick

    nos Guest

    "Jayaram" <> wrote in message
    news:...
    > (Krick) wrote in message

    news:<>...
    > > Are there any simple ways to hide configuration files in my java
    > > application from curious users?
    > >
    > > Assume that my program loads a plain ascii text "key" file on startup
    > > (properties, XML, ini, etc...) that determines what features of the
    > > program are "unlocked" and available to the user.
    > >
    > > How can I hide this file?
    > >
    > > So far, I can only come up with two options...
    > >
    > > 1) leave it all plain text put a CRC code in the file to detect
    > > changes
    > >
    > > 2) scramble/encode/encrypt the file in some way
    > >
    > > 3) put the file inside a "key" jar.
    > >
    > >
    > > #1 is pretty trivial to implement but probably gives away too much of
    > > the inner workings of the program
    > >
    > > #2 is harder to implement but probably more secure
    > >
    > > #3 really isn't much of a deterrent unless there is a way to password
    > > protect the jar. However, I don't think java is capable of opening
    > > password protected jar files.
    > >
    > > The bottom line is that the target audience for the application is not
    > > a particular computer savvy bunch so I doubt that there will be much
    > > "hacking" going on. I just want to make it a little more difficult to
    > > hack than just opening the file in notepad and changing things.
    > >
    > >
    > > ...
    > > Krick

    >
    > # 2 is not too hard to implement.
    > Create a JAVA class having placeholders for all your configuration
    > parameters. Construt an object of the class with the required
    > settings, serialize it and dump it into a file.
    > Read the contents of the file back into the JAVA object upon pogram
    > startup.
    > Hava a look at java.io.Serializable, java.io_ObjectOutputStream and
    > java.io_ObjectInputStream.
    > Regards,
    > Jayaram


    A sage once told me this:
    Use binary, convert all the ones to zeros then remove repeated zeros
    and output the result.
     
    nos, Feb 27, 2004
    #7
  8. Krick

    Dale King Guest

    "Krick" <> wrote in message
    news:...
    > Are there any simple ways to hide configuration files in my java
    > application from curious users?
    >
    > Assume that my program loads a plain ascii text "key" file on startup
    > (properties, XML, ini, etc...) that determines what features of the
    > program are "unlocked" and available to the user.
    >
    > How can I hide this file?


    I gather that your purpose is not necessarily to make sure that the file is
    not modified not so much to keep someone from seeing the contents.

    > So far, I can only come up with two options...


    I count three ;-)

    > 1) leave it all plain text put a CRC code in the file to detect
    > changes
    >
    > 2) scramble/encode/encrypt the file in some way
    >
    > 3) put the file inside a "key" jar.
    >
    > #1 is pretty trivial to implement but probably gives away too much of
    > the inner workings of the program
    >
    > #2 is harder to implement but probably more secure
    >
    > #3 really isn't much of a deterrent unless there is a way to password
    > protect the jar. However, I don't think java is capable of opening
    > password protected jar files.


    The answer is sort of a combination of 1 & 3. You add #2 if you want but
    that is not necessary to detect modification. The answer is to put it in the
    jar and sign the jar. Signing the jar generates digest entries which are
    secure hashes of the files. The JVM will verify those and should refuse to
    run your application.

    See:
    http://java.sun.com/docs/books/tutorial/jar/sign/index.html
    http://java.sun.com/docs/books/tutorial/security1.2/index.html

    --
    Dale King
     
    Dale King, Feb 27, 2004
    #8
  9. Krick

    Jon A. Cruz Guest

    Krick wrote:
    > The bottom line is that the target audience for the application is not
    > a particular computer savvy bunch so I doubt that there will be much
    > "hacking" going on. I just want to make it a little more difficult to
    > hack than just opening the file in notepad and changing things.


    Just remember, all it takes is for one person to figure out the 'secret'
    and start a 'tool' going around to the users.
     
    Jon A. Cruz, Feb 28, 2004
    #9
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. contrex
    Replies:
    2
    Views:
    326
  2. Rodney Edmondson
    Replies:
    11
    Views:
    658
    Jeremy
    Dec 9, 2003
  3. Sam Iam
    Replies:
    6
    Views:
    3,991
    satdmail
    Jul 19, 2006
  4. codefire

    Curious issue with simple code

    codefire, Sep 19, 2006, in forum: Python
    Replies:
    10
    Views:
    455
    John Machin
    Sep 20, 2006
  5. Scott Sauyet

    Best ways to hide implementation details

    Scott Sauyet, Feb 2, 2010, in forum: Javascript
    Replies:
    17
    Views:
    223
    Scott Sauyet
    Feb 4, 2010
Loading...

Share This Page