simple ways to hide java data files from curious users


K

Krick

Are there any simple ways to hide configuration files in my java
application from curious users?

Assume that my program loads a plain ascii text "key" file on startup
(properties, XML, ini, etc...) that determines what features of the
program are "unlocked" and available to the user.

How can I hide this file?

So far, I can only come up with two options...

1) leave it all plain text put a CRC code in the file to detect
changes

2) scramble/encode/encrypt the file in some way

3) put the file inside a "key" jar.


#1 is pretty trivial to implement but probably gives away too much of
the inner workings of the program

#2 is harder to implement but probably more secure

#3 really isn't much of a deterrent unless there is a way to password
protect the jar. However, I don't think java is capable of opening
password protected jar files.

The bottom line is that the target audience for the application is not
a particular computer savvy bunch so I doubt that there will be much
"hacking" going on. I just want to make it a little more difficult to
hack than just opening the file in notepad and changing things.


....
Krick
 
Ad

Advertisements

N

nos

Krick said:
Are there any simple ways to hide configuration files in my java
application from curious users?

Assume that my program loads a plain ascii text "key" file on startup
(properties, XML, ini, etc...) that determines what features of the
program are "unlocked" and available to the user.

How can I hide this file?

So far, I can only come up with two options...

1) leave it all plain text put a CRC code in the file to detect
changes

2) scramble/encode/encrypt the file in some way

3) put the file inside a "key" jar.


#1 is pretty trivial to implement but probably gives away too much of
the inner workings of the program

#2 is harder to implement but probably more secure

#3 really isn't much of a deterrent unless there is a way to password
protect the jar. However, I don't think java is capable of opening
password protected jar files.

The bottom line is that the target audience for the application is not
a particular computer savvy bunch so I doubt that there will be much
"hacking" going on. I just want to make it a little more difficult to
hack than just opening the file in notepad and changing things.


...
Krick

you can translate it to base64
 
T

Tim Ward

Krick said:
The bottom line is that the target audience for the application is not
a particular computer savvy bunch so I doubt that there will be much
"hacking" going on. I just want to make it a little more difficult to
hack than just opening the file in notepad and changing things.

(1) Include a checksum in the text file, don't publish the algorithm.

(2) On reading the file verify the checksum.

(3) If it's different put up a message telling the user to
- print off this form, which is a warranty disclaimer and an acceptance that
they've just broken their support contract
- get their boss to sign it
- snail-mail it to you
- wait for you to snail-mail back an activation password
at which point the application will continue running.

(MS used to do something with checksums for some of their text files that
weren't supposed to be user editable. They've given up. I can now edit the
files - this is an improvement.)
 
C

Chris Smith

Krick said:
So far, I can only come up with two options...

1) leave it all plain text put a CRC code in the file to detect
changes

2) scramble/encode/encrypt the file in some way

3) put the file inside a "key" jar.

Depends on your requirements. Since you're describing your audience as
not very computer-saavy (and assuming that's not going to change as the
software evovles) I suspect any of the above would be fine. If you
don't know that, then all normal warnings about client-side security
will apply.

--
www.designacourse.com
The Easiest Way to Train Anyone... Anywhere.

Chris Smith - Lead Software Developer/Technical Trainer
MindIQ Corporation
 
N

nos

Chris Smith said:
Depends on your requirements. Since you're describing your audience as
not very computer-saavy (and assuming that's not going to change as the
software evovles) I suspect any of the above would be fine. If you
don't know that, then all normal warnings about client-side security
will apply.

--
www.designacourse.com
The Easiest Way to Train Anyone... Anywhere.

Chris Smith - Lead Software Developer/Technical Trainer
MindIQ Corporation

you can also try rot-13 if they don't have emacs
 
J

Jayaram

Are there any simple ways to hide configuration files in my java
application from curious users?

Assume that my program loads a plain ascii text "key" file on startup
(properties, XML, ini, etc...) that determines what features of the
program are "unlocked" and available to the user.

How can I hide this file?

So far, I can only come up with two options...

1) leave it all plain text put a CRC code in the file to detect
changes

2) scramble/encode/encrypt the file in some way

3) put the file inside a "key" jar.


#1 is pretty trivial to implement but probably gives away too much of
the inner workings of the program

#2 is harder to implement but probably more secure

#3 really isn't much of a deterrent unless there is a way to password
protect the jar. However, I don't think java is capable of opening
password protected jar files.

The bottom line is that the target audience for the application is not
a particular computer savvy bunch so I doubt that there will be much
"hacking" going on. I just want to make it a little more difficult to
hack than just opening the file in notepad and changing things.


...
Krick

# 2 is not too hard to implement.
Create a JAVA class having placeholders for all your configuration
parameters. Construt an object of the class with the required
settings, serialize it and dump it into a file.
Read the contents of the file back into the JAVA object upon pogram
startup.
Hava a look at java.io.Serializable, java.io_ObjectOutputStream and
java.io_ObjectInputStream.
Regards,
Jayaram
 
Ad

Advertisements

N

nos

Jayaram said:
(e-mail address removed) (Krick) wrote in message

# 2 is not too hard to implement.
Create a JAVA class having placeholders for all your configuration
parameters. Construt an object of the class with the required
settings, serialize it and dump it into a file.
Read the contents of the file back into the JAVA object upon pogram
startup.
Hava a look at java.io.Serializable, java.io_ObjectOutputStream and
java.io_ObjectInputStream.
Regards,
Jayaram

A sage once told me this:
Use binary, convert all the ones to zeros then remove repeated zeros
and output the result.
 
D

Dale King

Krick said:
Are there any simple ways to hide configuration files in my java
application from curious users?

Assume that my program loads a plain ascii text "key" file on startup
(properties, XML, ini, etc...) that determines what features of the
program are "unlocked" and available to the user.

How can I hide this file?

I gather that your purpose is not necessarily to make sure that the file is
not modified not so much to keep someone from seeing the contents.
So far, I can only come up with two options...

I count three ;-)
1) leave it all plain text put a CRC code in the file to detect
changes

2) scramble/encode/encrypt the file in some way

3) put the file inside a "key" jar.

#1 is pretty trivial to implement but probably gives away too much of
the inner workings of the program

#2 is harder to implement but probably more secure

#3 really isn't much of a deterrent unless there is a way to password
protect the jar. However, I don't think java is capable of opening
password protected jar files.

The answer is sort of a combination of 1 & 3. You add #2 if you want but
that is not necessary to detect modification. The answer is to put it in the
jar and sign the jar. Signing the jar generates digest entries which are
secure hashes of the files. The JVM will verify those and should refuse to
run your application.

See:
http://java.sun.com/docs/books/tutorial/jar/sign/index.html
http://java.sun.com/docs/books/tutorial/security1.2/index.html
 
Ad

Advertisements

J

Jon A. Cruz

Krick said:
The bottom line is that the target audience for the application is not
a particular computer savvy bunch so I doubt that there will be much
"hacking" going on. I just want to make it a little more difficult to
hack than just opening the file in notepad and changing things.

Just remember, all it takes is for one person to figure out the 'secret'
and start a 'tool' going around to the users.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top