在Java中混淆​​连接字符串

Question

I've made a little program with Java and the library ojdbc14. I've obfuscated with proguard the jar file but if I unzip the program and I check some classes I see easily the connection string of my database connection. Someone could help to obfuscate these connection string? Thanks and sorry for my English!

Answer 1

One easy solution would be to base64 encode the string literal and unencode it when you need to use it. That way, it wouldn't be visible in plain text.

The Apache Commons library has a utility you can use, and it's built in to Java 8 .

Answer 2

Instead of

String secret = "secret";

do

String alpha = "sce"; // odd letters
String beta = "fsu"; // even letters + 1
StringBuilder secret = new StringBuilder();
for (int i = 0; i < alpha.length() + beta.length(); ++i) {
    if (i % 2 == 1) {
        secret.append(alpha.charAt(i / 2);
    } else {
        secret.append((char)(beta.charAt(i / 2) - 1);
    }
}

You get the idea.

Answer 3

I suggest you encrypt your connection string and keep the secret key outside the JAR. Make your program code contain a byte[] initialized with the encrypted bytes.

If you don't want any secret key external to the JAR, then your only option is "security through obscurity". You can, for example, devise some seemingly complex routine which will produce the encryption key at runtime. For example, seed the random number generator with a fixed seed, then take a few numbers from it.

A poor man's encryption approach is a simple XOR. You can generate the fixed pseudorandom sequence and use that to XOR each byte of your connection string:

byte[] password = "password".getBytes(StandardCharsets.UTF_8);
Random rnd = new Random(204862727);
for (int i = 0; i < password.length; i++)
  password[i] ^= rnd.nextInt();
// at this point password contains bytes which you would hardcode into your JAR
System.out.println("Encrypted: "+new String(password, StandardCharsets.UTF_8));
rnd = new Random(204862727);
for (int i = 0; i < password.length; i++)
  password[i] ^= rnd.nextInt();
System.out.println("Decrypted: "+new String(password, StandardCharsets.UTF_8));

On my system, this prints

Encrypted: �ع�gO�
Decrypted: password

Answer 4

Obfuscation has the sole purpose of not letting others easily steal your code. After the binary has been obfuscated, another programmer will find it more difficult to modify and resell your code, or make your program behave differently than you intended (by the way, Proguard also removes dead code, and probably makes other optimizations I cannot recall just now).

There's no value in hiding constants in source code. You could find billions of fancy ways, but what's the purpose? Once the attacker has the code, it will not inspect thousands of .class files: instead, if all she wants is seeing the connection string, she will just attach a debugger. set a breakpoint (the JDBC stack is not obfuscated) and wait for your program to reconstruct the connection string.

Obfuscation is not encryption. If you don't want to ship the connection string with your app (maybe because it contains a secret), then just require the secret to the user interactively at boot time, or read from some location which is marked "safe".