10

I wrote a game which stores high score information on an ftp server. In the source code I need to write out the ftp link with the account name and password in it.

For example:

url = new URL("ftp://name:password@www.mywebsite.com/");

This is Java, btw. In the class file strings are preserved as they are written in the source code. So if someone were able to read the class file they could find this string, ftp://name:password@www.mywebsite.com/, with the user name and password in plain sight, as plain as sight gets in a class file anyway.

What would be an appropriate way to secure the user name and password?

Edit:

I made an encryption class in Java and replaced the name and password with calls to the encrypter with an encrypted user name and password, for example:

url = new URL("ftp://" + Crypter.crypt("q345uih34", 3) + ":" + Crypter.crypt("nfk3iugr29o8", -2) + "@www.mywebsite.com/");

Would this be sufficient? And I wasn't sure if obfuscation was the best solution though.

Hendrik Brummermann
Ryan Stull
  • 1
    Rats, welcome to the site! – AviD Jul 07 '11 at 09:43
  • 3
    I will ask the question I do not see... Why are you storing highscore information on an FTP server instead of in a database? And using a webservice to make that submission. – Chad Jul 07 '11 at 14:58

4 Answers

18

There are a number of attack vectors in this scenario, so just hiding the password will not help:

  • any code that you give away to people can be manipulated. This means that an attacker can just set his high score to an arbitrary value
  • ftp, in the way you use it, is unencrypted, so the complete communication will show up in a network sniffer such as Wireshark
  • the attacker can just set a breakpoint on the constructor of the URL class (very simple but a bit annoying because there are usually many calls to new URL()).
  • the attacker can decompile the source code and search for "new URL", obfuscating will not help because this method is part of the Java API and therefore cannot be obfuscated. If he cannot understand the source code, he can add debug output or just place the breakpoint at a better place.
  • the attacker can use byte code enhancing to add a logging message to the constructor of the URL class

So it does not really matter how and where you hide your ftp password.

The only good solution is to have a server which does the highscore calculation itself (and even this way has the issue of bots). You should at least use a protocol that supports encryption (https, sftp, ftps). You need to ensure that someone who learns the credentials cannot destroy the high score data of other users. This can be done by tight permissions that allow only the creation of new files in the ftps/sftp-server or by using a web application that accepts the data and stores it itself.

Hendrik Brummermann
  • +1, but I don't think you meant ftps...? See http://security.stackexchange.com/questions/858/sftp-ftps-and-secureftp-differences-and-security-implications – AviD Jul 07 '11 at 09:47
  • I know the difference. I hate ftps for its firewall unfriendliness, that's why I named it last. – Hendrik Brummermann Jul 07 '11 at 10:17
  • Also - bundling the account information into built code means you cannot ever change the account or its password without redistributing all that code. This means that any break-in will be difficult, if not impossible, to recover from. – bethlakshmi Jul 11 '11 at 20:12
8

FTP is probably the wrong way to go about this. It's a clear text protocol so anyone with a sniffer can intercept the authentication request and extract the credentials, no matter how much you obfuscate them in the program.

john
  • Is there an alternative way of storing files online? – Ryan Stull Jul 07 '11 at 03:51
  • @Rats, why don't you store this information in part of the application's persistent state (e.g., a database, or a file on the filesystem)? – D.W. Jul 07 '11 at 04:21
  • 1
    @Rats, if it has to be online storage, SFTP or ssh+ftp are more secure ways of getting content. However, I would refrain from using ssh+ftp if your credentials are not safe inside the software. – Mike Jul 07 '11 at 08:54
  • 1
    @mike @rats If you have the option, set up an RSA public/private keypair that the program can use to connect with SFTP to the server. That way the source code can't tell them anything beyond - at *best* - where to look for the key. They'd still have to compromise the actual server to get to it. – Shadur Jul 07 '11 at 12:03
  • @Shadur That's actually a great idea! – Mike Jul 07 '11 at 13:24
  • @Shadur but the keys would still be accessible to the client? – AviD Jul 08 '11 at 08:33
3

Why can't you just send some key/value pairs to your server as a $post request with some sort of authentication to ensure it's not manipulated?

niggles
  • Hi @niggles, welcome to the site. You are on the right track, attempting to ensure the integrity of the transmission, but an HTTP POST provides no more security than FTP RETR. The question calls for a method of transmitting data to a remote server without exposing the credentials for access. – this.josh Jul 07 '11 at 06:32
  • I would even forgo the authentication, just have anonymous posts, and store those (after validation, of course). This assumes that "cheating" won't be a terrible issue, if it is then you'd need to have users login to the site with their own passwords. – AviD Jul 07 '11 at 09:49
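Hendrik Brummermann's answer (a web application that accepts the data and stores it itself) and AviD's comment above (anonymous posts, stored after validation) describe the same design; the sketch below is an added example of it, not code from any of the posts. The class name, field names, name format, score ceiling, file name and port are all assumptions, and the game client ships with no credential at all.

```java
import com.sun.net.httpserver.*;
import java.io.IOException;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.regex.*;

public class ScoreServer {
    // Assumptions of this sketch: field names, name format, score ceiling, file, port.
    static final Pattern BODY =
            Pattern.compile("name=([A-Za-z0-9_]{1,16})&score=([0-9]{1,7})");
    static final long MAX_SCORE = 1_000_000;
    static final int MAX_BODY = 64;
    static final Path STORE = Path.of("scores.log");

    /** Returns the record to append, or null when the submission is rejected. */
    static String validate(String body) {
        Matcher m = BODY.matcher(body);
        if (!m.matches()) return null;              // wrong shape, extra fields, odd characters
        long score = Long.parseLong(m.group(2));
        return score > MAX_SCORE ? null : m.group(1) + "\t" + score + "\n";
    }

    static void handle(HttpExchange ex) throws IOException {
        int status = 405;                           // only POST is accepted
        if ("POST".equals(ex.getRequestMethod())) {
            byte[] raw = ex.getRequestBody().readNBytes(MAX_BODY + 1);
            String rec = raw.length > MAX_BODY ? null
                    : validate(new String(raw, StandardCharsets.UTF_8));
            status = (rec == null) ? 400 : 204;
            if (rec != null) {
                synchronized (ScoreServer.class) {  // append only: a client cannot edit or delete records
                    Files.writeString(STORE, rec, StandardOpenOption.CREATE, StandardOpenOption.APPEND);
                }
            }
        }
        ex.sendResponseHeaders(status, -1);         // -1: no response body
        ex.close();
    }

    public static void main(String[] args) throws IOException {
        // Bound to loopback on the assumption that a TLS-terminating proxy sits in front.
        HttpServer s = HttpServer.create(new InetSocketAddress(InetAddress.getLoopbackAddress(), 8080), 0);
        s.createContext("/score", ScoreServer::handle);
        s.start();
    }
}
```

Validation here only bounds what can be stored; as the first answer notes, a score that is merely plausible can still be forged unless the server computes it itself.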
-2

Heavy obfuscation, Google suggestion breaking any potentially important information into chunks and storing it in random places. I'd just suggest making a really simple database, with a really simple web app. App Engine has a free quota based Java web hosting. There are other free web hosts that will do what you need.

Storing credentials in a program however WILL bite you in the ass.

Colton
  • 8
    Hi @Sparksis, welcome to the site. I appreciate your attempt to contribute, but your answer is weak from a security perspective. Obfuscation tends to require just as much work as more secure solutions and provides much less benefit. Your solution introduces additional components without considering the security required for each component. Databases need security and web applications need security. However you are correct that it is bad practice to store credentials in a program. – this.josh Jul 07 '11 at 06:16