4

I have done some Android programming (self taught). I have started working on an app idea. The idea is pretty much that people with the app installed can post pictures/videos and text which can be seen by everyone with the app.

I have purchased hosting (working on making my own webpage), which has a lot of disk space, so I thought about using that. It seems pretty easy to add files using some sample FTP code I found online.

My biggest fear is in regards to security. Not as much about the files being put there (because anyone who installs the app will be able to see it anyway) but mostly if they would be able to get the server address, username and password in some way, which would give them access to add and remove other files from the hosting.

Is this a legitimate fear? Is there a danger of that? If yes, what should I look into as an alternative?

EDIT: Sorry if I wasn't very clear. My fear is if they could get their hands on my username and password, which would be somewhere in the Java code (and if so, how to avoid this).

Marshall
  • So you're worried about someone breaking into the server? Or the application. Can you try to reassemble your thoughts? I think I know what you're asking, but it's a little jumbled. – Ohnana Feb 23 '15 at 18:38
  • My fear is if they could get their hands on my username and password, which would be somewhere in the Java code (and if so, how to avoid this). – Marshall Feb 23 '15 at 18:50
  • I see. Can you edit your question to reflect that? That's a whole different ballgame :) – Ohnana Feb 23 '15 at 19:05

1 Answer

1

Easiest attack vector is to sniff the FTP traffic. As FTP is a plain-text protocol, anyone with a network sniffer or a compromised router, or on an open wifi, will be able to capture the app's FTP credentials without even breaking a sweat. So, make sure you use at least SFTP.

Jari Huttunen
  • 2
    And if you use SFTP the connectivity details can most likely be extracted from the apk. I would steer away from using global credentials in your app and stick to HTTP based form uploads. – wireghoul Feb 23 '15 at 19:51
  • Thanks guys. My hosting service wants an extra fee (outside my budget) for SSL. Therefore the HTTP seems like a good solution. What are the security concerns if I make it an HTTP-based upload? – Marshall Feb 24 '15 at 07:04
  • 1
    HTTP is as open as FTP so everybody can see what you are doing, steal accounts and upload files. SSL normally costs money but you can get a free SSL certificate yourself. Maybe your hoster will add this for free. – PiTheNumber Feb 25 '15 at 08:53
  • Other people seeing what you are uploading shouldn't be a problem, because they could always just download the app and see the pictures there. Could you explain what you mean by "steal accounts"? And about the other point (upload): Isn't there a way to make it so only the people with the app can upload files? – Marshall Feb 25 '15 at 10:47
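The thread's practical conclusion (wireghoul's comment: no global credentials baked into the app, HTTP form uploads instead; PiTheNumber's comment: over TLS) leaves open how the server side decides who may upload, which is the asker's last question. The following Python sketch is an added example, not code from the question or any answer, showing the server-side half of that design: the server signs a short-lived per-user token after the user signs in, verifies it on every upload, and checks the file's real type and size itself. The only secret lives on the server, so there is nothing in the APK worth extracting. All names (`SERVER_SECRET`, `handle_upload`, the header layout) are this example's own assumptions; the sample JPEG bytes are constructed.

```python
import hashlib
import hmac
import os

# Assumed deployment secret. It is generated on and never leaves the server;
# the app only ever sees tokens derived from it, so decompiling the APK
# yields nothing reusable.
SERVER_SECRET = os.urandom(32)

MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # assumed policy: 10 MiB per post

# Accepted types, recognised by their leading bytes rather than by the
# client-supplied filename or Content-Type, which an attacker controls.
ALLOWED_MAGIC = {
    b"\xff\xd8\xff": ("image/jpeg", ".jpg"),
    b"\x89PNG\r\n\x1a\n": ("image/png", ".png"),
}


def issue_upload_token(user_id: str, secret: bytes, now: int, ttl: int = 3600) -> str:
    """Issued by the server after a successful sign-in: user:expiry:HMAC."""
    if not user_id.isalnum():
        raise ValueError("user_id must be alphanumeric (token format uses ':')")
    expires = now + ttl
    payload = f"{user_id}:{expires}".encode()
    sig = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return f"{user_id}:{expires}:{sig}"


def verify_upload_token(token: str, secret: bytes, now: int):
    """Return the user_id if the token is genuine and unexpired, else None."""
    parts = token.split(":")
    if len(parts) != 3:
        return None
    user_id, expires_s, sig = parts
    try:
        expires = int(expires_s)
    except ValueError:
        return None
    if now > expires:
        return None
    expected = hmac.new(secret, f"{user_id}:{expires}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about the MAC.
    if not hmac.compare_digest(sig, expected):
        return None
    return user_id


def sniff_content_type(data: bytes):
    """Identify the upload by its magic bytes; None if it is not an allowed image."""
    for magic, info in ALLOWED_MAGIC.items():
        if data.startswith(magic):
            return info
    return None


def handle_upload(headers: dict, body: bytes, secret: bytes, now: int):
    """Decide whether one HTTP upload is accepted. Returns (status, detail)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing token"
    user_id = verify_upload_token(auth[len("Bearer "):], secret, now)
    if user_id is None:
        return 401, "invalid or expired token"
    if len(body) > MAX_UPLOAD_BYTES:
        return 413, "file too large"
    info = sniff_content_type(body)
    if info is None:
        return 415, "unsupported file type"
    _, ext = info
    # The server chooses the stored path; the client never supplies one, so
    # there is no filename to traverse with and no way to overwrite others' files.
    stored_name = hashlib.sha256(body).hexdigest()[:16] + ext
    return 200, f"{user_id}/{stored_name}"


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_upload_token("alice", SERVER_SECRET, now)
    sample_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 100  # constructed JPEG header
    print(handle_upload({"Authorization": "Bearer " + token}, sample_jpeg, SERVER_SECRET, now))
    print(handle_upload({}, sample_jpeg, SERVER_SECRET, now))
    print(handle_upload({"Authorization": "Bearer " + token}, b"MZ\x90\x00", SERVER_SECRET, now))
```

Two things the sketch leaves out are the sign-in step that hands out the token and TLS on the transport; without TLS the token can be captured in transit just as PiTheNumber describes for plain HTTP, although its short lifetime limits what a captured one is good for compared with a permanent FTP password.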