safe password storing in compiled app

I have a user name and password for a web service that the app connects to. If I open the compiled app with HexEdit I can find the user name and password in plain text.
What would be the best way to hide these 2 parameters?

Obfuscation.
Store them with MD5, RSA or SHA; they are available in the Xojo framework:
http://developer.xojo.com/xojo-crypto

You can also find the RC4 algorithm on this forum.

[code]Public Function RC4(strData as String, strKey as String) as String
  ' RC4 is symmetric. That means you use the same function to decrypt as to encrypt.
  ' Adapted from http://forums.realsoftware.com/viewtopic.php?p=204303#p204303
  ' Note: this only obfuscates; the key ships in the same binary as the ciphertext.

  If strKey = "" Then
    ' an empty key would divide by zero below
    Dim e As New InvalidArgumentException
    e.Message = "RC4 key must not be empty"
    Raise e
  End If

  Dim MM As MemoryBlock = strData
  Dim MM2 As New MemoryBlock(LenB(strData))
  Dim memAsciiArray(255) As Integer   ' the S-box
  Dim memKeyArray(255) As Integer     ' key repeated to fill 256 entries
  Dim memJump As Integer = 0          ' RC4 "j"
  Dim memTemp As Integer
  Dim memY As Integer                 ' keystream byte
  Dim intKeyLength As Integer = LenB(strKey)
  Dim intIndex As Integer             ' RC4 "i"
  Dim intT As Integer
  Dim intX As Integer

  ' Key-scheduling algorithm (KSA)
  For intIndex = 0 To 255
    memKeyArray(intIndex) = AscB(MidB(strKey, (intIndex Mod intKeyLength) + 1, 1))
  Next

  For intIndex = 0 To 255
    memAsciiArray(intIndex) = intIndex
  Next

  For intIndex = 0 To 255
    memJump = (memJump + memAsciiArray(intIndex) + memKeyArray(intIndex)) Mod 256
    memTemp = memAsciiArray(intIndex)
    memAsciiArray(intIndex) = memAsciiArray(memJump)
    memAsciiArray(memJump) = memTemp
  Next

  intIndex = 0
  memJump = 0

  ' Pseudo-random generation (PRGA): XOR each byte with S[(S[i] + S[j]) mod 256]
  For intX = 1 To MM2.Size
    intIndex = (intIndex + 1) Mod 256
    memJump = (memJump + memAsciiArray(intIndex)) Mod 256
    memTemp = memAsciiArray(intIndex)
    memAsciiArray(intIndex) = memAsciiArray(memJump)
    memAsciiArray(memJump) = memTemp
    intT = (memAsciiArray(intIndex) + memAsciiArray(memJump)) Mod 256
    memY = memAsciiArray(intT)
    MM2.Byte(intX - 1) = Bitwise.BitXor(MM.Byte(intX - 1), memY)
  Next

  Return MM2
End Function
[/code]

You can also chop the name and password up into pieces.
Pad with rubbish characters.

It doesn't need to be complicated.

E.g. if your password is 27%@JgmHSJHGS

You can store KIJgmHSJHGS in one variable and PK27%@ in another, discard the first two characters and stitch the two parts back together.

It would be pretty unlikely that anyone would recognise those as passwords, unless your passwords are ‘Password1’

I will try both of these answers in one solution so strKey won’t be in plain text.
Perhaps I could join a few different variables, make an MD5 of them and use only a few parts of it as the password?

You only have to code it so it will be difficult for the average user to pirate it. This does not have to take a long time to achieve (minutes).

Joe Pirate will spend as much time as needed to break your anti-pirate measures, whatever time you waste creating your anti-piracy code.

So, keep it as simple as possible to not waste your valuable time.

Yes, this is true. I only don’t want to see passwords in plain text in the app.
If someone is determined to break the code, he will.

You can use the “Hide Serial Number” example that comes with the MBS Plugins.

e.g. it makes this from “Hello World”:

// "Hello World", "xx", 0, 0

[code]' only the n* variables carry the string; s*, e*, p*, product and serial are decoys
dim n7 as string="H"
dim s3 as integer=74
dim n8 as integer=108
dim s4 as integer=90
dim e5 as integer=0
dim e3 as integer=60
dim s1 as integer=0
dim e1 as integer=0
dim s5 as integer=0
dim name as string
dim e2 as integer=0
dim n4 as string="o"
dim n3 as integer=111
dim n11 as string="r"
dim n2 as integer=101
dim serial as integer
dim n5 as integer=32
dim p1 as integer=120
dim n6 as string="l"
dim p2 as integer=120
dim n1 as string="l"
dim e4 as integer=38
dim n10 as string="d"
dim product as string
dim n9 as integer=87
dim s2 as integer=0

name = n7+encodings.utf8.chr(n2)+encodings.utf8.chr(n8)+n6+encodings.utf8.chr(n3)+encodings.utf8.chr(n5)+encodings.utf8.chr(n9)+n4+n11+n1+n10
[/code]

As long as Xojo doesn’t optimize it all away, this could be difficult to debug.

Kem wrote an IDE script that obfuscates right in the IDE, you just select the text and run the IDE script.
I modified it a little bit for my own usage, and to correct the over-spacing in the output :wink:

I don’t know where the original post is, but here’s the IDE script: Kem’s Obfuscate.xojo_script

Personally I’d never put the entire thing in one method / property / constant.
Break it up so there are chunks in different places accessed via different mechanisms and ONLY assemble it for the VERY short time you ever need it, and destroy / overwrite that variable when you no longer need the password.
That way, unless someone is stepping through your code in LLDB / GDB, they won’t have it except for that very, very short time.

And watch Kem’s talk on basically hiding things in plain sight from XDC2015 (I think it was 2015 he did this talk).

But the reality is you should never store a password IN your code if you can avoid it

[quote=302577:@John Walker]I have a user name and password for a web service that the app connects to. If I open the compiled app with HexEdit I can find the user name and password in plain text.
What would be the best way to hide these 2 parameters?[/quote]

Does it actually matter??? If I can get your binary I have your credentials in any case and can access the service. Once I have the binary, a network sniffer and perhaps having to base64 decode the strings will most likely get me the credentials as well.

You have 1 option: Don’t do what you’re trying to do. It won’t help in any way. A network sniffer will get your credentials in no time.

Best thing to do: Create an intermediate service (like a server app or a REST API). You communicate with your own API, and your API (running on a remote computer) uses the web service with the credentials you’re trying to hide.

All other ‘ways of hiding’ will fail, always.

As a matter of principle, one should assume that a password inside code will always be found, no matter the precautions. Hackers are often very good, they are well organized, share their discoveries among their community, and have all the time they want to crack your patiently crafted code.

Do what you can to prevent regular users from accessing that. If the server you access is sensitive, don’t place the password in the code; find a way to pass the responsibility to connect on to the user, with one password for each user.

At any rate, the second you give access to a password protected server to the public, you know you are losing some security.

A determined hacker will get it.

Simply encrypt it to hide it from the casual and mid level hackers…

I have a simple web tool to do it here. Don’t worry, I don’t log anything. https://thezaz.com/code/obfuscate/

As everybody else has said, somebody that really wants to will get the string. All you can do is make it less obvious.

John

A couple more points… skip the MD5 idea; it’s a one-way hash and won’t help in storing your password (assuming you eventually want to recover the actual password).

Also, you didn’t say whether you’ll always know the password when you build your app, or whether you or your users will want/need to change it later. This obviously will affect how you encrypt the password and where you store it. Encrypting it and storing it in your prefs file can accommodate both requirements.

[quote=302766:@Joe Huber]A determined hacker will get it.

Simply encrypt it to hide it from the casual and mid level hackers…[/quote]

very true. But it comes down to the point of effort vs reward. If the effort required to get the serial number or password or whatever secret costs more than the reward, they will give up. If the effort is less than the value of the reward then they will go for it.

http://www.bkeeney.com/obfuscate/ is another way to obfuscate strings in your app. It’s free!

Thank you for the replies. This is an interesting topic. After reading everything you posted I’ve decided to try the following approach. I have an SQLite database which holds some parameters; I will encrypt it with a password and add the password for the service to it. The password for SQLite will be “hidden” in the app with an obfuscate function; after loading and using the password I will destroy it. This is pretty simple to achieve.
A network sniffer won’t help a lot since all communication is encrypted with SSL. I know it is still possible to get the password from memory the moment it is created, but it is a bit more difficult and involves a few more steps.

Thanks Bob, very nice tool, but there is a problem with accents…

Apart from trying to hide a password, there may be other methods if this is a critical application.

The major question to figure out a safe way is to clarify who may know the database pw and who may not.

E.g., may the people who are authorized to use the computer also know the db password? In that case, the pw could be stored in the Keychain (Mac only) or in some other way be encrypted on that Mac so that the user would have to enter a password to reveal the db password. That way, someone who steals the computer will not be able to figure out the db password unless he also knows the user’s access password to reveal it.

If the password should not even be known to the users, a SmartCard could be used to store the password, and then the program would read it from the smartcard when the password is needed. This, of course, would require some extra hardware, as well as someone who programs the smartcard accordingly.

Both methods, however, mean that an attacker could still find out the password if he’d install a program on that computer that traces the network traffic (because he’ll see it before it gets SSL-encrypted).

To make this even safer, the password would not be revealed on the user’s computer at all, but a remote computer would know it, and that remote computer would then perform the login with the web service. Then the challenge is to make sure that this remote computer cannot be hacked. Your program on the end user’s computer would then connect to this remote computer, and log in there with the usual methods. Of course, this also can get hacked if the attacker is one of the end users with a login to the remote computer or if the attacker gets such a login somehow. Again, a smartcard can make this safer at the cost of more hardware and programming efforts.
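The intermediate-service pattern recommended earlier in the thread and in the post above, as an added example (not code from any poster or the Xojo project): the shipped app carries only a per-user token for our own API, the upstream web-service credential lives only on the server, and each user can be revoked individually. Host names, header names, the token table and the credential value are all constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed sample data. Only OUR service issues these per-user tokens; the
# client app ships with one token, never the upstream password. Tokens are kept
# hashed so a copy of this table does not yield usable tokens.
_TOKEN_HASHES = {
    "alice": hashlib.sha256(b"alice-token-1234").hexdigest(),
    "bob": hashlib.sha256(b"bob-token-5678").hexdigest(),
}

# The upstream credential exists only on this server (in practice read from an
# environment variable or a secret store). Placeholder values, not real ones.
UPSTREAM_USER = "svc_user"
UPSTREAM_PASSWORD = "UPSTREAM-PASSWORD-PLACEHOLDER"
ALLOWED_PREFIXES = ("/reports/",)  # hypothetical allow-list of upstream paths


def token_valid(user, token):
    """Constant-time comparison of a presented token against the stored hash."""
    expected = _TOKEN_HASHES.get(user)
    if expected is None or token is None:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    return hmac.compare_digest(expected, presented)


def revoke(user):
    """Cutting off one user never requires rotating the upstream credential."""
    _TOKEN_HASHES.pop(user, None)


def handle_client_request(headers, path):
    """Return (status, upstream_call): the request this server would make on the
    client's behalf, or None when the client is refused. The upstream Authorization
    header is built here and is never part of what goes back to the client."""
    if not token_valid(headers.get("X-User"), headers.get("X-Token")):
        return 401, None
    if not path.startswith(ALLOWED_PREFIXES):
        return 403, None
    basic = base64.b64encode(f"{UPSTREAM_USER}:{UPSTREAM_PASSWORD}".encode()).decode()
    return 200, {
        "url": "https://upstream.example" + path,  # hypothetical upstream host
        "headers": {"Authorization": "Basic " + basic},
    }
```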