
Connecting To A Remote Database - Programming - Nairaland


Connecting To A Remote Database by Javanian: 1:19am On Aug 30, 2012
Hello guys, if I'm in a scenario where I am connecting to a remote database from my desktop or mobile application, I know I will need the database URL, user name and password. My question is, how can I hide this information in my application so that someone cannot decompile my application and extract such data... any ideas?
Re: Connecting To A Remote Database by Nobody: 3:10am On Aug 30, 2012
Javanian: Hello guys, if I'm in a scenario where I am connecting to a remote database from my desktop or mobile application, I know I will need the database URL, user name and password. My question is, how can I hide this information in my application so that someone cannot decompile my application and extract such data... any ideas?


umm... DON'T connect to a database remotely over the internet from a desktop or mobile application.

The only time it is alright to connect to a database remotely over the internet is if whatever you are connecting from has a STATIC IP address (i.e. a server) and then the database user can then be configured to only accept incoming connections from that specific IP address (i.e. dbuser@123.23.23.12).

For anything else, you MUST keep a server middle-man between your database and your client applications.
This server can then be in charge of screening, dishing out info, etc. You can have this server as even a PHP script.


Re: Connecting To A Remote Database by Javanian: 8:47am On Aug 30, 2012
2buff: The only time it is alright to connect to a database remotely over the internet is if whatever you are connecting from has a STATIC IP address (i.e. a server) and then the database user can then be configured to only accept incoming connections from that specific IP address (i.e. dbuser@123.23.23.12).
1. By server you mean web server, right?
2. By database user, do you mean the client application or the database user on the server?
3. If question 1 is web server and question 2 is the database user on the server... how do I do the bolded?
Re: Connecting To A Remote Database by lordZOUGA(m): 9:54am On Aug 30, 2012
Javanian:
1. By server you mean web server, right?
2. By database user, do you mean the client application or the database user on the server?
3. If question 1 is web server and question 2 is the database user on the server... how do I do the bolded?
Man-in-the-middle server... best option.
Re: Connecting To A Remote Database by Javanian: 10:04am On Aug 30, 2012
^ By man-in-the-middle server... do you mean a web server that holds the database and that the application connects to? Can you please explain better?
Re: Connecting To A Remote Database by Nobody: 10:45am On Aug 30, 2012
2buff:

umm... DON'T connect to a database remotely over the internet from a desktop or mobile application.

The only time it is alright to connect to a database remotely over the internet is if whatever you are connecting from has a STATIC IP address (i.e. a server) and then the database user can then be configured to only accept incoming connections from that specific IP address (i.e. dbuser@123.23.23.12).

For anything else, you MUST keep a server middle-man between your database and your client applications.
This server can then be in charge of screening, dishing out info, etc. You can have this server as even a PHP script.
On point!

I have always been a big fan of tunnelling through a web page, which is what 2buff refers to as a server middle-man.
That way, you don't have to "hide" anything in your app, which is insecure in itself because your app can be decompiled.
Re: Connecting To A Remote Database by Javanian: 10:57am On Aug 30, 2012
.
Re: Connecting To A Remote Database by dellnet: 11:08am On Aug 30, 2012
Why don't you set up a config file or registry entry to ask for the information on the fly? This way no sensitive information is stored in your code. It is bad practice to store passwords, usernames etc. in your code.
Re: Connecting To A Remote Database by Javanian: 11:15am On Aug 30, 2012
dell_net: Why don't you set up a config file or registry entry to ask for the information on the fly? This way no sensitive information is stored in your code. It is bad practice to store passwords, usernames etc. in your code.
How?
Re: Connecting To A Remote Database by dellnet: 12:04pm On Aug 30, 2012
As you would with a login screen, then save the details to a file or registry; on the next startup the program will read from there.
Re: Connecting To A Remote Database by Javanian: 12:17pm On Aug 30, 2012
^ Thanks, but if I save to a file or registry, can't the data be accessed by someone else?...
Re: Connecting To A Remote Database by Javanian: 12:28pm On Aug 30, 2012
webdezzi:
On point!

I have always been a big fan of tunnelling through a web page, which is what 2buff refers to as a server middle-man.
Please can you explain in detail how I can do this?
Re: Connecting To A Remote Database by Nobody: 12:32pm On Aug 30, 2012
Javanian: ^ Thanks, but if I save to a file or registry, can't the data be accessed by someone else?...
You are right, it's not safe there either.
You cannot securely save stuff on the client side.

Here is a neat approach:
set up a page that receives POSTs,
so your app posts to this page; this page takes the POST parameters and figures out what the app wants.
The page connects to the database, fetches content, and prints out the content just like a normal web page does.

Most libraries that connect to URLs always have a mechanism in place to fetch the returned data.
So that way, you will have the database credentials on the web server, away from prying eyes.

e.g. your app requests http://yoursite.com/tunnel.php?what_to_fetch=users

On the server,
you check the value of the param what_to_fetch;
if what_to_fetch == "users"
then build the logic to do just that.

It's very hard this way for attackers to read a table you have not built logic for, unless you are vulnerable to SQL injection in your code.
Hope this helps.
Re: Connecting To A Remote Database by dellnet: 12:45pm On Aug 30, 2012
Well, as said earlier, you need a "middle-man" that will take the request and query the database. You should look at n-tier applications.
Re: Connecting To A Remote Database by Javanian: 12:48pm On Aug 30, 2012
@webdezzi Thanks once again, I am getting a clearer picture now... Can the page be in any language?
Re: Connecting To A Remote Database by Nobody: 3:34pm On Aug 30, 2012
Javanian:
1. By server you mean web server, right?
2. By database user, do you mean the client application or the database user on the server?
3. If question 1 is web server and question 2 is the database user on the server... how do I do the bolded?

1. I mean any server. But yes, a web server will do too. (If this is for that project of yours, I would recommend nginx and not Apache, as that's a huge resource hog.)
2. I mean the database user on the server DB.
3. When you create a user for your database (e.g. MySQL), you can specify where exactly that user is permitted to connect from.
The query to create this user would be something like:
GRANT ALL PRIVILEGES ON *.* TO 'my_user'@'localhost' IDENTIFIED BY 'password';

my_user is the user you are creating; localhost is the only IP permitted to connect to this database with this user, so in this case it will only accept connections from the same machine. It's best to keep all your DB users as localhost unless you have a server on another machine and you create a user for that server that explicitly only allows a connection from that server's IP address.
Re: Connecting To A Remote Database by Javanian: 3:48pm On Aug 30, 2012
^ Thanks a lot...
Re: Connecting To A Remote Database by Javanian: 4:09pm On Aug 30, 2012
Javanian: @webdezzi Thanks once again, I am getting a clearer picture now... Can the page be in any language?
Re: Connecting To A Remote Database by Nobody: 4:43pm On Aug 30, 2012
Javanian:

Yes. Research how to manually form a POST request to a server.
Re: Connecting To A Remote Database by Javanian: 5:02pm On Aug 30, 2012
^ Thanks again
Re: Connecting To A Remote Database by Nobody: 5:19pm On Aug 30, 2012
2buff:

1. I mean any server. But yes, a web server will do too. (If this is for that project of yours, I would recommend nginx and not Apache, as that's a huge resource hog.)
2. I mean the database user on the server DB.
3. When you create a user for your database (e.g. MySQL), you can specify where exactly that user is permitted to connect from.
The query to create this user would be something like:
GRANT ALL PRIVILEGES ON *.* TO 'my_user'@'localhost' IDENTIFIED BY 'password';

my_user is the user you are creating; localhost is the only IP permitted to connect to this database with this user, so in this case it will only accept connections from the same machine. It's best to keep all your DB users as localhost unless you have a server on another machine and you create a user for that server that explicitly only allows a connection from that server's IP address.

Nice post and very precise.
I'll stick to the below any day:

GRANT SELECT, INSERT, DELETE, UPDATE ON *.* TO 'my_user'@'localhost' IDENTIFIED BY 'password';

A little sanitization mistake can lead to a deadly "union select 1,2,3,4,5,'<phpcodes>' into outfile '/var/www/html/backdoor.php'".
Re: Connecting To A Remote Database by Javanian: 10:30am On Aug 31, 2012
@webdezzi and @2buff, is the HTTP POST/GET similar to what was used on this site for their API http://new.smslive247.com/developer_api/http.aspx ?
Re: Connecting To A Remote Database by Nobody: 10:40am On Aug 31, 2012
Yes, but you really want to stick with POST.
Reading the server visitor log could expose your login data in the URL,
and it's good practice to authenticate over SSL, get a token, and do the rest over normal HTTP if you desire.
Re: Connecting To A Remote Database by Javanian: 10:51am On Aug 31, 2012
^ Thanks once again
Re: Connecting To A Remote Database by CyberG: 9:53pm On Nov 05, 2012
Javanian: ^ Thanks once again

So did you get this to work? I read all the posts and I was wondering if the posts here tell you exactly how things are done in the real world. Are you posters real-life devs? To the poster, I have no idea if you figured out a working solution, but I will be brief:

1. Server-side scripting (with LAMP, not Windows Server/ASP.NET) requires you to know PHP, MySQL and Linux. You must be reasonably proficient in, or able to learn, these things to solve your problem.

2. In order to accomplish your objective in a professional environment, you will create a file of possible commands that your app supports, e.g. a command to upload pictures to a server, send a message, etc. This file will rely on a few very important resources: a file that contains the login to your MySQL database (username, password, etc.) as well as a routine that will build SQL queries by looking at the parameters you pass to the function. Then you will need a file that actually contains the sets of statements to be executed for each command. These two files should be included with a "require" statement, just like you use "include" or "import" for header files in C++, Java or Objective-C.

3. On your mobile app, you will need a class that is a singleton which deals with every communication with your server-side API. It is this class you will call every time you want the user of the phone to authenticate, register, upload a picture, etc. to the server. You do not keep any password files in your app or anything like that. To solve your problem of passwords, for example, you will have a form in which the user puts his username and password. In the class implementing the same authentication, you will have a "salting" string and the right frameworks which you will call to encrypt the password. After salting it, you then call your singleton class to initiate a request to your server, and your password or whatever information you want to send is sent encrypted.

4. Your server (remember that I mentioned you have a file of acceptable commands on the server) will accept this request and see if you have sent a valid command with the correct parameters. In this case, a register command would be valid, and it will pass that request to the other files, which will process it and return a result back to the client (app) as either JSON or XML. Note that "salting" or cryptography is a deep subject and your implementation may not necessarily be gold standard, but you would easily solve your problem and exclude a very high percentage of the chance that your login details can be compromised while on your phone, in transmission or on the server. If you look at salted passwords while on a server, you can never know what it is; as an example, look at this: 'C@C2Õå€?WBXºf¹û²í. The actual password is "yttdc".

I hope this gives you a clearer picture.
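The tunnel page webdezzi describes (one page receiving POSTs, a what_to_fetch value that only reaches logic you built for it) and the server-side "file of acceptable commands" in CyberG's point 4 are the same design. What follows is an added example and is not code from either poster: it uses Python with an in-memory SQLite table standing in for the remote MySQL database, and the table names, command names and sample rows are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the remote MySQL database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.execute("CREATE TABLE sessions (id INTEGER PRIMARY KEY, token TEXT)")
    db.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                   [("ada", "ada@example.com"), ("linus", "linus@example.com")])
    db.execute("INSERT INTO sessions (token) VALUES ('constructed-secret')")
    db.commit()
    return db


# Allow-list of what_to_fetch values the app may send. Each maps to one fixed,
# parameterised statement plus the POST fields that fill its placeholders.
# A table with no entry here (e.g. sessions) cannot be reached from the client.
COMMANDS = {
    "users": ("SELECT id, name FROM users ORDER BY id", ()),
    "user_by_name": ("SELECT id, name, email FROM users WHERE name = ?", ("name",)),
}


def handle_post(db, form):
    """The tunnel page's logic: validate the command, bind parameters, return rows."""
    what = form.get("what_to_fetch")
    if what not in COMMANDS:
        return 400, {"error": "unknown command"}
    sql, fields = COMMANDS[what]
    missing = [f for f in fields if f not in form]
    if missing:
        return 400, {"error": "missing parameter: " + ", ".join(missing)}
    params = tuple(form[f] for f in fields)
    rows = db.execute(sql, params).fetchall()  # values are bound, never spliced into SQL
    return 200, {"result": rows}


def lookup_unsafe(db, name):
    """The mistake webdezzi warns about: splicing the field into the SQL text."""
    return db.execute(f"SELECT id, name FROM users WHERE name = '{name}'").fetchall()


if __name__ == "__main__":
    db = make_db()
    print(handle_post(db, {"what_to_fetch": "users"}))       # 200, both users
    print(handle_post(db, {"what_to_fetch": "sessions"}))    # 400, not in allow-list
    probe = "x' OR '1'='1"                                   # constructed injection probe
    print(handle_post(db, {"what_to_fetch": "user_by_name", "name": probe}))  # 200, no rows
    print(lookup_unsafe(db, probe))                          # every user leaks
```

The same probe string returns nothing through the bound parameter but every row through string splicing, which is the difference between "a table you have not built logic for" staying private and not.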

Nairaland - Copyright © 2005 - 2024 Oluwaseun Osewa. All rights reserved.