simple ways to hide java data files from curious users

[Krick]

Are there any simple ways to hide configuration files in my java
application from curious users?

Assume that my program loads a plain ascii text "key" file on startup
(properties, XML, ini, etc...) that determines what features of the
program are "unlocked" and available to the user.

How can I hide this file?

So far, I can only come up with two options...

1) leave it all plain text put a CRC code in the file to detect
changes

2) scramble/encode/encrypt the file in some way

3) put the file inside a "key" jar.


#1 is pretty trivial to implement but probably gives away too much of
the inner workings of the program

#2 is harder to implement but probably more secure

#3 really isn't much of a deterrent unless there is a way to password
protect the jar. However, I don't think java is capable of opening
password protected jar files.

The bottom line is that the target audience for the application is not
a particular computer savvy bunch so I doubt that there will be much
"hacking" going on. I just want to make it a little more difficult to
hack than just opening the file in notepad and changing things.


....
Krick

 

[nos]

Are there any simple ways to hide configuration files in my java
application from curious users?

Assume that my program loads a plain ascii text "key" file on startup
(properties, XML, ini, etc...) that determines what features of the
program are "unlocked" and available to the user.

How can I hide this file?

So far, I can only come up with two options...

1) leave it all plain text put a CRC code in the file to detect
changes

2) scramble/encode/encrypt the file in some way

3) put the file inside a "key" jar.


#1 is pretty trivial to implement but probably gives away too much of
the inner workings of the program

#2 is harder to implement but probably more secure

#3 really isn't much of a deterrent unless there is a way to password
protect the jar. However, I don't think java is capable of opening
password protected jar files.

The bottom line is that the target audience for the application is not
a particular computer savvy bunch so I doubt that there will be much
"hacking" going on. I just want to make it a little more difficult to
hack than just opening the file in notepad and changing things.


...
Krick

you can translate it to base64

 

[Tim Ward]

The bottom line is that the target audience for the application is not
a particular computer savvy bunch so I doubt that there will be much
"hacking" going on. I just want to make it a little more difficult to
hack than just opening the file in notepad and changing things.

(1) Include a checksum in the text file, don't publish the algorithm.

(2) On reading the file verify the checksum.

(3) If it's different put up a message telling the user to
- print off this form, which is a warranty disclaimer and an acceptance that
they've just broken their support contract
- get their boss to sign it
- snail-mail it to you
- wait for you to snail-mail back an activation password
at which point the application will continue running.

(MS used to do something with checksums for some of their text files that
weren't supposed to be user editable. They've given up. I can now edit the
files - this is an improvement.)

 

[Chris Smith]

So far, I can only come up with two options...

1) leave it all plain text put a CRC code in the file to detect
changes

2) scramble/encode/encrypt the file in some way

3) put the file inside a "key" jar.

Depends on your requirements. Since you're describing your audience as
not very computer-saavy (and assuming that's not going to change as the
software evovles) I suspect any of the above would be fine. If you
don't know that, then all normal warnings about client-side security
will apply.

--
www.designacourse.com
The Easiest Way to Train Anyone... Anywhere.

Chris Smith - Lead Software Developer/Technical Trainer
MindIQ Corporation

 

[nos]

Depends on your requirements. Since you're describing your audience as
not very computer-saavy (and assuming that's not going to change as the
software evovles) I suspect any of the above would be fine. If you
don't know that, then all normal warnings about client-side security
will apply.

--
www.designacourse.com
The Easiest Way to Train Anyone... Anywhere.

Chris Smith - Lead Software Developer/Technical Trainer
MindIQ Corporation

you can also try rot-13 if they don't have emacs

 

[Jayaram]

Are there any simple ways to hide configuration files in my java
application from curious users?

Assume that my program loads a plain ascii text "key" file on startup
(properties, XML, ini, etc...) that determines what features of the
program are "unlocked" and available to the user.

How can I hide this file?

So far, I can only come up with two options...

1) leave it all plain text put a CRC code in the file to detect
changes

2) scramble/encode/encrypt the file in some way

3) put the file inside a "key" jar.


#1 is pretty trivial to implement but probably gives away too much of
the inner workings of the program

#2 is harder to implement but probably more secure

#3 really isn't much of a deterrent unless there is a way to password
protect the jar. However, I don't think java is capable of opening
password protected jar files.

The bottom line is that the target audience for the application is not
a particular computer savvy bunch so I doubt that there will be much
"hacking" going on. I just want to make it a little more difficult to
hack than just opening the file in notepad and changing things.


...
Krick

# 2 is not too hard to implement.
Create a JAVA class having placeholders for all your configuration
parameters. Construt an object of the class with the required
settings, serialize it and dump it into a file.
Read the contents of the file back into the JAVA object upon pogram
startup.
Hava a look at java.io.Serializable, java.ibjectOutputStream and
java.ibjectInputStream.
Regards,
Jayaram

 

[nos]

(e-mail address removed) (Krick) wrote in message

# 2 is not too hard to implement.
Create a JAVA class having placeholders for all your configuration
parameters. Construt an object of the class with the required
settings, serialize it and dump it into a file.
Read the contents of the file back into the JAVA object upon pogram
startup.
Hava a look at java.io.Serializable, java.ibjectOutputStream and
java.ibjectInputStream.
Regards,
Jayaram

A sage once told me this:
Use binary, convert all the ones to zeros then remove repeated zeros
and output the result.

 

[Dale King]

Are there any simple ways to hide configuration files in my java
application from curious users?

Assume that my program loads a plain ascii text "key" file on startup
(properties, XML, ini, etc...) that determines what features of the
program are "unlocked" and available to the user.

How can I hide this file?

I gather that your purpose is not necessarily to make sure that the file is
not modified not so much to keep someone from seeing the contents.

So far, I can only come up with two options...

I count three ;-)

1) leave it all plain text put a CRC code in the file to detect
changes

2) scramble/encode/encrypt the file in some way

3) put the file inside a "key" jar.

#1 is pretty trivial to implement but probably gives away too much of
the inner workings of the program

#2 is harder to implement but probably more secure

#3 really isn't much of a deterrent unless there is a way to password
protect the jar. However, I don't think java is capable of opening
password protected jar files.

The answer is sort of a combination of 1 & 3. You add #2 if you want but
that is not necessary to detect modification. The answer is to put it in the
jar and sign the jar. Signing the jar generates digest entries which are
secure hashes of the files. The JVM will verify those and should refuse to
run your application.

See:
http://java.sun.com/docs/books/tutorial/jar/sign/index.html
http://java.sun.com/docs/books/tutorial/security1.2/index.html

 

[Jon A. Cruz]

The bottom line is that the target audience for the application is not
a particular computer savvy bunch so I doubt that there will be much
"hacking" going on. I just want to make it a little more difficult to
hack than just opening the file in notepad and changing things.

Just remember, all it takes is for one person to figure out the 'secret'
and start a 'tool' going around to the users.