Is it safe to embed a password in a mobile application?

I have a web server that creates a QR code containing [username] + an MD5 hash of [username] + [password], where [username] is the user logged in at that time and [password] is a system password that I set and that is shared by the web server and the applications.

The Android / iPhone / BlackBerry / Windows application scans this QR code and hashes the [username] from the QR code together with [password], which tells me that the QR code came from my server.

Obviously, if someone got hold of [password], they could create QR codes that did not come from my web server. Is there any way to safely store [password] in my application, or can someone decompile the .apk and find it in the .dex classes?

+3
android passwords iphone windows-phone-7 blackberry
Jul 24
3 answers

You can obfuscate the password somehow, but in the end it is only security through obscurity. Someone who wanted to could, of course, reverse engineer it.

You probably want to look into public key cryptography to avoid this - even if someone gains access to the public key, they still will not be able to use it to impersonate the server.

+9
Jul 24
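One way to apply this answer's public-key suggestion to the QR scheme in the question, as an added example that is not code from this thread: the server signs the username with an Ed25519 private key, and the app ships only the public key to verify it. The payload format `<username>:<base64 signature>` and the function names are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed payload format for this example: "<username>:<base64 Ed25519 signature over username>".
// The server keeps the private key; the app ships only the public key, so a decompiled
// .apk yields nothing that lets anyone mint QR codes the app would accept.
const sep = ":"

// MakeQRPayload runs on the server and signs the username with the private key.
func MakeQRPayload(priv ed25519.PrivateKey, username string) string {
	sig := ed25519.Sign(priv, []byte(username))
	return username + sep + base64.StdEncoding.EncodeToString(sig)
}

// VerifyQRPayload runs in the app and checks the signature with the embedded public key.
// It returns the username and true only when the payload was produced with the private key.
// LastIndex is used because base64 never contains ":", so usernames may contain it.
func VerifyQRPayload(pub ed25519.PublicKey, payload string) (string, bool) {
	i := strings.LastIndex(payload, sep)
	if i < 0 {
		return "", false
	}
	username, sigB64 := payload[:i], payload[i+1:]
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize || len(pub) != ed25519.PublicKeySize {
		return "", false
	}
	if !ed25519.Verify(pub, []byte(username), sig) {
		return "", false
	}
	return username, true
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // server-side key generation
	if err != nil {
		panic(err)
	}
	payload := MakeQRPayload(priv, "alice")
	fmt.Println("QR payload:", payload)
	user, ok := VerifyQRPayload(pub, payload)
	fmt.Println("genuine:", ok, user)
}
```

The public key can sit in the app in plain sight; unlike the shared [password] in the question, extracting it gives no way to produce a payload that `VerifyQRPayload` accepts.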

No.

If someone is motivated enough, they will be able to reverse engineer the hard-coded password.

0
Jul 24 '11 at 21:10

I'm not sure about other platforms, but if you put your password hardcoded in plaintext on Android, they will get it very easily. Other platforms may require more sophisticated methods. You can hash your password using a more advanced hashing algorithm so they don't get the original password, but from what you said, you don't want them to make "fake" QR codes.

The short answer is no, because everything can be hacked in some way if it is on the client side.

0
Jul 24 '11 at 21:10
