What is the correct way to create a database desktop application ?

Question

I just realized that there is no best way to hide MySQL string connection password in my executable file, especially in JAR file. Even encrypting it in EXE would only slow down the process (although I'm not sure how much time would it take to get an encrypted password from an EXE file).

So, from my understanding, I need something in the middle that would do the add, edit, delete etc to the database. Seems like a job for REST API or maybe SOAP services.

My question is, which one should I use? Or should I use something else? I was thinking Zend Framework to create those REST APIs. Then, I would use Qt to create a desktop application to call those APIs. But if I proceed with REST, my application would be a 3 tier application. Wouldn't it be better if I just create a web application? Maybe I should just stick to desktop application call those APIs since the application is already finished and I just need to change from connecting directly to MySQL to calling those APIs to perform tasks rather than changing the whole application to a web.

Any advice would be very helpful. Thanks in advance.

UPDATE:

I'm looking for a security that would protect my MySQL password connection.

Obfuscator would only obfuscate the code, it won't hide my string database information which In my opinion can be easily found using grep after decompiling the JAR using tools like JAD.

About my application:

1. Using a centralized MySQL database
2. Thousands of user
3. Contains sensitive information
4. My client uses Linux and Windows
5. My server uses Linux
6. All access are done in LAN, no outside connection (from Internet etc)

My current solutions (comments please):

1. Using REST APIs (safer since MySQL password is in the server)
2. Using Qt with encryption to the password

Answer 1

It depends on what kind of security are you looking for. Is this to protect the application from the user? To protect the user's data from other users? To protect multiple users' data from one another? To protect the user's data from an attacker?

In a lot of applications there's nothing wrong with storing the database login credentials in plain text. In other cases, you might try:

1. encrypting a user-chosen database password using a reasonably strong algorithm, e.g. Blowfish, using a hard-coded key;
2. having the user provide the password and "log in" to the program each time;
3. storing the database password in plain-text, but encrypt the data using a hard-coded key;
4. same as the above, but encrypt each user's data using their own provided password;
5. same as 2 but store each user's data in their own database with their login info as the database credentials;
6. storing the data on a secure remote database that users have to log into to access via a SOAP API;
7. using the native filesystem permissions to protect the configuration file holding the login credentials;
8. same as #1 but rolling your own really elaborate key-generation system: e.g. run the machine SID or a hardware id through MD5 using a randomly-generated salt, and then using the result to encrypt the login credentials.

Remember, there's no such thing as perfect security, so whatever you settle on doesn't need to be unbreakable. It just needs to be tough enough to break to make the hassle of circumventing the security mechanism exceed the value of the data. So, for example, if the data is a list of the top scores in Minesweeper, then ROT13 would probably be enough.

Edit: I just want to add that, even if you can't get around having to hard-code an encryption key in your application, there are obfuscators for Java, .NET, and most other popular languages/frameworks. One of the key uses of these tools is to hide sensitive hard-coded strings like encryption keys.

Edit 2: Given the additional details about the app in question, only 1, 6 and 8 would apply in this case. And a SOAP API is more appropriate for #6 as George rightly pointed out.

I also want to mention that there are Java resource obfuscators that encrypt string literals. This is just one example.

Answer 2

It pretty much depends in what environment your app runs

a) db and client local
b) db and client in a local network
c) db is in the internet

my two cents:

a) I would create a single db user and wouldn't use a password but restrict acces to localhost
b) direct connect to the database is fine but I would each user have to login with his own password and grant only the permissions he needs.
c) It's a bad idea to allow mysql connections to a public server. In this case webservices would be a good solution.

Anyway if your case is b or c I would stick with a login dialog for the user.

Maybe you should have a look at this http://www.greensql.net/ tool. It is like a firewall but for mysql/postresql
So you can deny anything and only allow queries you want to.

Answer 3

If you are using Java for implementing your database desktop application, I would recommend to use Java DB as the database. There is a few ways of securing it, and there are alternatives to having a password in the connection string. I would recommend to read Java DB Security - Security Features in Java DB Release 10.4

It is easy to deploy your application with Java DB, since you can have much of it embedded in the same jar file. I have used it in a Point of Sale application implemented in Java.