Android Question Using FTP-credentials in code

Mark Baars

Member
Licensed User
Longtime User
I am working on an app that uploads files to a hosted server, using FTP. I initialize with the code below.

B4X:
FTP.Initialize("FTP", "ftp.xxx", 21, "user", "pass")

Now I am wondering if this is secure enough. I replaced the "user" and "pass" in the code with the real username and password. Would it be easy, for a bad guy, to use a sniffer or a tool on their device to catch these credentials? Can this part of the code be de-obfuscated?

I could do something with encryption, but then I will have to figure out a way to decrypt this at the server side.

What I am looking for is a "best practice" to securely use FTP. Will the above method be safe enough for most cases, or should I add something to make security stronger?
 

Erel

B4X founder
Staff member
Licensed User
Longtime User
Obfuscation tutorial: Code Obfuscation

Process globals string variables are obfuscated, so make sure to set the strings in process_globals.

1. Unless you are using FTPS (UseSSL / UseExplicitSSL) then it is very simple to find the credentials by monitoring the network traffic.
2. It is not possible to really hide any information on the client side.
 
Upvote 0
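An added example (not code from the thread) putting the plain-FTP initialisation from the question next to an explicit-FTPS version with the strings in Process_Globals; the host, user, password and file path are placeholders.

```b4x
' Added example, not from the original post: host, user, password and
' server path are constructed placeholders.
Sub Process_Globals
    ' Process-global strings are the ones the B4A obfuscator scrambles.
    ' That only raises the bar for a casual decompiler; it does not make the
    ' values secret, because the app itself must recover them at run time.
    Dim ftpHost As String = "ftp.example.invalid"
    Dim ftpUser As String = "placeholder-user"
    Dim ftpPass As String = "placeholder-pass"
    Dim FTP As FTP
End Sub

' Weak: USER/PASS and the file contents travel in cleartext on port 21,
' so anyone monitoring the network path can read them.
Sub ConnectPlainFtp
    FTP.Initialize("FTP", ftpHost, 21, ftpUser, ftpPass)
End Sub

' Hardened: explicit FTPS (AUTH TLS) on the same control port. The TLS
' handshake completes before the credentials are sent, so a sniffer sees
' neither the login nor the payload. Use UseSSL = True instead for implicit
' FTPS, normally on port 990.
Sub ConnectExplicitFtps
    FTP.Initialize("FTP", ftpHost, 21, ftpUser, ftpPass)
    FTP.UseExplicitSSL = True
    FTP.PassiveMode = True
    FTP.UploadFile(File.DirInternal, "report.txt", True, "/upload/report.txt")
End Sub

Sub FTP_UploadCompleted (ServerPath As String, Success As Boolean)
    If Success = False Then Log(LastException.Message)
    FTP.Close
End Sub
```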

udg

Expert
Licensed User
Longtime User
Assuming that you have no control over the FTP server, one way to strengthen access security could be deploying a separate "credential server" (CS) which will return basic info such as the FTP server name to contact and the user and password for it.
A very good candidate to build such a CS server is B4J. You can easily add encryption to data returned to your app.

Disassembling your app would only reveal the CS address, nothing about the FTP server and its credentials.
If an eventual bad guy is going to sniff on port 21 (can you change it?), instead, that will reveal your secrets, so you should move to SFTP or another solution.
 
Upvote 0

Mark Baars

Member
Licensed User
Longtime User
Thank you Erel and udg. If I understand correctly, best practice is to make the credentials process global strings and set UseSSL or UseExplicitSSL to true.

I will do some testing with this, and keep a CS in mind if this isn't sufficient.
 
Upvote 0