Question

I am working on an Android application, and I want to submit a username and password. What I am doing at the moment is:

  1. create a hash value for the password

  2. Connect to authentication-server via HTTP request

  3. send username/hash-password via ObjectOutputStream

I do this because it was the only solution I could implement myself with the knowledge I have earned so far.

But of course there is a question I have to worry about: how secure is this? I know there is no 100% security. But is this a really poor solution, or average?


Solution

This is not safe, as the login / password are not encrypted. Things you should do are:

  • Use an HTTPS instead of an HTTP connection for login
  • Add a salt to your password before hashing it (the username as salt is ok)
  • Using serialization as the data protocol is not very handy - it doesn't provide any additional security, but it will be really awful when debugging...

Salt: If two users have the same password, they will also have the same hash. This can be easily recovered using rainbow tables (Google for it). To avoid situations like that, passwords should be hashed with some salt, so instead of using:

hash(password);

You should use:

hash(salt+password);

Where salt can be some quite long random string hard-coded in the application (to protect from rainbow attacks), or just the username, as it can be easily accessed on the server side and the application side.
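The following is an added illustration of the answer's salt advice; it is example code written for this page, not code from the question or the answer. It assumes SHA-256 as the hash, uses the username as the salt exactly as the answer suggests, and builds a constructed "rainbow table" from a handful of common passwords. The account names, passwords and the `":"` separator between salt and password are all assumptions made for the example.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed sample accounts: two users who happen to choose the same password.
USERS: Dict[str, str] = {
    "alice": "hunter2",
    "bob": "hunter2",
}


def hash_unsalted(password: str) -> str:
    """hash(password): the scheme described in the question."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(salt: str, password: str) -> str:
    """hash(salt+password): the scheme the answer recommends.

    A separator is inserted so that ("ab", "c") and ("a", "bc") do not
    hash to the same value (an assumption of this example, not of the answer).
    """
    return hashlib.sha256((salt + ":" + password).encode("utf-8")).hexdigest()


# A toy precomputed table standing in for a rainbow table: the attacker
# hashes a list of common passwords once and then looks up captured hashes.
COMMON_PASSWORDS = ["123456", "password", "hunter2", "qwerty"]
PRECOMPUTED: Dict[str, str] = {hash_unsalted(p): p for p in COMMON_PASSWORDS}


def recover(digest: str) -> Optional[str]:
    """Return the password for a captured digest if it is in the table."""
    return PRECOMPUTED.get(digest)


def register(username: str, password: str) -> str:
    """What the server stores at sign-up: hash(username + ":" + password)."""
    return hash_salted(username, password)


def verify(username: str, password: str, stored: str) -> bool:
    """Server-side check of a login attempt against the stored salted hash.

    compare_digest runs in constant time, so the comparison itself does not
    leak how many leading bytes of the hash matched.
    """
    return hmac.compare_digest(hash_salted(username, password), stored)


def demo() -> Dict[str, object]:
    """Compare the unsalted and salted schemes on the constructed accounts."""
    unsalted = {u: hash_unsalted(p) for u, p in USERS.items()}
    salted = {u: hash_salted(u, p) for u, p in USERS.items()}
    return {
        # Same password -> same hash, so one cracked account reveals the other.
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        # Username salt makes the two hashes differ.
        "salted_identical": salted["alice"] == salted["bob"],
        # The unsalted hash is found directly in the precomputed table...
        "unsalted_recovered": recover(unsalted["alice"]),
        # ...while the salted one is not (the table would have to be rebuilt per user).
        "salted_recovered": recover(salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    stored = register("alice", "hunter2")
    print("login ok:", verify("alice", "hunter2", stored))
    print("wrong password:", verify("alice", "hunter3", stored))
```

Two practical points follow from running it. A per-user salt (here the username) means an attacker must rebuild the table for every account rather than once, which is what defeats precomputation; a single salt hard-coded in the app is only as secret as the APK. And salting alone does not slow down a targeted guess, so on the server the stored value would normally be produced by a deliberately slow function (bcrypt, scrypt, PBKDF2 or Argon2) rather than a single SHA-256 round.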

Licensed under: CC-BY-SA with attribution