is
Jon Skeet
Creating a jar with sensitive information which cannot be accessed by a user
In the maven project I am creating there is a certain property file (with sensitive information, credentials) under resource folder which is used by the program.
While packaging it in a jar is there any way to make this file not accessible by the user (user should not know of a such a file's existence if he unpacks the jar). The jar is intended to be exposed to the users for public use.
The question is if there is a way to achieve this while creating a jar, or if there is some pattern to be followed in the project intended to be used for this purpose.
Thanks in advance !!
No. Basically, if your code is running on the user's device, and your code needs the information, then you should expect the user to have access to the information.
You can obscure it in various ways - e.g. encrypting it with a key which is somehow inherent in the jar file, or even with a key which is fetched over the network - but fundamentally there's no secret present. Imagine someone writing a program which puts your jar file in the classpath and executes some of the code within the jar file - the code which obtains the credentials... they step through that code in the debugger, and they have the information. In the extreme, this is a problem even if the credentials aren't in the jar file at all, but are obtained over the internet... you'd need some sort of trusted execution model which prevents the information from being accessed unless it was guaranteed to be from your program, not in a debugger, with no ability for the user to snapshot memory.
In short: if information is critically sensitive, it can't be on the user's device.
See more on this question at Stackoverflow