
Is it safe to hardcode your MySQL Database credentials?

Posted: Thu Jun 19, 2014 1:18 am
by jr180180
I'm not sure if this has been covered but is it safe to hardcode your cloud database into the application as demonstrated in http://lessons.runrev.com/s/lessons/m/4 ... L-database? Especially, if you want to distribute this over the app store.

Would someone be able to decompile your application after you publish it to grab your database login?

Is there a way to encrypt that on compile so that if someone tried to do something malicious to your application after distribution, they wouldn't be able to recover your login credentials for your production database?

Or is there a better way to have people login to your cloud database?

Thank you!

Re: Is it safe to hardcode your MySQL Database credentials?

Posted: Thu Jun 19, 2014 7:09 am
by bangkok
It's a classic problem.

Basically 2 answers.

-if your app connects directly to your remote MySQL database... then of course there is a risk.
You could "reduce" this risk by encrypting the login/password inside your app... But still: it will remain there... at the mercy of anyone.
But you could as well calculate that this risk is not really worrying (if your database contains information with low value, or value only to you). Or you could have a mixed approach: sensitive data would be encrypted in the database, and the rest would remain in plain text.

-then there is the classic answer, from a security point of view: close all links between your MySQL server and the "internet". And add a layer between the MySQL server and your apps: a local script system (in PHP or LiveCode Server).
This layer will check the credentials of the app, receive queries from your apps, and then forward those queries to the MySQL server, and then send back the results.
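The server-side layer described in the reply above, as an added example that is not code from this thread and not written in PHP or LiveCode Server as suggested: it is Python, and an in-memory SQLite database stands in for the MySQL server (an assumption; in production MySQL would listen only on localhost or a private interface, and this layer would be its only client). The layer holds the database login itself, so nothing the distributed app carries can be used to reach the database directly. It checks a per-app token (the `APP_TOKENS` store, the `demo-app` id and `tok_a1b2c3` value are all constructed) and, rather than forwarding whatever SQL text the app sends, exposes a fixed set of named operations bound to parameterized queries. That last point is the practitioner's caveat on "forward those queries": if the layer relays raw SQL, anyone who extracts the app token gains arbitrary query access, which is the very problem the layer was meant to solve.

```python
"""Minimal API layer between distributed apps and a database.

Added example. The apps never hold the database password and never send SQL;
they send a token plus the name of an operation and its parameters.
"""
import hmac
import sqlite3

# Constructed stand-in for the MySQL server (assumption): an in-memory SQLite
# database that only this process can reach.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    db.commit()
    return db

# Per-app tokens issued by the server operator (constructed values). A leaked
# token is revoked here; the database password is never touched or shipped.
APP_TOKENS = {"demo-app": "tok_a1b2c3"}

# Named operations an app may call. Each maps to one fixed, parameterized query
# and the parameter names it expects. Apps cannot introduce SQL of their own.
OPERATIONS = {
    "get_user": ("SELECT id, name, email FROM users WHERE name = ?", ("name",)),
    "list_users": ("SELECT id, name FROM users", ()),
}


def authenticate(app_id, token):
    """Constant-time comparison so token checks do not leak timing information."""
    expected = APP_TOKENS.get(app_id)
    return expected is not None and hmac.compare_digest(expected, token)


def handle_request(db, request):
    """Handle one request as an app would POST it: {app, token, op, params}."""
    if not authenticate(request.get("app", ""), request.get("token", "")):
        return {"ok": False, "error": "unauthorized"}
    op = OPERATIONS.get(request.get("op"))
    if op is None:
        # Raw SQL sent as an "op" lands here and is rejected, never executed.
        return {"ok": False, "error": "unknown operation"}
    sql, param_names = op
    params = request.get("params", {})
    try:
        args = tuple(params[name] for name in param_names)
    except KeyError as missing:
        return {"ok": False, "error": f"missing parameter {missing.args[0]}"}
    # Parameters are bound by the driver, so quote characters in a value are
    # data, not SQL.
    rows = db.execute(sql, args).fetchall()
    return {"ok": True, "rows": rows}


if __name__ == "__main__":
    database = make_db()
    good = {"app": "demo-app", "token": "tok_a1b2c3",
            "op": "get_user", "params": {"name": "alice"}}
    print(handle_request(database, good))
    # An app that tries to send its own SQL text gets nothing back.
    print(handle_request(database, {"app": "demo-app", "token": "tok_a1b2c3",
                                    "op": "SELECT * FROM users"}))
```

With this shape, extracting the token from a decompiled app lets an attacker do only what the app itself could do, and that token can be rotated without redistributing the app.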

Re: Is it safe to hardcode your MySQL Database credentials?

Posted: Mon Jun 23, 2014 9:21 am
by jr180180
Gotcha. Makes sense. Thanks for the explanation.

Re: Is it safe to hardcode your MySQL Database credentials?

Posted: Mon Jun 23, 2014 2:18 pm
by Mikey
This very problem was just discussed by one of the computer security magazines. A group from...somewhere...did a study of the Google Play store and found that there were many, many apps with hardcoded credentials. The folks doing the study were able to easily decompile the apps to extract the credentials. Some of the bigger providers, like Facebook, freaked out and terminated a bunch of developer accounts as a result. The main concern they had was that anyone could download these apps from the Google Play store, decompile the app, and pull the credentials.

If this is a "private" app, your exposure will be limited.