0

The thing is: I've developed an Android application where the application accesses my web server over HTTP based on different user input. My question is: is there any way to hide the hard-coded URLs in my application so that anybody who reverse engineers this code will be confused?

The problem is: if anybody reverse engineers the code, he/she can cause problems for my other customers, as the URLs and parameters are hard-coded.

It's really urgent for me. Seeking your kind help regarding this subject.

Thanks.

pijushcse
  • Something beyond ProGuard obfuscation? If you need something more secure than that, I think your only real option is to create some sort of clever algorithm that will return your URLs to you upon being given the proper input instead of the hardcoded strings. – FoamyGuy Jul 19 '12 at 15:54
  • Thanks Tim, do you have any idea for any clever algorithm? – pijushcse Jul 19 '12 at 15:58
  • Nope not really. The simplest to implement (but perhaps least secure) would be to encrypt your hardcoded URL strings and decrypt them when you need to use them. But then your encryption key would be hard coded and anyone doing the reverse engineering would have what they need to find the URLs, it would just take an extra step. The most secure option is to come up with something creative by yourself instead of re-using someone else's work and use it in conjunction with traditional encryption. – FoamyGuy Jul 19 '12 at 16:02
  • The whole idea is "chicken vs. egg" though. You are human (I assume) thus anything you come up with another human will be able to undo given time and determination. – FoamyGuy Jul 19 '12 at 16:07

1 Answer

3

Perfectly obfuscating string resources (such as URLs) in your app is simply not possible. Anyone can decompile your app and, given enough time, will be able to reconstruct any hard-coded strings (URLs) in your app.

Instead of relying on the anonymity of your URLs, you should devote your time to securing your server such that unauthorized clients will have difficulty interacting with it. Even if you had perfect string obfuscation, securing your server would still be vital. There are a multitude of ways to discover the hidden URLs. For example, it would be trivial for me to engineer a man-in-the-middle attack to see what servers my phone is connecting to. Also, a simple web crawler might be able to do it as well.

slayton
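One way to act on the answer's advice to secure the server rather than the URL, as an added example that is not part of the original answer: the server issues each logged-in customer an HMAC-signed, expiring token and refuses any request whose token does not own the requested record. The function names, token layout and key are assumptions made for illustration; the signing key lives only on the server, never in the APK.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: a secret held only on the server (constructed demo value).
SERVER_KEY = b"constructed-demo-key-kept-only-on-the-server"
TOKEN_TTL = 900  # seconds a token stays valid after login


def _sign(payload):
    """HMAC-SHA256 over the encoded claims, URL-safe base64 text."""
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_token(customer_id, now=None):
    """Called only after the user has authenticated (e.g. a password login)."""
    now = time.time() if now is None else now
    claims = {"sub": customer_id, "exp": int(now) + TOKEN_TTL}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return payload.decode() + "." + _sign(payload)


def authorize(token, requested_customer_id, now=None):
    """True only if the token is genuine, unexpired and owns the record."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
        # Constant-time comparison; checked before the claims are parsed.
        if not hmac.compare_digest(sig, _sign(payload.encode())):
            return False
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return False  # malformed token: wrong shape, bad base64, bad JSON
    if claims.get("exp", 0) < now:
        return False  # expired
    # The customer id in the URL/parameters is never trusted on its own:
    # it must match the identity bound into the signed token.
    return claims.get("sub") == requested_customer_id
```

With this check in every request handler, knowing the URL and its parameter names is not enough to read or change another customer's data.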