10

I need to store some sensitive information in an Android application. If I put it in a resource file, it appears that it is trivial for another app to be able to browse and read that file simply by using PackageManager.getResourcesForApplication().

Where is the correct place to put information like this that we don't want people to be able to easily snoop?

Should it be in a compiled java file? Or are classfiles also easily readable? Also, if they're in java files, is it possible to reference them from XML files that need them (eg. for the google maps api key)?

emmby
  • 99,783
  • 65
  • 191
  • 249
  • 3
    Everything you distribute in your apk is readable. Just put it in resources / java files as long as it is valueless stuff like api keys. If it is your credit card number don't put it at all. Maps api key works only in XML IIRC – zapl Sep 17 '12 at 18:53
  • 2
    On ProGuard site they mention [DexGuard](http://www.saikoa.com/dexguard) which allows better obfuscation for e.g static Strings (API keys). If throwing in some money is not an issue checking what they have to offer might be worth the trouble. – harism Sep 17 '12 at 19:05

3 Answers3

9

Your APK will be retrieved from the device and torn apart anyway. (After all, some devices are rooted.) Whatever you hardcode there, no matter where, will be found and extracted. Of course, if the potential gain substantiates the effort. Otherwise, security by obscurity, such as obfuscation, may be the way to go.

Handling real secrets should be based on some sort of input, notably passwords.

Happily, API keys, if used as they are supposed to, are not necessarily a real secret.

full.stack.ex
  • 1,747
  • 2
  • 11
  • 13
4

Google has some good recommendations on this under billing. To summarize: use remote server, obfuscate and use secure random nonces. Nothing is safe in your apk as it always can be reverse engineered and obfuscation only works against simple attacks.

Warpzit
  • 27,966
  • 19
  • 103
  • 155
-3

if you just want to deny access to your data from other applications, you can use SharedPreferences. Just use Contex.getSharedPreferences(/prefs file name/, Context.MODE_PRIVATE); According to documentation MODE_PRIVATE means that the created file can only be accessed by the calling application (or all applications sharing the same user ID).

user1678443
  • 1
  • This doesn't answer the question being asked. The asker is concerned about distributed assets with the application, not with storage of information determined after installation. For example, a file distributed in `res/raw/`. – Dallas Sep 19 '12 at 13:27