
I am about to publish an application that has a great amount of JavaScript in the Assets/ folder. I have shrunk, minimized & combined everything (JS) into ONE big file around 500kb. I am looking for ways to encrypt it and hide it from the assets folder.

What are in your opinion the best ways to do it?

  1. store as plain string inside Java Class and (I don't know if it's possible) tell ProGuard to specifically encrypt this. --> I would serve it to WebView via onintercepturlloading

  2. store as encrypted file inside Assets, hot-decrypt with any third-party or Java crypto routines - that I'd like to hear about.

  3. whatever you want

Ideally the solution should be included as part of the build process, but I would manually generate the encrypted data if there's no other solution.

EDIT: DexGuard seems the professional way to go, but it's €350, any free alternatives?

Please don't ask me why I want to encrypt it. I need to do it just like one day you need to go to the dentist.

AstroCB
rupps
  • Why would you want to encrypt it? Focus on making better content instead of futile DRM schemes. – vertti Mar 07 '13 at 12:43
  • @vertti Because if someone gets their hands on the APK they can open it and check the code up in the assets folder. – Simon Zettervall Mar 07 '13 at 12:43
  • Yes, I know, but what's the secret you are trying to hide there? – vertti Mar 07 '13 at 12:44
  • ouch €350 ... I'm afraid I'm implementing an in-house solution ... – rupps Mar 07 '13 at 13:00
  • Hey casperOne, I think it's slightly picky to say this is not constructive, as the options proposed are certainly based on expertise and are metacode. I think it's not a silly question, it would be too easy to add meaningless code when the metacode is what matters. Besides, this relies on a buggy webview. This component has bugs spread all around its methods and that's why sometimes it's not clear which way to choose! – rupps Jan 20 '14 at 15:08

2 Answers

I would advise you to not depend on 3rd party tools as you might become vendor locked-in, meaning if they stop developing the software et cetera. I would put the JavaScript's contents in one big final static String and then as you said tell ProGuard to do its magic.

Taken from ProGuard's documentation:

Does ProGuard encrypt string constants?

No. String encryption in program code has to be perfectly reversible by definition, so it only improves the obfuscation level. It increases the footprint of the code. However, by popular demand, ProGuard's closed-source sibling for Android, DexGuard, does support string encryption, along with class encryption and hiding of access to sensitive APIs.

Simon Zettervall
  • Would ProGuard do its magic on its own? Can you fine-tune it so it specifically garbles the big string? – rupps Mar 07 '13 at 12:48
  • hey @simon thanks a lot. Dexguard is what I am looking for, I think :) I'm gonna try it and will post updates – rupps Mar 07 '13 at 12:52
  • @rupps No worries! :) do so! – Simon Zettervall Mar 07 '13 at 12:53
  • Do note that dexguard is a paid application, unlike proguard. – vertti Mar 07 '13 at 12:54
  • @rupps As vertti said it is a paid application so here you can find more alternatives, not sure if they have String obfuscation though: http://proguard.sourceforge.net/index.html#alternatives.html – Simon Zettervall Mar 07 '13 at 12:57
  • As far as I know, none of the free ones do. And most of them seemed a lot more work to integrate to your build process. For example no Maven support. – vertti Mar 07 '13 at 13:07

There is absolutely nothing you can do that would be considered secure. So obfuscation is pretty much the best compromise between wasted effort and gaining security (making hacking more difficult, but by very little).

Securing an encryption scheme would require a key. And you have no place to hide your key. You could either have it in your APK or you could make the APK download it from some server. Both are easy to spot with the right tools.

If you just want to slow the hacker down, then go with something simple. Spread the JavaScript parts around in different locations and encode them with some simple and fast encoding like base64. Then combine them on the fly. A professional guy will break that just as well as any encryption scheme but you won't waste many minutes in implementing it. More time to code your actual app.

DexGuard does pretty much what I described above (String obfuscation) but for an indie developer I feel it's quite pricey (cheapest license is 350 dollars).

vertti
  • I don't want ultra-protection, but I also don't want all our code to be exposed with a simple PkUnzip. If someone wants to steal our code I want him/her to be debugging for a couple hours at least. – rupps Mar 07 '13 at 12:50
  • Then go with something simple. Spread the JavaScript parts around in different locations and encode them with some simple and fast encoding like `base64`. Then combine them on the fly. A professional guy will break that just as well as any encryption scheme but you won't waste many minutes in implementing it. More time to code your actual app. – vertti Mar 07 '13 at 12:52
  • Yep, that's my Plan C, but I'm giving a shot to DexGuard, looks like it's exactly what I'm looking for ... thanks for the answer though – rupps Mar 07 '13 at 12:54
  • For an indie developer, I consider DexGuard pretty expensive. I believe it does pretty much what I described above but yes, it will be the least painful way to go about it. Good luck with your app. – vertti Mar 07 '13 at 12:56
  • Oops, didn't know it was commercial !!! – rupps Mar 07 '13 at 12:59
  • Dexguard looks interesting @vertti how secure is the obfuscation in dexguard? Could it be used to securely hide away a SQLCipher string key .. reference http://stackoverflow.com/questions/9563332/how-do-i-secure-my-database-sqlite-in-the-assets-folder-by-ciphering – Aiden Fry Mar 14 '13 at 12:28
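
An added example, not code from any poster in this thread: option 2 of the question (an encrypted bundle in assets, decrypted at runtime with the standard `javax.crypto` routines), written so that the limitation raised in the second answer stays visible. The class name, the demo key and the sample script are constructed for illustration; the key necessarily ships inside the APK, so this raises the effort above a plain unzip and nothing more.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;

public class AssetCrypto { // hypothetical class name
    // Constructed demo key. Any key compiled into the app can be read back by
    // whoever decompiles it, so treat this as obfuscation, not secrecy.
    private static final byte[] KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
    private static final int IV_LEN = 12, TAG_BITS = 128;

    // Build step: returns IV || ciphertext+tag, the bytes to place in assets/.
    static byte[] encrypt(byte[] plain) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv); // fresh IV for every build
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }

    // Runtime step: fails with an exception if the asset bytes were modified.
    static byte[] decrypt(byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(KEY, "AES"),
               new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        return c.doFinal(blob, IV_LEN, blob.length - IV_LEN);
    }

    public static void main(String[] args) throws Exception {
        byte[] js = "function hello(){return 'hi';}".getBytes(StandardCharsets.UTF_8); // constructed sample
        byte[] blob = encrypt(js);
        System.out.println("round trip ok: " + Arrays.equals(js, decrypt(blob)));
        blob[blob.length - 1] ^= 1; // simulate a repackaged APK with an edited asset
        try {
            decrypt(blob);
            System.out.println("tampering not detected");
        } catch (GeneralSecurityException e) {
            System.out.println("tampering detected");
        }
        // In the app, WebViewClient.shouldInterceptRequest would return
        // new WebResourceResponse("text/javascript", "UTF-8",
        //         new ByteArrayInputStream(decrypt(assetBytes)));
    }
}
```

The authenticated mode also gives an integrity check on the bundle, which the base64-splitting approach does not.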