2

There are a lot of questions on SO in which developers are asking about how to protect secret strings placed in code or resources against reverse engineering. For example this, this or this.

I want to find out the best practices in hiding such kind of information(for example "Hello, secured world!" string). The goal is to process it somehow and include it into an application.

E.g. splitting strings, tricks in pure Java, obfuscation, advantages of using native (C) code.

P.S. I know what i can't provide an absolute protection, but i want to make retrieving secure information as difficult as possible.

P.P.S Of course the best way to keep data in secret is not to store them on the device is to use a negotiated token for providing access as Reto Meier wrote. It is regarding to authorization.

Community
  • 1
  • 1
Johnny Doe
  • 3,280
  • 4
  • 29
  • 45

2 Answers2

2

Some code obfuscators can encrypt strings in your source code in order to prevent them to be read if someone tries to reverse engineer your app.

Here are some obfuscators :

But the best solution remains not to store sensitive data on the user's device.

Mickäel A.
  • 9,012
  • 5
  • 54
  • 71
1

You can try to encode the strings with a decode key received from the api's.

Lucian Novac
  • 1,255
  • 12
  • 18
  • What did you mean about "decode key received from the api's"? Can you provide any example? AFAIK android has no a secret keys storage. – Johnny Doe Feb 28 '14 at 09:11
  • You should not save the secret key on your android app, the key should be provided by the ws, if you use one. – Lucian Novac Feb 28 '14 at 09:14
  • "if you use one" is the main problem. Application should work in offline mode too and i have to provide authorization functions without ws. In any case, it is the system architecture questions. – Johnny Doe Feb 28 '14 at 09:30
  • Yeah man, it really might be an option for the apps which requires web service login or something similar. – Johnny Doe Dec 15 '17 at 08:30