4

I have an app on Android. I use Facebook keys and Twitter keys in my strings.xml file. I use ProGuard. When someone who wants to see the real code decompiles my app, yes, it is complex because I use ProGuard. But my string values can be seen. Is this a security problem? I want to hide them, or how can I encrypt them?

Thanks

user3086226
  • 2
    You can't completely stop reverse engineering. ProGuard obfuscates the code. It's harder to reverse engineer. You can further use encryption and decryption algorithms – Raghunandan Mar 18 '14 at 06:12
  • Nope, there's nothing you can hide. An APK is just a compressed file. What you can do is store these keys on the server encrypted, fetch them inside your app and decrypt them – BlackBeard Mar 18 '14 at 06:18
  • 3
    @BlackBeard ok when I want to decrypt it I should use a key to decrypt it but reverse engineers can find that key too? – user3086226 Mar 18 '14 at 06:27
  • 4
    You can't beat a determined reverse engineer – miniBill Mar 18 '14 at 06:36
  • Even if they get the key, they won't get the FB or Twitter keys right away, not by reverse engineering. Or a much better way: encrypt your data completely by generating a different KEY for each new user on the server and send both the DATA and the KEY to decrypt it, which would make everyone's life harder to **HACK**. This involves a couple more steps for server calls – BlackBeard Mar 18 '14 at 06:37

2 Answers

1

As far as I know, the only possible way to achieve your goal is to physically check every user. It could be some kind of form which the user has to fill in with some personal data, so the term "physically" is maybe not the best choice here. I guess you could do that semi-automatically.

Other methods just slow down the reverse engineer and make his life harder.

If you have control over your users (for example, if your app is for some company's employees only), you can control who downloads the app by providing a password-secured download site and giving that password only to company employees by mail or some other way.

But after all, every trusted user can be the bad guy who provides the APK to some reverse engineer, so you will never be 100% safe until the .apk format changes in some way.

Srneczek
0

Create one encrypted file with your text data, store it in assets and read it from assets by decrypting it. This is one of the better solutions.

pavanmvn
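
Added example, not part of any post above: a release check for the question's concern that string values stay readable in the APK even with ProGuard. It opens the build as the ZIP archive it is and reports which entry contains a secret value you already know. The function names, the sample secret and the stand-in APK bytes are constructed for illustration.

```python
import io
import zipfile


def encodings_of(secret):
    """Byte forms a string can take inside an APK entry."""
    return {
        "utf-8": secret.encode("utf-8"),
        # resources.arsc string pools may store strings as UTF-16
        "utf-16le": secret.encode("utf-16-le"),
    }


def find_shipped_secrets(apk_bytes, secrets):
    """Return (secret_name, entry_name, encoding) for every secret found."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in apk.namelist():
            data = apk.read(entry)  # entry content, decompressed
            for name, value in secrets.items():
                for enc, needle in encodings_of(value).items():
                    if needle in data:
                        hits.append((name, entry, enc))
    return hits


def build_sample_apk(resource_value):
    """Constructed stand-in for an APK: a ZIP with fake resource and dex entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # Fake compiled resource table holding one string value (not a real arsc layout).
        z.writestr("resources.arsc",
                   b"\x02\x00\x0c\x00" + resource_value.encode("utf-16-le") + b"\x00\x00")
        # Fake dex: ProGuard renames classes, it does not touch resource strings.
        z.writestr("classes.dex", b"dex\n035\x00La/b;\x00")
    return buf.getvalue()


# Constructed placeholder value; in a build pipeline this would come from the
# secret store, never from the repository.
SAMPLE_SECRETS = {"facebook_app_secret": "FAKE-fb-secret-0000"}

if __name__ == "__main__":
    apk = build_sample_apk(SAMPLE_SECRETS["facebook_app_secret"])
    for name, entry, enc in find_shipped_secrets(apk, SAMPLE_SECRETS):
        print("secret %s is present in %s (%s)" % (name, entry, enc))
```

A non-empty result means the value ships to every device that installs the app. Keeping that credential on a server, as suggested in the comments, is what makes the check pass.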