2

I made an application on Android. I use some URLs to make requests to my server, but I do not know how to secure or hide those URLs in my application. Can someone help me?

Dung Quang

4 Answers

2

I have also done something similar. What you have to do is ...

1) You should have a web service which will give you the URL(s) for the service

2) Encrypt your main web service URL and hide the key inside the code.

3) Use ProGuard to obfuscate your code.

4) When you load your app, hit the main URL and get the other URL

5) Get the decryption key, because if you keep the URL in memory, anyone can obtain those with a memory dump

6) Decrypt the URL as and when needed.

other choices are ...

Hiding Strings in Code

Use SQL Cipher

Encrypted Database

Using Cryptography to Store Credentials Safely

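import android.util.Log;
import android.view.View;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;

import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

// The members below belong inside an Activity class.

// No mode or padding is named, so the provider's defaults for Blowfish apply.
private final static String ALGORITHM = "Blowfish";
// Hard-coded key: the characters of this string are used as the raw key bytes.
private final static String KEY = "2356a3a42ba5781f80a72dad3f90aeee8ba93c7637aaf218a8b8c18c";
private final static String PLAIN_TEXT = "here is your text";

// Click handler: encrypts the sample text, logs it as hex, then decrypts it again.
public void run(View v) {

    try {

        byte[] encrypted = encrypt(KEY, PLAIN_TEXT);
        Log.i("FOO", "Encrypted: " + bytesToHex(encrypted));

        String decrypted = decrypt(KEY, encrypted);
        Log.i("FOO", "Decrypted: " + decrypted);

    } catch (GeneralSecurityException e) {
        e.printStackTrace();
    }
}

private byte[] encrypt(String key, String plainText) throws GeneralSecurityException {

    // An explicit charset keeps key and text bytes identical on every device.
    SecretKey secretKey = new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), ALGORITHM);

    Cipher cipher = Cipher.getInstance(ALGORITHM);
    cipher.init(Cipher.ENCRYPT_MODE, secretKey);

    return cipher.doFinal(plainText.getBytes(StandardCharsets.UTF_8));
}

private String decrypt(String key, byte[] encryptedText) throws GeneralSecurityException {

    SecretKey secretKey = new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), ALGORITHM);

    Cipher cipher = Cipher.getInstance(ALGORITHM);
    cipher.init(Cipher.DECRYPT_MODE, secretKey);

    byte[] decrypted = cipher.doFinal(encryptedText);

    return new String(decrypted, StandardCharsets.UTF_8);
}

// Converts a byte array to a lowercase hex string, two digits per byte.
public static String bytesToHex(byte[] data) {

    if (data == null)
        return null;

    StringBuilder str = new StringBuilder(data.length * 2);

    for (int i = 0; i < data.length; i++) {
        // Values below 16 produce a single hex digit, so pad with a leading zero.
        if ((data[i] & 0xFF) < 16)
            str.append('0');
        str.append(Integer.toHexString(data[i] & 0xFF));
    }

    return str.toString();

}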

See live results of above encryption (blowfish)

Community
AZ_
0

I use it this way. I begin by encrypting the URL using the AES algorithm and an AES key to get the byte array of the URL.

byte[] b = {-52, -42, -105, 86, 110, -111, -59, 126, 97, -70, 12, 67, -121, 75, -97, 76, 82, -29, -25, -87, 77, 21, 19, 73, 45, -28, -20, -61, 34, 121, -27, -22, -25, 34, 2, -80, 48, -118, -109, -63, -26, 72, -42, -79, -75, -82, -52, -6, 118, 25, 48, 48, 47, -54, -42, -13, -83, 37, 118, -100, -1, -38, 127, 8, 22, -124, -25, -33, -18, -2, -31, -55, -25, 2, -46, 19, 36, -2, 76, 100};

I convert the URL to the byte array, and I only save the byte array in my application. When I need to, I convert the byte array back to the URL with the AES algorithm and the AES key.

Mozahler
Dung Quang
0

Hide URL in Environmental variables, BuildConfig and Android Studio

https://stackoverflow.com/a/47942035/7662481

Community
Mallikarjuna
-1

You can try obfuscating string resources (using ProGuard), but no matter how much effort you put in to make your resources (like URLs) secure, there is always a way to decompile and retrieve the hard-coded data from your application. Rather than relying on securing your URL in the application, try to secure your server so that access to it is only possible for your authorized users. However, if you still want to make life difficult for the attacker, you can study this link

  • Remember: By following this approach (which you are asking about), you can only make life harder for the attacker by increasing the time it takes the attacker to break into your resources. But your application will still be prone to being cracked.

An .apk is easily decompilable (see this online website). Even if you use some hashable algorithm, a determined attacker can crack it too, because he can download your .apk like a normal user and access everything in it. Also have a look at this

Reverse engineering of an .apk is best discussed here

Community
nobalG
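
The server-side approach recommended in the last answer, as an added example that is not part of any answer on this page: the endpoint path is treated as public, and every request must carry a signed, expiring per-user token. The secret, the route, the function names and the HMAC token format are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo values (assumptions, not from the page).
SERVER_SECRET = b"constructed-demo-secret"   # stays on the server, never in the APK
ROUTES = {"/api/orders"}                     # hypothetical endpoint; assumed public


def _sign(payload):
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()


def issue_token(user_id, ttl_seconds, now=None):
    """Issued after login: binds the token to one user and an expiry time."""
    expires = int((time.time() if now is None else now) + ttl_seconds)
    payload = f"{user_id}|{expires}".encode()
    enc = base64.urlsafe_b64encode
    return enc(payload).decode() + "." + enc(_sign(payload)).decode()


def verify_token(token, now=None):
    """Return the user id for an authentic, unexpired token, else None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # wrong shape or bad base64
        return None
    # Constant-time comparison; the payload is parsed only once it is authentic.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    user_id, expires = payload.decode().rsplit("|", 1)
    if (time.time() if now is None else now) >= int(expires):
        return None
    return user_id


def handle_request(path, headers, now=None):
    """Return an HTTP status; knowing the path alone never yields a 200."""
    if path not in ROUTES:
        return 404
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or verify_token(token, now) is None:
        return 401
    return 200
```

With this check in place, a URL recovered from a decompiled APK only reaches a 401 unless the caller also holds a token the server issued to a logged-in user.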