
One way I know is to put it in assets, but that can't be ProGuarded and is easily available after decompiling. What are some other ways?

Thanks in advance!

Vipul J
  • You cannot prevent someone from getting any value stored in your apk. Regardless of where you store it or how you try to hide it. – Xaver Kapeller Feb 16 '15 at 17:32
  • Reverse Engineering is impossible to prevent, you can only make it (slightly) more difficult through obfuscation. If you really want to keep some data safe you need to store it in a server and access it in your app through a Web service. Just think of your app being open source while developing it, because that's what it essentially is. Everybody can reverse engineer an apk, barely any technical skills required. – Xaver Kapeller Feb 16 '15 at 17:35
  • 1
    @Xaver Kapeller: Web service does not make it saver. They can find out the URL and download the files manually – ByteHamster Feb 16 '15 at 17:38
  • @ByteHamster if that were true than why can't I download files from your Dropbox or Google Drive accounts? – Xaver Kapeller Feb 16 '15 at 17:40
  • @Xaver Kapeller: because every user of Dropbox has a password. To download the files, a unique token is used. If you have an app that downloads the files, all users share the same token and the token can be found out by reverse engineering. – ByteHamster Feb 16 '15 at 17:43
  • @ByteHamster if you build your app that way then it's your own fault. You just need to use a method of authentication that does not require credentials on the client side, for example OAuth. That way only your app can access the Web services and there are no credentials stored in your apk which can be obtained through reverse engineering. – Xaver Kapeller Feb 16 '15 at 17:46
  • @Xaver Kapeller: As I have understood OAuth, it generates a token that can be used to fetch data. If there is no password etc., how should the server know if it is the app or someone who reverse engineered your app? Both are sending exactly the same data. Anyway, even if you could download the file securely, it has to be saved in a String. Using Xposed, that String can easily be stolen. – ByteHamster Feb 16 '15 at 17:53
  • @ByteHamster OAuth does not need credentials. There is a token involved, but it is not provided by the client. OAuth turns the traditional username/password approach on its head by removing the need for the client to have a username or password and instead letting the server decide who can access the data. There are a lot of ways the server can make sure that the client who requests the data is allowed to actually access it. For example Google Cloud Messaging uses a big combination of data like the SHA1 fingerprint of the app to make sure that nobody else but your app has access to it. – Xaver Kapeller Feb 16 '15 at 17:59
  • I know that the server can decide. But how can it find out that it is the app when exactly the same data is sent by app and "hacker"? You can send the SHA1 of the app even if you are not the app - just generate the fingerprint and include it in your request. – ByteHamster Feb 16 '15 at 18:06
  • 1
    @ByteHamster And as for the other part of your comment you always need to consider what you are trying to protect. In every normal case you are trying to protect user data. Not some critical internal company secret. Sure any user can just dump the memory of his phone to the disk and read data stored in the ram or do other things like that to get data stored internally in the app, but why would he do that? All he is ever going to get is his own data. What you should be trying to prevent is someone getting the data of some other user. – Xaver Kapeller Feb 16 '15 at 18:15
  • @ByteHamster And that's where OAuth comes in with its tokens and Google is very very good at making sure that your Google Account is secure. And as a developer you can easily incorporate that in your app. – Xaver Kapeller Feb 16 '15 at 18:15
  • Okay that is a good point. Copying the full app cannot be prevented and there is no reason for an attacker to get the content of a single file if it does not store user data – ByteHamster Feb 16 '15 at 18:19

2 Answers

Simple answer is: you can't. You want to make it readable and not readable at the same time. This won't work, never did and never will, unless you're running your software on locked-down hardware.

You may only make it more or less annoying to extract your precious data from the app. The most obvious way is to encrypt it and decrypt it at runtime. Of course, a determined attacker will extract the keys and decrypt it without trouble.

You can download it from some backend server at runtime and save it on flash in the private data region. Of course somebody can just peek inside and copy the files, but APK analysis won't disclose the data.

Finally, somebody can just dump RAM with JSON contents and bypass your "security".

ezaquarii

You could encode it with something like AES but even then the data will not be safe. It will just be harder to decompile. Additionally, you need to decode it every time you use it.

ByteHamster
  • I see answers like this all the time on Stack Overflow, but storing the data you want to hide in encrypted form makes it in no way more secure. Doing this is useless. – Xaver Kapeller Feb 16 '15 at 17:39
  • If someone really wants to decompile the app, you can't stop him. But you can make it harder with encoding and maybe he loses interest in the app if it needs too much effort – ByteHamster Feb 16 '15 at 17:46
  • Why would he lose interest if someone goes through the trouble of decompiling the app in the first place? There is no challenge involved. As soon as someone decompiles your apk he has access to all hard coded values, all resources and the complete source code. Even if he does not understand what the code does he can still just copy and paste it. Trying to hide data in your app for example by encrypting it is the completely wrong approach because it will always fail and just make things more complicated for you. – Xaver Kapeller Feb 16 '15 at 17:56
  • 2
    There is only one correct way to build a secure application: Think of it as being open source, because that's what it essentially is as soon as you release the apk to the play store. – Xaver Kapeller Feb 16 '15 at 17:56
  • That's true, I see. Copying can not be prevented. But if you just want to hide that "secret" file, encoding is an option. Then he needs to dig around your code and find out how it was encoded. It will make it a lot harder but of course it is still possible to get the content of that file. – ByteHamster Feb 16 '15 at 18:01
  • How will it make it harder? Even if the attacker just uses a basic text editor like notepad to look at the source code he can still just look up the name of the resource or file he is looking for and then use the basic search feature to find every and all instances of that resource or file in your source code. Even if you encrypted that file or resource in your apk the attacker has already found out what to do with that file because he already sees what you do with that file in your source code. – Xaver Kapeller Feb 16 '15 at 18:08
  • And now just imagine what an attacker can do if he imports your source code into a IDE like IntelliJ with powerful refactoring and code analysis tools just a shortcut away. – Xaver Kapeller Feb 16 '15 at 18:09
  • I did not say that it is impossible. Just harder. You could make it harder looking up the name by encoding the filename too using something like loadFile(decrypt("xyz")) :D – ByteHamster Feb 16 '15 at 18:14
  • Well by giving your files weird names you are just making your life as a developer more difficult, but it is not going to stop an attacker. As I said before, trying to do stuff like this is the completely wrong approach. – Xaver Kapeller Feb 16 '15 at 18:17
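Added example, not part of the question or either answer: a Python script that walks through what the first answer ("determined attacker will extract the keys") and the second answer (encrypt the asset with something like AES) both describe. It builds an in-memory zip laid out like an APK with an encrypted `assets/cfg.bin`, takes a constructed snippet standing in for jadx/apktool output of the ProGuarded `AssetLoader` class, pulls every string constant out of it regardless of its obfuscated name, and tries each as the key until the asset decrypts to valid JSON. The key `"s3cr3t-app-key-2015"`, the asset name, the class layout and the secret JSON are all constructed for this example; the cipher is a SHA-256-based XOR keystream standing in for the AES the answer mentions, chosen so the script runs on the standard library only. The extraction steps are the same whichever cipher the app uses.

```python
"""Extracting an "encrypted" asset from an APK when the key ships in the APK.

Constructed example: the app side (build_apk) and the attacker side
(recover_secret) are both in this file so it runs offline.
"""
import hashlib
import io
import json
import re
import zipfile

APP_KEY = "s3cr3t-app-key-2015"  # constructed: the developer's hard-coded key

# Constructed stand-in for decompiler output. ProGuard renamed the field to
# `a` and the asset name is built at runtime, as suggested in the comments,
# but the key literal itself survives because the app has to hold it.
DECOMPILED_SOURCE = r'''
package com.example.app;

public final class AssetLoader {
    private static final String a = "s3cr3t-app-key-2015";
    private static final String b = c("Y2Zn");  // runtime-decoded asset name

    static byte[] d() {
        return e.f(a, g(b + ".bin"));
    }
}
'''


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in stream cipher: SHA-256 in counter mode. The real app would
    use AES; the attacker's workflow below does not depend on the cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: str, data: bytes) -> bytes:
    """XOR the data with the keystream. Symmetric, so decrypt == encrypt."""
    return bytes(a ^ b for a, b in zip(data, keystream(key.encode(), len(data))))


decrypt = encrypt


def build_apk(secret_json: bytes) -> bytes:
    """Builds an in-memory zip with the same layout the app's APK would have:
    the 'protected' blob sits in assets/ next to the manifest and dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")   # constructed filler
        z.writestr("classes.dex", b"dex\n035\x00")           # constructed filler
        z.writestr("assets/cfg.bin", encrypt(APP_KEY, secret_json))
    return buf.getvalue()


# --- attacker side ----------------------------------------------------------

def find_string_constants(java_source: str) -> dict:
    """Every `static final String <name> = "<literal>"` in the decompiled
    source, keyed by field name. Obfuscated names do not matter: the
    literal is what we want."""
    pat = re.compile(r'static\s+final\s+String\s+(\w+)\s*=\s*"([^"]*)"')
    return {m.group(1): m.group(2) for m in pat.finditer(java_source)}


def recover_secret(apk_bytes: bytes, java_source: str) -> bytes:
    """Read the blob straight out of the APK (it is just a zip) and try each
    string literal from the decompiled code as the key. The first candidate
    that decrypts to well-formed JSON is the secret file."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        blob = z.read("assets/cfg.bin")
    for _name, candidate_key in find_string_constants(java_source).items():
        plaintext = decrypt(candidate_key, blob)
        try:
            json.loads(plaintext)           # raises ValueError on garbage
            return plaintext
        except ValueError:
            continue
    raise LookupError("no string constant in the source decrypts the asset")


if __name__ == "__main__":
    # Constructed secret the developer wanted to hide.
    secret = b'{"api_key": "constructed-example-value", "tier": "gold"}'
    apk = build_apk(secret)
    print(recover_secret(apk, DECOMPILED_SOURCE).decode())
```

If the key is not a literal at all (derived from the package name, assembled from pieces, or hidden behind a JNI call), the fallback is the one the comment above describes: copy the app's own decrypt routine out of the decompiled code and call it, or hook it at runtime and read the plaintext. Nothing in the APK can refuse to run for its owner, which is the point both answers make.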