In the in-app purchase sample application in sdk\extras\google\play_billing, there is a comment as follows.

    /* base64EncodedPublicKey should be YOUR APPLICATION'S PUBLIC KEY
     * (that you got from the Google Play developer console). This is not your
     * developer public key, it's the *app-specific* public key.
     *
     * Instead of just storing the entire literal string here embedded in the
     * program,  construct the key at runtime from pieces or
     * use bit manipulation (for example, XOR with some other string) to hide
     * the actual key.  The key itself is not secret information, but we don't
     * want to make it easy for an attacker to replace the public key with one
     * of their own and then fake messages from the server.
     */

Can someone help me with an example of how to generate the key at runtime from pieces or use bit manipulation? That part is unclear to me.

Thanks

pats

1 Answer

It just means that you should not leave your key in a plain string constant, because probably not even obfuscation can hide it from curious eyes...

So build the key from different pieces or strips; for example, let's suppose the key is "123456". You can get the same String by concatenating 1L + "23", then parsing it to Long, multiplying by 1000 and adding 456:

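    // Start from a numeric piece, append a string piece, then finish arithmetically.
    Long longVal = 1L;
    String code = longVal.toString() + "23";       // "123"
    longVal = Long.parseLong(code) * 1000L + 456;  // 123456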

In bytecode after compilation it'll be a little twisted and, even after decompiling, everything will look even uglier and hard to read. BTW, maybe you can bitwise it a bit, also.

More info: Protect string constant against reverse-engineering

eduyayo
  • Thanks, the keys are incredibly long, this is a very hard job – pats Apr 29 '15 at 01:42
  • Maybe just build a list or a map of parts of the code and go concatenating each one... just don't leave the code in a plain String constant. – eduyayo Apr 29 '15 at 07:44
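
The "XOR with some other string" approach from the SDK comment, applied to a full-length Base64 key, as an added example that is not part of the original answer or of the SDK sample. The class and method names (`KeyAssembly`, `mask`, `assemble`), the mask string and the throwaway RSA key generated in `main` are assumptions for illustration, and it uses `java.util.Base64` on a plain JVM; in an app only the masked arrays and `assemble` would ship, and the rebuilt string is what gets passed as `base64EncodedPublicKey`.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class KeyAssembly {
    // Build-time step (run offline): split the Base64 key into chunks and XOR each byte with the mask.
    static byte[][] mask(String base64Key, byte[] mask, int parts) {
        byte[] raw = base64Key.getBytes(StandardCharsets.US_ASCII);
        byte[][] out = new byte[parts][];
        int chunk = (raw.length + parts - 1) / parts;
        for (int p = 0; p < parts; p++) {
            int from = Math.min(p * chunk, raw.length);
            int to = Math.min(from + chunk, raw.length);
            out[p] = new byte[to - from];
            for (int i = from; i < to; i++) out[p][i - from] = (byte) (raw[i] ^ mask[i % mask.length]);
        }
        return out;
    }

    // Runtime step: undo the XOR piece by piece and concatenate the result.
    static String assemble(byte[][] pieces, byte[] mask) {
        StringBuilder sb = new StringBuilder();
        int pos = 0;
        for (byte[] piece : pieces)
            for (byte b : piece) sb.append((char) (b ^ mask[pos++ % mask.length]));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the Play console key: a throwaway RSA key generated here.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        String original = Base64.getEncoder()
                .encodeToString(gen.generateKeyPair().getPublic().getEncoded());

        byte[] m = "not-a-secret-mask".getBytes(StandardCharsets.US_ASCII); // hypothetical mask
        byte[][] pieces = mask(original, m, 4); // these arrays replace the literal key string
        String rebuilt = assemble(pieces, m);

        // The rebuilt string must still decode to a usable X.509 RSA public key.
        PublicKey key = KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(rebuilt)));
        System.out.println("round trip ok: " + rebuilt.equals(original) + ", " + key.getAlgorithm());
    }
}
```

The mask and the masked pieces both live in the APK, so this only raises the effort needed to locate and swap the key, which is the goal the SDK comment states.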