I upload my app which use in app purchases and everybody says be carefull with your lisence key how I can obfuscate it properly? The idea to have it in pieces and join it later in onCreate is not enough? Shall I put pieces of the key in Strings.xml?
Asked
Active
Viewed 76 times
1
-
1I think this is what you are looking for: http://stackoverflow.com/questions/14570989/best-practice-for-storing-private-api-keys-in-android – jbarat May 09 '16 at 10:45
1 Answers
0
The more you distribute key in time and space the harder it would be to replace it. Do not join it at a single place (onCreate) - distribute its pieces through the code. Make it hard to find pieces of your key in code - never store them as is but XORed with some value. It is more a security by obscurity - where and how you store key should be a secret. Use obfuscation.
Remember you protecting license key from replacement. Think how easy (fast) one can change key having sources of your application.
Also, modify source code dealing with a key, so it is unique for your app. For example Google in-app billing comes in sources and it is relatively easy to find one in decompiled sources to hack.
Andrey
- 56
- 4