0

In my Android App I want to protecte some static strings from being read by decomnpiling the application. I read that a way to do so is to put them into c++ code and load them natively into the Android project.

so I created a c++ file and a CMake script. The c++ file:

#include <jni.h>
#include <string>

extern "C"
JNIEXPORT jstring JNICALL
Java_package_name_NdkUtils_methodForStringToBeProtected(
        JNIEnv *env, jobject /* this */) {
    std::string result = "secretStaticStringHere";
    return env->NewStringUTF(result.c_str());
}

and the CMakeLists.txt:

cmake_minimum_required(VERSION 3.4.1)
add_library(native-lib SHARED src/main/cpp/native-lib.cpp )
find_library( og-lib log )
target_link_libraries( native-lib ${log-lib} )

In Android now I suceeded getting that string within the native call. What I want to get is that the c++ is hidden from the built. I only want to include the so files.

So I went into the genrated apk and I was able to extract the libnative-lib.so file. I integrated the so-files in the aap/src/main/jniLibs folder. But when I remove the c++ sources I cannot access the methodForStringToBeProtected-method anymore. What do I have to do now to call the function only from within the so-file?

softwaresupply
  • 1,908
  • 3
  • 20
  • 34
  • 2
    Please note that string constants can be super easily extracted from native libraries unless you use some type of cipher, such as XOR. – Tatsuyuki Ishi Apr 21 '17 at 13:24
  • Can you provide a sample? After extracting the .so-file I found no way to access it. – softwaresupply Apr 21 '17 at 13:26
  • `strings` `readelf -p .rodata` – Tatsuyuki Ishi Apr 21 '17 at 13:27
  • See also: http://stackoverflow.com/questions/4427238/hiding-strings-in-obfuscated-code http://stackoverflow.com/questions/11161024/obfuscating-resource-strings-that-may-give-away-too-much-information-about-progr – Tatsuyuki Ishi Apr 21 '17 at 13:28
  • Well it is not about encryption mechanisms and not about reading the data out of the .o file on my linux machine. I Want to built an .so file. I exactly followed the tutorial here: https://www.androidsecurity.info/2016/12/15/storing-your-secure-information-in-the-ndk/?utm_source=Android%20Weekly&utm_campaign=aa29d184f9-Android_Weekly_236&utm_medium=email&utm_term=0_4eb677ad19-aa29d184f9-337904097 Is it really true the c++ files cann than be kept in the Android project securely? Or should I remove them and extract that values (within Android code) from the so.-libraries? If yes, how to? – softwaresupply Apr 21 '17 at 13:45
  • 2
    The strings will be no more secret if they're kept in native code compared to Java. – Michael Apr 21 '17 at 16:54

0 Answers0