In my current Android (Java) program, I have passwords for server access and the urls of my server. Is there any way to use an obfuscator to protect this info from being revealed through decompiling? (The info is held in string vars)
Asked
Active
Viewed 416 times
0
-
https://rammic.github.io/2015/07/28/hiding-secrets-in-android-apps/ – esQmo_ Aug 19 '18 at 21:10
2 Answers
1
The idea is to encrypt the password/urls to an unknown hash which can't be recognized by decompilers and people who are interested in checking application's decompiled codes then on the Java side, decrypt the hash.
You also can use ProGaurd : Best practice for storing and protecting private API keys in applications
ʍѳђઽ૯ท
- 16,646
- 7
- 53
- 108
1
Keeping the password in source code is a bad practice.
I would suggest you to use an authentication service which will get the password.
whenever it is requested.
Hint:- It can be a app based or login based authentication.
So only way you can fully protect your password is to not use it in source code.
Keep the simple authentication service running on your server and get the credentials from the same.
Though it will increase your headache but it will be mighty effective in making your application more stronger and scalable.
Here is the high level design that might be possible:-
Still It is not fully protected as attacker might contact authentication service to get credentials using source code. But this can be protected by allowing requests only from specific machines.
Omkar Mozar
- 149
- 1
- 11