I have a constant arraylist in my app.

Example:

private String[] word = {"A", "B"};

I used ProGuard, but when I tried reverse engineering, I could get the arraylist. I have to type more than 2400 words, and one can get the arraylist just by doing reverse engineering. Please give a solution to ensure that no one can get the arraylist. Can I put the arraylist in build.gradle or anywhere else to make it safe?

  • "Please give a solution to ensure that no one can get the arraylist" is probably not what you wanted to hear, but that's not possible. Any program will be cracked by a sufficiently motivated adversary. – Federico klez Culloca Jan 15 '20 at 09:50
  • So there is no way to make it safe? We can put a string in build.gradle and we can also retrieve it. – lavedar Jan 15 '20 at 09:54
  • @lavedar: if the data is in the binary that you give the user to run, then the data is in a file that the user can read. It could be obfuscated or made *harder* to get to, but you can't make it inaccessible, since that would also make it inaccessible to your code. The easiest way to make sure the user can't possibly see some data is to *not give it to them*. I.e. put the data on some server, run any manipulation on that server and only hand data to the user that *you actually want them to have*. – Joachim Sauer Jan 15 '20 at 10:18
  • If you want to save sensitive information, try using [AES encryption/decryption](https://stackoverflow.com/questions/6788018/android-encryption-decryption-using-aes). – Rahul Gaur Jan 15 '20 at 11:22
  • @RahulGaur: if your code can decrypt and use the data locally on the phone, then so can anyone decompiling your code. It's just glorified obfuscation in this case. – Joachim Sauer Jan 15 '20 at 15:24

1 Answer

You need to develop a utility (for example, another Java app) that you are not going to distribute, which encodes your array of strings as an enciphered or at least obfuscated array of bytes or chars, or as a String. If you need to edit the list, you edit and update this unreleased app.

Then run it, take the encoded/encrypted data and copy that data into your released app, so it becomes hidden among all the code. You can even split the encoded data across several different locations.

Then implement in your released app the code to extract and decode a word from that list (only one at a time: perform the actions you need and go for the next one; if you decode all the words you are exposing the list as well. It is difficult to locate because it is in memory, but... it will exist in decoded state).

All this does not guarantee 100% protection (as you are probably going to include the decryption keys and algorithms in your released app), but it dramatically increases the difficulty of extracting the whole list from your app, which I assume is what you want.

Also, do not store your encoded list in a file, because that usually makes it easier to locate. If you want to use a server, you need to avoid transferring the whole list (only a word at a time), you need to protect the API from abuse (too many requests), it will be slower than the other option, and it is prone to automated extraction diggers. On average the server solution is harder to implement than the first one.

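The two halves the answer describes (an unreleased build-time encoder and a release-side decoder that unmasks one word at a time), as an added example that is not part of the original answer or of any library; the key and the word list are constructed, and the masking is a keyed XOR over byte offsets, so, as the comments point out, it only raises the effort of extraction and does not make the list inaccessible to someone holding the APK.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class WordListObfuscation {
    // Build-time side: each word becomes [masked length byte][masked UTF-8 bytes].
    // The mask depends on the byte's offset in the blob, so repeated words do not
    // produce repeated byte patterns. This is obfuscation, not encryption.
    static byte[] encode(String[] words, byte[] key) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (String w : words) {
            byte[] raw = w.getBytes(StandardCharsets.UTF_8);
            if (raw.length > 255) throw new IllegalArgumentException("word too long: " + w);
            out.write(mask((byte) raw.length, out.size(), key));
            for (byte b : raw) out.write(mask(b, out.size(), key));
        }
        return out.toByteArray();
    }

    // Runtime side: walk the length prefixes and decode only the word at `index`,
    // so the rest of the list never exists in plaintext in memory.
    static String decodeWord(byte[] blob, int index, byte[] key) {
        int pos = 0;
        for (int i = 0; pos < blob.length; i++) {
            int len = mask(blob[pos], pos, key) & 0xFF;
            pos++;
            if (i == index) {
                byte[] raw = new byte[len];
                for (int j = 0; j < len; j++) raw[j] = mask(blob[pos + j], pos + j, key);
                String word = new String(raw, StandardCharsets.UTF_8);
                Arrays.fill(raw, (byte) 0); // scrub the buffer; the String stays on the heap until GC
                return word;
            }
            pos += len;
        }
        throw new IndexOutOfBoundsException("no word at index " + index);
    }

    // XOR is its own inverse: the same routine masks at build time and unmasks at runtime.
    private static byte mask(byte b, int offset, byte[] key) {
        return (byte) (b ^ key[offset % key.length] ^ offset);
    }

    public static void main(String[] args) {
        byte[] key = "demoKey".getBytes(StandardCharsets.UTF_8); // constructed; it ships in the APK anyway
        String[] words = {"A", "B", "Strings", "über"};          // constructed stand-in for the 2400-word list
        byte[] blob = encode(words, key);              // run once in the unreleased utility
        System.out.println(Arrays.toString(blob));     // paste this literal into the released app
        System.out.println(decodeWord(blob, 2, key));  // only the third word is ever decoded
    }
}
```

Anyone who decompiles the app recovers `mask`, the key and the blob together, so the realistic threat model is deterring casual copy-paste, not a motivated reverser.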