
I should encrypt some data before sending it from the app to the server and decrypt it again on the server to work with it. Most encryption and decryption methods need a key to do this. Because of that, I should have a key in the app to handle it.

When you install apps from stores like Google Store, there are some apps that can make an APK from the installed app.

Now the question is that can hackers convert my apk file to source code and get that key or not?

In these articles

  1. Is there a way to get the source code from an APK file?
  2. How to avoid reverse engineering of an APK file?

It seems the answer is yes, now how can I handle it? What is the common way to handle this scenario?

motevalizadeh
  • In public key encryption, the app would use the public key of the server to encrypt. The server would use its private key to decrypt. Therefore, you could keep the public key in an APK file without problems. You only have to keep the private key safe. – Axel Kemper Aug 24 '20 at 21:55
  • "Now the question is that can hackers convert my apk file to source code and get that key or not?" -- yes. "What is the common way to handle this scenario?" -- that depends entirely on your threat model (who the attackers are, what sorts of attacks you are trying to defend against, etc.). The answer may be that there is no need for manual encryption, because you are transmitting the data via HTTPS, for example. Public key encryption, as suggested in the previous comment, may help with some attacks and may not help with others. And so on. – CommonsWare Aug 24 '20 at 21:56
  • @AxelKemper, can you explain more, please? What is this technical name? You mean the public key on the app is that private key on the server? – motevalizadeh Aug 24 '20 at 22:00
  • Standard answer: just use HTTPS. – President James K. Polk Aug 24 '20 at 23:30
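
The public-key arrangement described in the first comment, as an added example that is not part of the original thread: the app holds only the server's public key and the server keeps the private key. It goes one step beyond the comment by using the usual hybrid form (a fresh AES-GCM key encrypts the data, RSA-OAEP wraps that key); the class and method names `HybridEnvelopeDemo`, `seal` and `open` are assumptions, and the key pair is generated in `main` only so the demo runs stand-alone.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

public class HybridEnvelopeDemo {
    static final String RSA = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    // Explicit OAEP parameters so both sides use SHA-256 for the hash and for MGF1.
    static final OAEPParameterSpec OAEP = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);

    // App side: needs only the server's PUBLIC key, which can ship inside the APK.
    static byte[][] seal(PublicKey serverPub, byte[] plaintext) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey aes = kg.generateKey();          // fresh one-time data key per message
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);          // 96-bit GCM nonce
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, aes, new GCMParameterSpec(128, iv));
        byte[] ct = gcm.doFinal(plaintext);
        Cipher rsa = Cipher.getInstance(RSA);
        rsa.init(Cipher.ENCRYPT_MODE, serverPub, OAEP);
        return new byte[][] { rsa.doFinal(aes.getEncoded()), iv, ct }; // wrapped key, IV, ciphertext
    }

    // Server side: the PRIVATE key never leaves the server.
    static byte[] open(PrivateKey serverPriv, byte[][] env) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance(RSA);
        rsa.init(Cipher.DECRYPT_MODE, serverPriv, OAEP);
        SecretKey aes = new SecretKeySpec(rsa.doFinal(env[0]), "AES");
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.DECRYPT_MODE, aes, new GCMParameterSpec(128, env[1]));
        return gcm.doFinal(env[2]);                // throws AEADBadTagException if the data was altered
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);
        KeyPair server = kpg.generateKeyPair();    // demo only: a real server loads its stored key
        byte[] msg = "constructed sample payload".getBytes(StandardCharsets.UTF_8);
        byte[][] env = seal(server.getPublic(), msg);
        System.out.println(Arrays.equals(msg, open(server.getPrivate(), env)));
    }
}
```

Extracting the public key from a decompiled APK gives an attacker nothing that decrypts captured envelopes, since `open` requires the private key held on the server.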

0 Answers