Protect string constant against reverse-engineering

Question

I have android application that has hard coded (static string constants) credentials (user/pass) for sending emails via SMTP.

The problem is that .dex file in .apk can be easily reverse-engineered and everybody can see my password.

Is there a way how to secure these credentials, while i will still be able to use them in my classes?

@Richard H, I think if he has to reuse the credential, hashing is no possible? — user802421, Sep 15 '11 at 19:10
If he hash them how can he unhash login/pass to send it to SMTP server? If it would be two-way function it would be easily decrypt. If it would be hash that reqire salt/key he would need to hash it too. [THERE](http://stackoverflow.com/questions/1249973/decompiling-dex-into-java-sourcecode)'s even thread about decompiling DEX to sourcecode. — Y.A.P., Sep 15 '11 at 19:13
@Y.A.P - yeah sorry I didn't appreciate that two-way encryption was required. — Richard H, Sep 15 '11 at 19:56

score 6 · Answer 1 · answered Jun 27 '16 at 10:00

6

We can use "jni module" to keep 'Sensitive Hardcoded Strings' in the app. when we try to reverse engineer APK file we get lib folder and .so files in respective process-folders. which can not decrypt.

answered Jun 27 '16 at 10:00

Anuj Jindal

1,711
15
24

2

i can still see strings in .so files. – Grishma Ukani Mar 21 '18 at 10:20

score 4 · Answer 2 · answered Sep 15 '11 at 19:26

You can save your string obfuscated by AES.

In Licensing Verification Library you can find AESObfuscator. In LVL it is used to obfuscate cached license info that is read instead of asking Android Market to find out application is licensed or not. LVL can be downloaded as component of SDK.

score 3 · Answer 3 · answered Sep 15 '11 at 19:01

3

I guess you can try a code obfuscator, but really that won't make your password 100% secure and I don't know how well it goes along with the android compiler. Why not use a secured web authentication , like that of Google?

answered Sep 15 '11 at 19:01

Shivan Dragon

15,004
9
62
103

2

I think obfuscator won't change the content (the credentials) of the String. The content needed to be encrypted first. But as you said, better web auth. – user802421 Sep 15 '11 at 19:13
ProGuard (the obfuscation tool provided by default by the Android SDK) doesn't encrypt nor obfuscate strings. DexGuard does encrypt strings, but it's a bit expensive. – AxeEffect Jul 03 '14 at 11:53

Amir Ziarati · Answer 4 · 2018-09-17T08:46:46.100

doing these would be useful:

1- you can encrypt them and obfuscate the encrypting algorithm. any encryption along with obfuscation (progaurd in Adnroid) is useful.

2- you better to hardcode your strings as byte array in your code. many reverse engineering applications can get a list of your hardcoded strings and guess what they are. but when they are in form of byte array they are not readable. but again Proguard is necessary. (it only hides from RAM string constant searching and they are still searchable from .class file)

3- using C++ code to host your constant is not a bad idea if you encrypt them before hardcoding and decrypt them using C++ code.

there is also a great article here :

https://rammic.github.io/2015/07/28/hiding-secrets-in-android-apps/

score 2 · Answer 5 · answered Sep 15 '11 at 19:35

2

Hashing is not possible since it is not two way.
Any encryption such as AES, DES, blowfish, etch is not a viable solution as you have to include the decryption part within your app and that can be decompiled with a combination of apktool, dex2jar and JD (java decompiler) which is a very powerful combo while decompiling any apk.
Even code obfuscators don't do anything except make life a little more difficult for the decompiling guy, who'll eventually get it anyways.

The only way which I think would work to an extent would be to host the credentials on a server which only your application can access via a web-service call through a separate authentication of some kind - similar to FB's hash key thing. If it works for them, it should work for us.

answered Sep 15 '11 at 19:35

Ashok Goli

5,043
8
38
68

10

...which brings the question if how the server will distinguish "only your application" access from hacker's access. – Eugene Mayevski 'Callback Sep 15 '11 at 19:45
3

Right, you are stuck again - this way. – Yugal Jindle Jan 02 '12 at 15:53
@EugeneMayevski'EldoSCorp Any improvement? – iraycd Feb 04 '15 at 22:07

score 2 · Answer 6 · answered Sep 19 '11 at 15:26

2

I was looking into a similar problem and came across this useful thread: http://www.dreamincode.net/forums/topic/208159-protect-plain-string-from-decompilers/

I'm not too familiar with Android development, but the same ideas should apply.

answered Sep 19 '11 at 15:26

KLing

195
1
10

Great lnik! That is a very interesting idea – Freedom_Ben Jun 13 '13 at 16:34

score 1 · Answer 7 · answered Sep 15 '11 at 19:59

If you do not have the means to do a web authorization you will need to include the third party decryption with you application.

This is what you could try 1) Write a standalone program only to create a password hash one time. (This program should not be a part of your app). Make a note of the hash that was generated. http://www.mindrot.org/projects/jBCrypt/

 // Hash a password for the first time.
    String hashed = BCrypt.hashpw(password, BCrypt.gensalt(12));

2) Store this password hash as a String constant in you APK.

3) Then every time you need to check the password, compare with the hashed password, using bcrypt.

// Check that an unencrypted password matches one that has
// previously been hashed
if (BCrypt.checkpw(candidate, hashed))
    System.out.println("It matches");
else
    System.out.println("It does not match");

jBCrypt is a single java file and it can be directly included in your application. It is considered one of the strongest encryption algorithms for passwords. Even through the decryption algorithm is present in you APK, trying to break this is very time consuming details of which can be read in the article below.

Read this article for details and security of bcrypt.
http://codahale.com/how-to-safely-store-a-password/

Again, use this only if you do not have the means to do web based authentication.

But he seems to need the original pwd instead of the hashed pwd for the smtp authentication. How can we reverse that? — Ashok Goli, Sep 15 '11 at 20:46
What about the `candidate` string? Or I'm missing something or this answer is useless. — AxeEffect, Jul 03 '14 at 11:48

score 0 · Answer 8 · edited Sep 05 '16 at 12:59

0

One way you can 100% secure you hard-coded string. Firstly don't use pro-guard use allatori Link: http://www.allatori.com/

And secondly don't take you hard coded string in any variable just use that string like this:

if(var=="abc"){}

"abc" is exampled hard coded string.

Allatori fully obfuscate all string that are used in code like above.

Hope it will help for you.

edited Sep 05 '16 at 12:59

Smittey

2,475
10
28
35

answered Sep 05 '16 at 12:34

Muhammad Noman

1,842
19
14

score 0 · Answer 9 · answered Sep 16 '11 at 06:21

0

Use some kind of trivial encryption or cipher that only you (and your code) understand. Reverse the string, store it as array of integers where you need to take the mod of 217 or something silly to find the real password.

answered Sep 16 '11 at 06:21

brianestey

8,202
5
33
48

Protect string constant against reverse-engineering

9 Answers9

Linked