I have an Android application and within it some strings which I send through https. Is it possible to encrypt those hardcoded strings (such as for example passwords) in an Android application so that they are unreadable from the apk file?
Regards,
3 Answers
So if I understand your question correctly, you want to store encrypted strings within the Android apk file (in strings.xml for example). If this is the case, yes, you can absolutely store encrypted strings wherever you please.
The kicker is that in order to decrypt these strings, you'll need a key. Wherever you end up storing the key becomes the weak link in this chain. If your app is reverse engineered and someone gets a hold of the key, your strings are no longer encrypted.
So to answer your question, no, it's not possible to do what you want.

Great answer. Quoting Bruce Schneier: "Key management is the hardest part of cryptography and often the Achilles’ heel of an otherwise secure system.". This is exactly the case here. – Bitcoin Cash - ADA enthusiast Oct 19 '13 at 07:56
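An added example, not taken from any answer on this page: a pre-release audit of `res/values/strings.xml` that illustrates the point above, since both a plaintext credential and an "encrypted" string shipped next to its key remain visible to anyone who unpacks the apk. The resource names, sample values, name pattern and entropy threshold are all assumptions made for the illustration.

```python
import base64
import binascii
import math
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed stand-ins for an "encrypted" string and the key shipped beside it.
FAKE_CIPHERTEXT = base64.b64encode(bytes((i * 37 + 11) % 256 for i in range(32))).decode()
FAKE_KEY = base64.b64encode(bytes((i * 91 + 5) % 256 for i in range(16))).decode()
# Constructed sample of res/values/strings.xml; every name and value is made up.
SAMPLE_STRINGS_XML = f"""<resources>
    <string name="api_user">scripts</string>
    <string name="api_password">example-password</string>
    <string name="cfg_a">{FAKE_CIPHERTEXT}</string>
    <string name="cfg_b">{FAKE_KEY}</string>
    <string name="welcome">Welcome back to the demo application</string>
</resources>"""

CREDENTIAL_NAME = re.compile(r"pass(word|wd)?|secret|token|api_?key|credential", re.I)
BASE64_VALUE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 0.0 for empty input."""
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values()) if total else 0.0


def audit_strings_xml(xml_text: str) -> list[tuple[str, str]]:
    """Return (resource name, reason) for entries that look like shipped secrets."""
    findings = []
    for elem in ET.fromstring(xml_text).iter("string"):
        name, value = elem.get("name", ""), (elem.text or "").strip()
        if CREDENTIAL_NAME.search(name):
            findings.append((name, "credential-like name"))
        elif BASE64_VALUE.fullmatch(value):
            try:
                raw = base64.b64decode(value, validate=True)
            except binascii.Error:
                continue  # looked like base64 but does not decode; ignore
            # Ciphertext and keys decode to near-uniform bytes, unlike UI text.
            if len(raw) >= 16 and shannon_entropy(raw) >= 3.5:
                findings.append((name, "high-entropy blob"))
    return findings


if __name__ == "__main__":
    print(audit_strings_xml(SAMPLE_STRINGS_XML))
```

Neutral resource names such as `cfg_a` and `cfg_b` do not help: the decoded bytes are flagged on their entropy alone.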
Check out What is the most appropriate way to store user settings in Android application and a whole bunch of other questions. Basically you can obfuscate and encrypt to some extent but you will never be completely safe on a rooted device and against network sniffing attacks. That said though, that applies everywhere. Find your best compromise between level of effort to implement and crack and the data you are protecting.

I think you should explain what you want to do with these strings. If you just want to send a password to the server and make some kind of authorization, you can use MD5 or some other hash function to hide those values. The hashed password can be compared with the hashed password at the server side. If you want to send encrypted text and decrypt it at the receiver side then you have to use some encryption algorithm, e.g. DES (some kind of encrypting key will be needed).

On the server I have a folder with php scripts which is protected by the user name and the password. I'm sending those values through https to execute my scripts from my Android app. The problem is of course that they exist in pure form in my apk file, so everybody can read them out with a blink of an eye. – Eric Jan 24 '12 at 00:08