
I just have a handful of Strings that I would like to obfuscate/hide against decompilation. I'm aware that I'll never be able to achieve true prevention but I am hoping there are any/some ways that will at least prevent the actual Strings from showing up exactly as they are.

Any help would be much appreciated.

Justin
  • I suggest [ROT13](http://en.wikipedia.org/wiki/ROT13) (: – Niklas B. Mar 30 '12 at 17:22
  • I think this will be done using an obfuscating tool. These tools will do much more, making your code very difficult to understand after decompilation. For example, you can try http://www.yworks.com/en/products_yguard_about.html – Benoit Courtine Mar 30 '12 at 17:35
  • Thanks Niklas! ROT13 seems simple enough! I want to mark your reply as answer but don't know how.. – Justin Mar 30 '12 at 19:48
  • possible duplicate of [hiding strings in Obfuscated code](http://stackoverflow.com/questions/4427238/hiding-strings-in-obfuscated-code) – Graham Borland Aug 02 '12 at 14:59

3 Answers

3

You can put them in a resource file and encrypt it using AES (for example). Then, on application initialization, extract the data.

Eugene Retunsky
  • That works until someone decompiles your app (easy to do) and obtains the AES key. – Steve Kuo Mar 30 '12 at 18:21
  • You don't have to keep the AES key with the sources. There are many ways to keep it secure (e.g. a remote server which performs decryption for authenticated and authorized people/apps). – Eugene Retunsky Mar 30 '12 at 18:35
  • Cool, I do have a remote server at my disposal. I don't know how to go about implementing this system though unfortunately. I also saw this: http://stackoverflow.com/a/2443952/1112835 which includes ".class that are (differently) dynamically generated on the server side." which sounds like it would help with security as well, but don't know what sort of method would allow for dynamic .class file usage...Like what would be in the unique downloaded .class files? – Justin Mar 30 '12 at 19:50
  • Just a web service with a single method: decrypt. You can search for encryption with AES on the Internet; there is a lot of material on this topic. – Eugene Retunsky Mar 30 '12 at 19:51
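As an added example (this is not code from the answer or its author), here is the shape of the scheme this answer and its comments describe, in Java with AES-GCM: a build step encrypts each value into a properties resource that ships in the jar, and application initialization decrypts it. Every value in it is constructed for the demo. The one assumption that matters is `keyFromOutsideTheArtifact()`: it is a stand-in for wherever the key really lives (the comments suggest an authenticated remote service), because if the key is embedded in the jar the decompiler gets it along with the ciphertext and the whole thing degrades to an encoding.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class SealedStrings {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128;

    // Build-time step: AES-GCM encrypt one value; output is base64(iv || ciphertext || tag).
    static String seal(SecretKey key, String plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);     // fresh nonce per value; never reuse one with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[IV_BYTES + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_BYTES);
        System.arraycopy(ct, 0, out, IV_BYTES, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Runtime step: decrypt one value. A modified ciphertext fails the GCM tag check
    // (AEADBadTagException) instead of silently yielding garbage.
    static String open(SecretKey key, String sealed) throws Exception {
        byte[] in = Base64.getDecoder().decode(sealed);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
        return new String(c.doFinal(in, IV_BYTES, in.length - IV_BYTES), StandardCharsets.UTF_8);
    }

    // ASSUMPTION / demo stand-in: where the key comes from is the whole problem.
    // A real app would obtain the key (or the already-decrypted values) from an
    // authenticated service so that the shipped jar never contains it.
    static SecretKey keyFromOutsideTheArtifact() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = keyFromOutsideTheArtifact();

        // Build step: the content that would be written to secrets.properties in the jar.
        // Plaintext values are constructed for this demo.
        Properties resource = new Properties();
        resource.setProperty("api.token", seal(key, "constructed-demo-token"));
        resource.setProperty("db.password", seal(key, "constructed-demo-password"));
        System.out.println("shipped resource: " + resource);

        // Application initialization: recover the values.
        System.out.println("api.token -> " + open(key, resource.getProperty("api.token")));

        // Integrity check: flip one ciphertext byte and decryption is refused.
        byte[] raw = Base64.getDecoder().decode(resource.getProperty("db.password"));
        raw[IV_BYTES] ^= 0x01;
        try {
            open(key, Base64.getEncoder().encodeToString(raw));
            throw new AssertionError("tampered value was accepted");
        } catch (AEADBadTagException e) {
            System.out.println("tampered db.password rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SealedStrings.java && java SealedStrings`. The split between `seal` (build machine) and `open` (application) is the point: only `open` and the ciphertexts ship, and the program still has to get the key from somewhere the decompiler cannot follow.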
1

There are a number of free and commercial "java code obfuscators" that change names of non-public API and do simple transformations of string literals. This obfuscation won't stop a determined attacker, but it will discourage casual observation.

erickson
  • Yep, especially it will stop stuff like `strings *.class` which doesn't require *any* skills at all. – Niklas B. Mar 30 '12 at 17:41
  • I tried Proguard yesterday, but I still saw my Strings coming up exactly as they were in my code =/ – Justin Mar 30 '12 at 19:48
0

My favorite method is to declare them encoded in base64. Then it's just a simple library call to decode the string out of them and use it whenever needed. This obfuscates the string and its length both.

Danish
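Added example, not code from either of the last two answers: it shows the two encodings those answers talk about (the base64 literal from this answer, and the kind of simple literal transformation erickson's obfuscators apply, here a single-byte XOR), and then does the check from Niklas B.'s comment from inside Java by scanning its own `.class` file for the plaintext the way `strings *.class` would. The hidden value and the XOR key are constructed for the demo.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class HiddenLiteral {

    // Variant 1 (this answer): the only literal javac stores is the base64 text.
    // Constructed demo value; it decodes to hunter2.
    private static final String B64 = "aHVudGVyMg==";

    // Variant 2 (the simple transformation an obfuscator applies): single-byte XOR.
    // javac emits a byte[] initializer as individual bipush/bastore instructions, so
    // neither the plaintext nor the encoded bytes sit contiguously in the class file.
    private static final byte XOR_KEY = 0x5A;                                  // demo key
    private static final byte[] XORED = {0x32, 0x2F, 0x34, 0x2E, 0x3F, 0x28, 0x68}; // same value

    static String fromBase64() {
        return new String(Base64.getDecoder().decode(B64), StandardCharsets.UTF_8);
    }

    static String fromXor() {
        byte[] out = new byte[XORED.length];
        for (int i = 0; i < XORED.length; i++) {
            out[i] = (byte) (XORED[i] ^ XOR_KEY);
        }
        return new String(out, StandardCharsets.UTF_8);
    }

    // Poor man's `strings *.class`: does this byte sequence appear verbatim in the
    // compiled class? Constant-pool strings are (modified) UTF-8, so ASCII text is
    // stored exactly as written in the source.
    static boolean classFileContains(Class<?> cls, String needle) throws IOException {
        String name = cls.getSimpleName() + ".class";
        try (InputStream in = cls.getResourceAsStream(name)) {
            if (in == null) throw new IOException("cannot read " + name);
            byte[] hay = in.readAllBytes();   // Java 9+
            return indexOf(hay, needle.getBytes(StandardCharsets.UTF_8)) >= 0;
        }
    }

    static int indexOf(byte[] hay, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= hay.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (hay[i + j] != needle[j]) continue outer;
            }
            return i;
        }
        return -1;
    }

    public static void main(String[] args) throws IOException {
        String secret = fromBase64();
        if (!secret.equals(fromXor())) throw new AssertionError("encodings disagree");

        // Expected: false (the plaintext is not in the class file) and true (the
        // base64 text is, and anyone who spots it decodes it with one library call).
        System.out.println("plaintext in class file:   " + classFileContains(HiddenLiteral.class, secret));
        System.out.println("base64 text in class file: " + classFileContains(HiddenLiteral.class, B64));
    }
}
```

Run it with `javac HiddenLiteral.java && java HiddenLiteral`. Both variants keep the plaintext out of `strings` output, which is all either of these answers claims; neither resists anyone who opens the decompiled source, since the decode routine sits next to the data. Note also that base64 output is 4·ceil(n/3) characters long, so the original length is recoverable to within two bytes.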