Menu
My application uses a number of API keys and URLs that I can't allow users to see. I've been putting them directly in the code, sometimes embedded in the method that uses them and sometimes in a class called MyVals that stores commonly used strings and numbers.
e.g.:
public class MyVals {
private LGVals(){}
public static final String DB_URL = "https://mydb.dbprovider.org/";
public static final String DB_Key = "klJF*(oh8iyhkkde";
public static final String TableKey_UserList = "o9w6owifhayf98fnwihj";
}
Is this safe? Does it make a difference if I'm creating my APK with Proguard? What's the best practice for this?
882
It is absolutely not safe to embed sensitive strings into your code. Proguard obfuscates the class and method names, but any defined strings remain completely unchanged. Here's an example from an app that I've run through Proguard. You can see that the method and class names are obfuscated, but the strings (as they must be) are unchanged.
Here is the original code:
public void shutdown() {
if (logger.logDebug()) {
logger.logDebug(LOGTAG, "Queuing shutdown message ...");
}
queueMessage(new BaseMessage(true));
}
And the obfuscated code, easily obtained by JD-GUI:
public void c()
{
if (c.logDebug())
c.logDebug("MsgRouter", "Queuing shutdown message ...");
a(new a(true));
}
If you embed sensitive data in a String in your app, it can and will be decompiled.
121
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
