Android storing key, decompiling fear

Question

I'm using amazing FPS and I have to store the secret key in the java code. However I am afraid that someone would decompile my apk and find the key. I have decompiled the apk myself and could not find the key, but I am not a VM expert. Any help?

Answer 1

You can't put your encryption key into your application and expect it to remain a secret. All it takes is for one determined programmer to decompile it and find the key, and they can share it with the world.

Asymmetric/public-key cryptography is exactly the solution you want. Create a public/private key pair, then put the public key in your application and keep the private key yourself. Then you can do two things:

• Your application can encrypt a message using the public key, that can only be decrypted using the private key.
• Or, you can sign a message using the private key, that can be authenticated using the public key in your application.

Answer 2

A determined enough individual will be able to extract your key, and there really isn't that much that can be done about it. You can attempt to obfuscate the keys somehow (raising the bar on how determined they need to be), but you can't keep them from getting the key.

However, depending on why you need to store the secret key, you might be able to use Asymmetric Key Cryptography. You'll be able to store a public key that may be limited to encryption (not decryption) or authentication purposes, while being able to keep the private key safe.