 

Good Practice: How to handle keystore passwords in android/java? [duplicate]

Assuming that a password for a keystore is not supplied by or bound to a user password (which more or less means it's just a String or Array[] in the code somewhere), is it a sufficient protection that it just cannot or can only hardly be extracted out of the bytecode?

I know that the password for a keystore (JKS / BKS) is just used to verify the integrity of the keystore. Furthermore it is totally clear that I have to assume that an application runs in a more or less trusted environment to be "secure". But anyhow, is it possible to extract the password just from the apk file?

It just feels wrong to hardcode any password within the source of an application, so maybe there are some ideas on how to make it actually less threatening. E.g. would it be better to make the password configurable within an external configuration file or generate it randomly during installation of the app (and where should it then be stored)?

asked Feb 08 '14 13:02 by evildead


1 Answer

is it a sufficient protection that it just cannot or can only hardly be extracted out of the bytecode?

"Sufficient" is a subjective term; only you can determine what you feel is sufficient for you.

is it possible to extract the password just from the apk file?

Yes, as APK files can be decompiled, unencrypted network conversations can be sniffed, etc.

how to make it actually less threatening

You can buy a license for DexGuard and use it, as that will encrypt hard-coded strings like your password. Whether that is worth the extra defense is your decision.

would it be better to make the password configurable within an external configuration file

Anyone who roots the device could get at the file.

or generate it randomly during installation of the app (and where should it then be stored)?

It would be stored somewhere that is available to rooted device users, at minimum.

answered Oct 07 '22 22:10 by CommonsWare
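The answer's point that the password can be pulled out of the APK, made concrete as an added example (this is not code from the question, the answer, or any project the page names). It parses the string table of a classes.dex directly rather than decompiling: a hard-coded keystore password is just one more string_data_item, so it is readable with nothing but a zip reader and the published DEX header layout (string_ids_size at offset 0x38, string_ids_off at 0x3C). The header offsets are taken from that format; SAMPLE_STRINGS and build_minimal_dex are a constructed fixture so the example runs offline, and the entropy filter is a triage heuristic of my own, not part of the format.

```python
"""Added example: read the string constants out of an APK's classes.dex.
A hard-coded keystore password is just one entry in the DEX string table,
so it is readable from the APK with no decompiler. Header offsets follow
the published DEX format; SAMPLE_STRINGS below is a constructed fixture."""
import math
import struct
import zipfile

HEADER_SIZE = 0x70            # the DEX header is a fixed 112 bytes
DEX_MAGIC = b"dex\n035\x00"   # version 035; real files may say 037-039


def read_uleb128(data: bytes, off: int) -> tuple[int, int]:
    """Decode one unsigned LEB128 value; return (value, offset after it)."""
    value, shift = 0, 0
    while True:
        b, off = data[off], off + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7


def write_uleb128(n: int) -> bytes:
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def decode_mutf8(raw: bytes) -> str:
    """Modified UTF-8: NUL is stored as C0 80 and non-BMP characters as two
    separately encoded surrogates; re-join those into real code points."""
    text = raw.replace(b"\xc0\x80", b"\x00").decode("utf-8", "surrogatepass")
    return text.encode("utf-16", "surrogatepass").decode("utf-16")


def parse_dex_strings(dex: bytes) -> list[str]:
    """Walk string_ids[] -> string_data_item and return every constant."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    count, ids_off = struct.unpack_from("<II", dex, 0x38)
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, pos = read_uleb128(dex, data_off)
        end = dex.index(b"\x00", pos)   # a raw NUL only ever terminates
        out.append(decode_mutf8(dex[pos:end]))
    return out


def strings_from_apk(path: str) -> list[str]:
    """An APK is a zip; multidex apps carry classes.dex, classes2.dex, ..."""
    with zipfile.ZipFile(path) as apk:
        return [s for name in apk.namelist()
                if name.startswith("classes") and name.endswith(".dex")
                for s in parse_dex_strings(apk.read(name))]


def shannon_entropy(s: str) -> float:
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def likely_secrets(strings, min_len=8, min_entropy=3.0):
    """Triage filter only (my heuristic): type descriptors start with 'L' or
    '[', and identifiers are low-entropy; a literal password is usually
    neither. Confirm a hit by reading the decompiled call to KeyStore.load()."""
    return [s for s in strings
            if len(s) >= min_len and not s.startswith(("L", "["))
            and shannon_entropy(s) >= min_entropy]


def build_minimal_dex(strings: list[str]) -> bytes:
    """Constructed fixture (BMP strings only, so len(s) is the UTF-16 length):
    header + string table, enough for parse_dex_strings but not a loadable
    DEX (no map, types or classes)."""
    ids_off = HEADER_SIZE
    data_off = ids_off + 4 * len(strings)
    ids, data = b"", b""
    for s in strings:
        ids += struct.pack("<I", data_off + len(data))
        body = s.encode("utf-8").replace(b"\x00", b"\xc0\x80")
        data += write_uleb128(len(s)) + body + b"\x00"
    header = bytearray(HEADER_SIZE)
    header[:8] = DEX_MAGIC
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    return bytes(header) + ids + data


# Constructed sample of what such an app's string table might contain.
SAMPLE_STRINGS = ["Ljava/security/KeyStore;", "getInstance", "BKS", "load",
                  "toCharArray", "password", "s3cr3t-K3yst0re-P@ss"]

if __name__ == "__main__":
    for s in likely_secrets(parse_dex_strings(build_minimal_dex(SAMPLE_STRINGS))):
        print("candidate secret:", s)
```

Against a real APK, call strings_from_apk("app.apk") and feed the result to likely_secrets; the entropy threshold only narrows the list, and the string that is actually passed to KeyStore.load() is confirmed by reading the decompiled caller. This is also why the answer's DexGuard suggestion helps only so much: string encryption removes the literal from this table, but the decryption routine and key ship in the same APK.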