 

How secure is proguard against reverse engineering?

I will be working with very sensitive data in an app. Obfuscation by my definition is not added security, it will only delay the cracker with finite time. Is it possible that Proguard does this so well it may be called added security?

What is most sensitive are some network calls. It will be hard to sniff the password because we will generate the password on both sides and check its validity with timestamps. Problem is the app may be reverse engineered and the generate algorithm may be exploited.

It is not possible to keep the algorithm locally in a file because with a rooted phone the cracker may be able to retrieve it. It does not work to download the algorithm from the server because the same problem applies here: if the cracker reverse engineers the app he/she will be able to see where the algorithm is taken from.

Any input on how to proceed is greatly appreciated!

Edit

What I am trying to protect is the generate algorithm so the cracker may not send a lot of data to our server.

Simon Zettervall asked Jul 15 '13 15:07



1 Answer

Generally, you can make the cracker's life harder. The harder you make it, the fewer will remain, especially if the financial incentive is limited.

Your code obfuscation options are:

  • Use ProGuard, it does a good job, not perfect of course, but good
  • Use DexGuard, which can make reverse engineering even harder, like by encrypting strings, or detecting code tampering
  • Write critical parts in C

Regardless of code obfuscation, make your network protocol also hard to mess around with: encrypt and sign messages, make sure messages cannot be repeated (by using time or a sequence), and authenticate the client.

Don't save on disk any clear texts that are sensitive.

yoah answered Oct 13 '22 20:10

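The protocol hardening the answer lists (sign each message, reject repeats via a timestamp and a sequence number, authenticate the client) worked through on the server side, as an added example that is not code from the question or the answer; the shared key, client id, time window and message layout are constructed for the demo.

```python
import hmac, hashlib, json

# Constructed per-client key for the demo. Provision this out of band; a key
# compiled into the APK is exactly what the question fears will be recovered.
CLIENT_KEYS = {"device-42": b"constructed-demo-key-not-for-production"}
MAX_SKEW_SECONDS = 60  # constructed freshness window

def canonical(payload: dict) -> bytes:
    # Stable serialisation so client and server MAC identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def sign(client_id: str, seq: int, ts: int, body: dict) -> dict:
    """Client side: bind body, client id, sequence and timestamp under one HMAC."""
    payload = {"client": client_id, "seq": seq, "ts": ts, "body": body}
    tag = hmac.new(CLIENT_KEYS[client_id], canonical(payload), hashlib.sha256).hexdigest()
    return {**payload, "mac": tag}

class Verifier:
    """Server side: signature first, then freshness, then strictly increasing sequence."""
    def __init__(self):
        self.last_seq = {}  # client id -> highest sequence number accepted so far

    def verify(self, msg: dict, now: int) -> str:
        if any(k not in msg for k in ("client", "seq", "ts", "body", "mac")):
            return "malformed"
        key = CLIENT_KEYS.get(msg["client"])
        if key is None:
            return "unknown client"
        payload = {k: msg[k] for k in ("client", "seq", "ts", "body")}
        expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
        # Constant-time compare so timing leaks nothing about the expected MAC.
        if not hmac.compare_digest(expected, msg["mac"]):
            return "bad signature"
        if abs(now - msg["ts"]) > MAX_SKEW_SECONDS:
            return "stale timestamp"
        if msg["seq"] <= self.last_seq.get(msg["client"], 0):
            return "replayed sequence"
        self.last_seq[msg["client"]] = msg["seq"]
        return "ok"

def demo():
    v, now = Verifier(), 1_700_000_000
    m1 = sign("device-42", 1, now, {"action": "fetch"})
    results = [v.verify(m1, now), v.verify(m1, now)]          # second call is a replay
    results.append(v.verify(dict(m1, body={"action": "delete"}), now + 1))  # tampered body
    results.append(v.verify(sign("device-42", 2, now - 600, {"action": "fetch"}), now))
    return results  # ["ok", "replayed sequence", "bad signature", "stale timestamp"]
```

The server also needs to persist `last_seq` per client across restarts, otherwise a captured message becomes valid again after a reboot.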