Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to secure string in Android Application?

How to secure string in Android Application ?

Options:

  1. ProGuard: It does not secure string? Does proguard work to obfuscate static string constants?

  2. Encrypt String: for Encryption I need to store encryption key (string) some where and again it's same issue, how to secure encryption key.

  3. Fetch string from web service: But this solution will not work for me, as app don't have internet requirement/access that's requirement/business decision.

  4. NDK: write c file which contain string and return using JNI but I found Hex-Ray decompile to decompile *.so file https://www.hex-rays.com/index.shtml

================================================

Function in C

jstring Java_com_abc_xyz_getString(JNIEnv* env, jobject javaThis) {   return (*env)->NewStringUTF(env, "Hello String"); } 

====================================

Please suggest a best option to secure string in Android SDK/NDK.

like image 477
Ketan Parmar Avatar asked May 28 '13 05:05

Ketan Parmar


People also ask

How do you encrypt data in Android?

To get started, go to Settings > Security > Encryption > Screen lock. Select the PIN option and enter a PIN. The Android device is ready to be encrypted. Use the settings menu to open the encryption screen below by following Settings > Security > Encryption > Encrypt tablet or Encrypt phone.


2 Answers

Key protection and distribution is the big hole in cryptography. It has to be somewhere available at the time you need to decrypt the data.

So, if your string is entered by someone using the device, you could use the devices serial#/IMEI#/etc as the key. Somewhat secure, but not that difficult to reverse engineer. That would allow for the data to be decrypted locally without the user putting in a password, but would not allow the data to be distributed encrypted.

If you are trying to distribute encrypted data with the application, as you have discovered, the keys must be someone local to the device. Without a communications link to the outside world, the only choices are in the device or with the applications user.

Perhaps if you could give us the intended workflow, you could get more useful suggestions?

like image 57
LarryN Avatar answered Oct 09 '22 08:10

LarryN


For String encryption we have created an gradle plugin to hide your keys inside your Android app using the NDK and XOR operator. The goal is to obfuscate your keys to prevent reverse engineering of your app.

You can optionally provide a custom encoding/decoding algorithm to improve the security of your key.

Access to the plugin and all the details : https://github.com/klaxit/hidden-secrets-gradle-plugin

like image 29
Ben-J Avatar answered Oct 09 '22 10:10

Ben-J