Is there a more secure way to store sensitive string in an Android project?

Question

In my Android project, I want to keep my web service address unknown. I store the link as follows:

private final String SERVICE_LINK = "mywebservicelink..."

But since I saw that APK's can be decompiled, I wonder if this link can be known.

How can I store it securely?

Thanks.

Answer 1

You can set sensitive string in your gradle.properties

https://docs.gradle.org/current/userguide/build_environment.html#sec:gradle_properties_and_system_properties

For example:

in your gradle.properties (usually located in your root project), you can define:

SERVICE_LINK = "mywebservicelink"

Then in your application's build.gradle

android {
   ...
   defaultConfig {
       resValue "string", "service_link", SERVICE_LINK
   }
   ...
}

Then, this service link will be ready in your resource as R.string.service_link. That is, you can simply get the value by doing:

getString(R.string.service_link);

EDIT 1:

If you're asking about how to hide your strings in your APK, then you can use ProGuard. However, be advised. Whatever you put into your source code, there's no 100% guarantee that it cannot be reverse-engineered. ProGuard will obfuscate your code, which will make reverse-engineering harder significantly.

For more information, this thread is awesome: How to avoid reverse engineering of an APK file?

Answer 2

You can assign value of SERVICE_LINK variable after doing some operations, instead of assigning directly. For example using string operations with a few meaningless strings, getting characters or substrings from some specific positions, getting some characters from ASCII code obtained by some arithmetic operations etc. may be helpful for the purpose.

This provides a complexity so that third party people don't find your constant value easily. They may think it's a dynamic value varying on run time, or something unrelated. But if it was in " " directly, it would be found easily.