 

Keeping secret key SECRET - within Android app.. any ideas

I have an mcrypt encryption and decryption routine within one of my Android apps. This is essentially decrypting a string which is fetched via a remote call. Naturally the "secret key" is stored within the code, but anyone with apktool can obviously see the code and see my secret key.

Is there any way to encrypt all the Java code so that even if decompiled it would not be readable/understandable?

I've heard of ProGuard, but from reading about it, doesn't seem sufficient for this purpose.

OmniCoder asked Oct 31 '11 09:10

2 Answers

You should never put a secret key inside code. Compiled code can be easily reverse-engineered and anyone with a debugger can hook to the point where the actual key is created. Security always relies on the algorithm, it is assumed that the client code is public and a potential attacker has a copy.

Hiding literals in code just delays the attacker in the process of getting the key, but it doesn't prevent it in any way.

Mister Smith answered Sep 28 '22 22:09

All code on the client machine can be read. The best you can do is to make it more difficult to find the key.

A suggestion: there will be some text strings in your code, like "Please wait while your request is processing..." Find such a message, and generate a byte array to change that message into your real key by XORing the byte array with the text string.

e.g. "squirrel" XOR [16 1D 10 19 1A 13 0B 18] => "elephant"

Only "squirrel" and the byte array actually appear in your code.

rossum answered Sep 28 '22 20:09
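As an added illustration of the XOR trick described in rossum's answer (this is not code from either answer), here is the build-time mask derivation and the run-time recovery, using the page's own "squirrel"/"elephant" values; the class and method names are assumed. The recovery step is the same operation anyone can run after pulling the decoy string and the byte array out of a decompiled apk, which is why the answer calls this "more difficult" rather than secure.

```java
import java.nio.charset.StandardCharsets;

// Added example (hypothetical class name): XOR-masking a key behind a decoy string.
public class XorKeyObfuscation {

    // Build-time step (run once, outside the app): compute the byte array that
    // turns the decoy string into the real key. Only the decoy and this mask
    // end up in the shipped code.
    static byte[] deriveMask(String decoy, String key) {
        byte[] d = decoy.getBytes(StandardCharsets.US_ASCII);
        byte[] k = key.getBytes(StandardCharsets.US_ASCII);
        if (d.length != k.length) {
            throw new IllegalArgumentException("decoy and key must have the same length");
        }
        byte[] mask = new byte[k.length];
        for (int i = 0; i < k.length; i++) {
            mask[i] = (byte) (d[i] ^ k[i]);
        }
        return mask;
    }

    // Run-time step inside the app: rebuild the key from decoy and mask.
    // This is also exactly what a reverse-engineer does once both are read
    // from the decompiled code, so it hides the key, it does not protect it.
    static String recoverKey(String decoy, byte[] mask) {
        byte[] d = decoy.getBytes(StandardCharsets.US_ASCII);
        byte[] k = new byte[d.length];
        for (int i = 0; i < d.length; i++) {
            k[i] = (byte) (d[i] ^ mask[i]);
        }
        return new String(k, StandardCharsets.US_ASCII);
    }

    // Helper for printing the mask the way the answer writes it.
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02X ", b & 0xFF));
        }
        return sb.toString().trim();
    }

    public static void main(String[] args) {
        byte[] mask = deriveMask("squirrel", "elephant");
        System.out.println("mask: " + toHex(mask));               // 16 1D 10 19 1A 13 0B 18
        System.out.println("key:  " + recoverKey("squirrel", mask)); // elephant
    }
}
```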