Menu
I have an mcrypt encryption and decryption routine within one of my Android apps. This is essentially decrypting a string which is fetched via. remote call. Naturally the "secret key" is stored within the code, but anyone with apktool can obviously see the code and see my secret key.
Is there anyway to encrypt all the Java code so that even if de-compiled it would not be readable/understandable?
I've heard of ProGuard, but from reading about it, doesn't seem sufficient for this purpose.
320
You should never put a secret key inside code. Compiled code can be easily reverse-engineered and anyone with a debugger can hook to the point where the actual key is created. Security always relies on the algorithm, it is assumed that the client code is public and a potential attacker has a copy.
Hiding literals in code just delays the attacker in the process of getting the key, but it doesn't prevent it in any way.
158
All code on the client machine can be read. The best you can do is to make it more difficult to find the key.
A suggestion: there will be some text strings in your code, like "Please wait while your request is processing..." Find such a message, and generate a byte array to change that message into your real key by XORing the byte array with the text string.
e.g. "squirrel" XOR [16 1D 10 19 1A 13 0B 18] => "elephant"
Only "squirrel" and the byte array actually appear in your code.
44
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
