Obfuscate Assets in Android APK

Question

We can obfuscate android APK using Proguard in Android Studio which will obfuscate only java files in it.

Issue: I want to obfuscate my files stored in Assets folder also.

Solution: We can use Dexguard which requires license and all.

Can some one point out any free/open source alternative?

Answer 1

Short answer : The best alternative is for you to create your custom encryption system.

You can, under normal circumstances, run a gradle script (before building the apk) that encrypts your files with a key that is only present on your computer.

If your application has some sort of login system, as soon as you receive success from the login, you can retrieve the key from that same login response and decrypt the files.

Keep in mind that you should pass the files into the Internal Storage of your application before decrypting (as you cannot modify the contents of the files directly on the assets folder).

If your application does not use the internet, and therefore you cannot obtain the encryption/decryption key through a service, you can store it on a bytearray or random named string.

It will under no circumstance prevent the app from being cracked and the files decrypted, but will for sure add another layer of difficulty to anyone who tries to hack it.

Answer 2

In principle, if the information is visible to the regular user of the application, it must be visible to anyone attacking the .apk, and the .apk can obtain anyone with the same privileges as regular user. So in case your app is for general public and available through google store, it's readable to anyone. Obfuscation, encryption with local key, etc... all these will slow down attacker (or even hold up against weak attacker), but in principle if enough skilled attacker will invest enough effort into attack, he will break whatever you put there.

Obfuscation is just preventing low-level attackers from gaining access.

---

(answer) That said, you load your asset files in Java by yourself?

Then you can encrypt them with some key, which will be hardcoded + obfuscated inside the .java code, thus only people capable to disassemble .dex files and understand your key, will be able to decrypt your assets (or there's other way, taking control over VM running your .apk, wait till your application loads and decrypts the asset, and attack them by dumping it from VM in decrypted form, this may be sometimes easier, if the decryption code is really tricky and hard to understand).

For any decent encryption use 3rd party library (feel free to mix it up with your own solution, but don't expect to create some strong cypher scheme on your own, takes quite some effort to create anything reasonably strong), actually java and Android has by default several "security" providers with common strong cypher schemes implemented.

But if you don't want some information to leak, then never upload that information to user's device, and don't show it to user.

---

For example - this is why the movie industry effort to protect movies is so funny.. they want both, which is in principle impossible, and they go great lengths to make it harder, which means the mankind wasted quite some money and effort on producing things like end-to-end encrypted HDMI playback and even the cable costs fortune as it can't be a simple cable of wires for this.