
Obfuscation: hide hardcoded values in java [duplicate]

Possible Duplicate:
hiding strings in Obfuscated code

I'm trying to hide some of the static Strings of my app a little in order to make it harder to decompile; this way, constants like cipher algorithm names are harder to find in the obfuscated code.

I've considered things like:

String CONCAT= "concat"+"string";
String RAW_STRING= "raw_string";
String FROM_BYTES=new String("from_bytes".getBytes());
String FROM_CHARS=new String(new char[]{'f','r','o','m','_','c','h','a','r','s'});
String FROM_CHAR2=new String(new char[]{102,114,111,109,95,99,104,97,114,115,95,50});

And the last two options seem to be "darker" than the raw option, but I imagine there are better ways of doing this.

How can I improve this? Thanks

Addev asked Oct 27 '12 15:10


2 Answers

For one, you shouldn't just write

String FROM_CHAR2=new String(new char[]{102,114,111,109,95,99,104,97,114,115,95,50});

It's a dead give-away that the char array is actually a String.

You can do a combination of the following:

  1. put your "String" in an int[] array
  2. or even better, break your String into several int arrays
  3. calculate/manipulate the array's values at various stages of the application, so its value will only become valid at a certain interval during runtime, guaranteeing that it won't be deciphered at a curious glance by decompiling your code
  4. pass the array(s) back and forth, through local variables, back to instance variables, etc., before finally converting the arrays to a single array to be passed to the String constructor
  5. immediately set the String to null after use, just to reduce the amount of time the actual String exists at runtime

Kai answered Nov 03 '22 05:11


I would prefer to set the value in the static (class) initializer using a decryption algo. Something like:

class ... {
  // must be static so the static initializer below can assign it
  static String CONCAT;

  static {
     // uncrypt is the decoding routine described below
     CONCAT = uncrypt("ahgsdhagcf");
  }
}

where uncrypt might be a really good unencryption algo or, somewhat weaker, a base64 decode.

In any case you need a simple program to encode your string first.

stefan bachert answered Nov 03 '22 05:11
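
An added example, not part of either answer: the static-initializer approach from the second answer together with the "simple program to encode your string first" that it calls for. The class name StringVault, the KEY bytes, the encode helper and the "G1aU" literal are assumptions made for illustration; only uncrypt and the static-initializer shape come from the answer.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example; StringVault, KEY, encode and the sample literal are hypothetical.
public final class StringVault {

    // Constructed sample key. It ships in the class file next to the data,
    // so this hides strings from a casual decompile, not from analysis.
    private static final byte[] KEY = {0x5A, 0x13, (byte) 0xC7, 0x2E, 0x41};

    static final String CIPHER_NAME;

    static {
        // "G1aU" is what encode("AES") returns with the key above.
        CIPHER_NAME = uncrypt("G1aU");
    }

    // XOR every byte with the repeating key; the operation is its own inverse.
    private static byte[] xor(byte[] in) {
        byte[] out = new byte[in.length];
        for (int i = 0; i < in.length; i++) {
            out[i] = (byte) (in[i] ^ KEY[i % KEY.length]);
        }
        return out;
    }

    // Build-time helper: turns a plain string into the literal to paste in.
    static String encode(String plain) {
        return Base64.getEncoder()
                .encodeToString(xor(plain.getBytes(StandardCharsets.UTF_8)));
    }

    // Runtime side, called from static initializers.
    static String uncrypt(String encoded) {
        return new String(xor(Base64.getDecoder().decode(encoded)),
                StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String plain = args.length > 0 ? args[0] : "AES";
        String literal = encode(plain);
        System.out.println(plain + " -> uncrypt(\"" + literal + "\")");
        if (!plain.equals(uncrypt(literal))) {
            throw new IllegalStateException("round trip failed");
        }
        System.out.println("CIPHER_NAME decodes to " + CIPHER_NAME);
    }
}
```

Run `java StringVault.java "some string"` at build time to get the literal to paste into a static initializer. Because the key and the decoder ship in the same binary, treat this as obfuscation of constants and never as protection for secrets.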