Securing string in APK

Question

I am developing an android app using Mono for Android by Xamarin. I am currently working on adding in-app-purchase capability using the Google Play API. To do so, I need to send Google the public license key from within my app. Regarding this issue, Google recommends the following:

Security Recommendation: It is highly recommended that you do not hard-code the exact public license key string value as provided by Google Play. Instead, you can construct the whole public license key string at runtime from substrings, or retrieve it from an encrypted store, before passing it to the constructor. This approach makes it more difficult for malicious third-parties to modify the public license key string in your APK file.

I have never dealt with encryption, hacking/cracking or any of other facet of software security, so I am not sure how to implement Google's advice. My question is how does one adequately secure a string in an Android APK made with Mono for Android without having to be a security expert?

Answer 1

Not to sound too bold, but I believe you can safely ignore their suggestion. The security benefits of what they're suggesting are minimal at best.

For a more detailed discussion read this: How to protect Google Play public key when doing InApp Billing

The truth is that none of the methods described there are perfectly secure. If someone is determined to figure your public key out, they will. No matter what you do, the public key will end up being passed to the ctor, so a malicious user could always examine it at this point. All the "games" they are suggesting are just making this a bit more difficult, but definitely not impossible.

I think your best bet is accepting this for what it really is. This key is public for a reason and you need to live with the fact that it could be compromised easily. Since everybody else sleeps well at night knowing this, I see no reason why you shouldn't as well :)

If you really can't sleep at night and want to do something.. Place your key in your code with the first two characters switched. Then during runtime, switch the two characters back before using the key. This should be enough to protect yourself against brute force automated attacks.. Intelligent attacks you can't do anything about.

Edit:

If you're looking for an industry standard way to protect your code, use a commercial obfuscator. These tools are designed for this purpose. Some examples are Mono for Android, code obfuscation. Make sure to use fully featured commercial versions that include string encryption.