2

Sometimes we need to store in code some String that we want to protect, such as the App Id in Google Play, a third-party API key, a secret seed for creating a hash, etc.

To protect these Strings, developers sometimes obfuscate them with XOR operations or other techniques (i.e., an XOR operation with two strings in Java).

If we run Proguard before releasing the code, as it performs a fairly sophisticated optimisation of the code, I guess it can resolve the final String, ending in shipping the String un-obfuscated in the released APK... Is this true?

That would be funny, instead of obfuscating the code Proguard would de-obfuscate manually-obfuscated data...

How do you people target this? Do you exclude the classes with the obfuscated String in proguard.cfg?

1
  • 1
    No matter what you do to the string in the code, doesn't it eventually get converted to plaintext in memory and sent to whatever function needs it in plaintext? Anyone inspecting the memory of your application may be able to view this. Just a thought. Commented Jul 30, 2013 at 14:42

1 Answer

2

I have experimented with String obfuscation using simple techniques such as Base64 or XOR. In my experience, Proguard is not able to de-obfuscate the manually obfuscated data, even with optimization enabled.

You could try to decompile your own source code after exporting your project with Proguard enabled, using tools like APKtool, Dex2jar, etc. Then you should see whether the String was de-obfuscated or not.
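A byte-level version of the check suggested in the answer, as an added example that is not part of the original post: it scans every entry of a built APK for a secret stored verbatim. The function names, the sample secret, the XOR key and the in-memory stand-in APK are all constructed for illustration.

```python
import io
import zipfile


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the kind of manual obfuscation the question describes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_plaintext(apk, secrets):
    """Return {secret: [entry names]} for each secret found verbatim in the APK.

    `apk` is a path or file-like object. Entries are decompressed before the
    search, so compressed classes*.dex files are covered as well.
    """
    hits = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            for secret in secrets:
                # dex string data is MUTF-8 (identical to UTF-8 for ASCII);
                # resources.arsc string pools may be UTF-8 or UTF-16LE.
                for enc in ("utf-8", "utf-16-le"):
                    if secret.encode(enc) in blob:
                        hits.setdefault(secret, []).append(name)
                        break
    return hits


def build_sample_apk(dex_payload: bytes) -> io.BytesIO:
    """Constructed stand-in for a release APK: a zip holding one classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + dex_payload)
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
    buf.seek(0)
    return buf


SECRET = "sk_test_CONSTRUCTED_0123456789"  # constructed sample value
KEY = b"k3y"                               # constructed XOR key

if __name__ == "__main__":
    # Case 1: the constant ended up in the dex as plain text.
    resolved = build_sample_apk(SECRET.encode())
    # Case 2: only the XOR-encoded bytes are stored.
    encoded = build_sample_apk(xor_bytes(SECRET.encode(), KEY))
    print("resolved build:", find_plaintext(resolved, [SECRET]))
    print("encoded build: ", find_plaintext(encoded, [SECRET]))
```

Point `find_plaintext` at the ProGuard-enabled release APK and the real secret; an empty result shows only that the literal is not stored verbatim, not that it cannot be recovered.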
