2

I am placing my secretkey in strings.xml. I checked by reverse engineering with apktool and I got my strings.xml file as R$string.smali when I checked in that file to see whether key is visible or not then i found my key string as

# static fields    
.field public static final secretkey:I = 0x7f0a0035

Is there any possibility of fetching the key from this id or any other process is there to fetch my secretkey from strings.xml file.

Improve this question
6
  • 2
    You should expect that there is somebody else who is at least as clever as you. So if you are going to distribute this application, anybody could do the same and discover your secret key in the process. Commented May 7, 2013 at 15:01
  • So there's no point in encryption etc. at all, because somebodys gonna be more clever anyways? Come on ... Commented May 7, 2013 at 15:06
  • using tools like apktool you can get all resource files from apk and I'm pretty sure that this include string.xml file too in clear way. Commented May 7, 2013 at 15:08
  • As Igor say, never store a secret key in strings.xml or in the code. You can generate on the phone or get it from a server at the first launch of the app. Commented May 7, 2013 at 15:11
  • thxs guys for replies, but i m asking you straight forward question whether key can be fetch from that id. Commented May 7, 2013 at 15:32

2 Answers 2

Reset to default
1

You should not store secret key in strings.xml

More secure options are: SharedPreferences or internal storage with mode write localy. In most cases I suggest generate key on the phone. So every phone will have thir uniq key.

But remember there are no absolute security, rooted phone user can do anything with his phone.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

as my algorithm was developed with a process of encrypting by combining two keys and a message which should be same exactly at server side. its a difficult process to decode, but the problem is to store one of the key while connecting to server in the application itself. make some clear suggestions.
0

  1. Try Constructing the key at runtime. Bit manipulation / shuffling the key can be one way of doing this.

  2. Have a customized encryption and decrypt the key at runtime.

  3. If you can afford, you can get the key from a server.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.