33

How to secure a string in an Android application?

Options:

  1. ProGuard: It does not secure string? Does proguard work to obfuscate static string constants?

  2. Encrypt String: For encryption I need to store the encryption key (string) somewhere, and again it's the same issue: how to secure the encryption key.

  3. Fetch string from web service: But this solution will not work for me, as the app doesn't have internet requirement/access; that's a requirement/business decision.

  4. NDK: Write a C file which contains the string and return it using JNI, but I found the Hex-Rays decompiler to decompile *.so files: https://www.hex-rays.com/index.shtml

================================================

Function in C

#include <jni.h>

/* Returns the string literal compiled into the .so to the Java caller. */
jstring Java_com_abc_xyz_getString(JNIEnv* env, jobject javaThis) {
  return (*env)->NewStringUTF(env, "Hello String");
}

====================================

Please suggest the best option to secure a string in the Android SDK/NDK.

7
  • 6
    The short story is that you can only make it difficult to get the string - you cannot make it impossible since any encryption scheme you use will have a key stored on the device. There are many discussions here on SO on how to obfuscate but it's true that obscurity is not security. You have to make it difficult enough to answer the question "is the effort worth the reward"? If you want something to be totally secure, then don't store it on a phone. Commented May 28, 2013 at 5:32
  • What kind of string? Passwords? For what purpose? The best solution for you will depend on what you plan to do with it. Commented May 28, 2013 at 5:44
  • @Simon : I agree with your point. I have tried the NDK to make it hard, but using a decompiler like Hex-Rays any developer can decompile the *.so file and fetch the data, so any idea how I can make it harder to decompile? Commented May 28, 2013 at 5:59
  • @Yoann : I want to store many things, which include encryption key, password, etc... Commented May 28, 2013 at 6:01
  • Using dexguard might help. See stackoverflow.com/questions/14570989/… & stackoverflow.com/questions/11161024/… Commented May 28, 2013 at 6:05

2 Answers

7

Key protection and distribution is the big hole in cryptography. It has to be somewhere available at the time you need to decrypt the data.

So, if your string is entered by someone using the device, you could use the device's serial#/IMEI#/etc as the key. Somewhat secure, but not that difficult to reverse engineer. That would allow for the data to be decrypted locally without the user putting in a password, but would not allow the data to be distributed encrypted.

If you are trying to distribute encrypted data with the application, as you have discovered, the keys must be somewhere local to the device. Without a communications link to the outside world, the only choices are in the device or with the application's user.

Perhaps if you could give us the intended workflow, you could get more useful suggestions?


4

For String encryption we have created a Gradle plugin to hide your keys inside your Android app using the NDK and XOR operator. The goal is to obfuscate your keys to prevent reverse engineering of your app.

You can optionally provide a custom encoding/decoding algorithm to improve the security of your key.

Access to the plugin and all the details : https://github.com/klaxit/hidden-secrets-gradle-plugin
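
The NDK-plus-XOR idea described in this answer, sketched in plain C as an added example (it is not the plugin's code and not part of the original post); `MASK`, `MASKED` and the function names are hypothetical, and the bytes are a constructed sample built from the question's "Hello String". The mask ships in the same binary as the masked bytes, so this only keeps the literal out of a plain string scan, which is the limit the first comment on the question describes.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample data: "Hello String" (the literal from the question),
 * XORed byte by byte with MASK. Both array names are hypothetical. */
static const unsigned char MASK[4] = {0x5A, 0xC3, 0x17, 0x9E};
static const unsigned char MASKED[12] = {
    0x12, 0xA6, 0x7B, 0xF2, 0x35, 0xE3, 0x44, 0xEA, 0x28, 0xAA, 0x79, 0xF9};

/* XOR is its own inverse: the same routine masks and unmasks. */
static void xor_apply(unsigned char *buf, size_t len,
                      const unsigned char *mask, size_t mask_len) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= mask[i % mask_len];
}

/* Decode into a caller-owned buffer; returns the string length, or -1 if
 * the buffer cannot hold the string plus its NUL terminator. */
int reveal_secret(char *out, size_t out_len) {
    if (out == NULL || out_len < sizeof MASKED + 1)
        return -1;
    memcpy(out, MASKED, sizeof MASKED);
    xor_apply((unsigned char *)out, sizeof MASKED, MASK, sizeof MASK);
    out[sizeof MASKED] = '\0';
    return (int)sizeof MASKED;
}

/* Overwrite the plaintext after use; volatile keeps the stores from being
 * optimised away. */
void wipe(char *buf, size_t len) {
    volatile char *p = buf;
    while (len--)
        *p++ = 0;
}

/* What a strings-style scan sees: 1 if needle occurs in the stored bytes. */
int stored_bytes_contain(const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; n > 0 && i + n <= sizeof MASKED; i++)
        if (memcmp(MASKED + i, needle, n) == 0)
            return 1;
    return 0;
}
```

In a JNI function like the one in the question, the decoded buffer would be passed to `NewStringUTF` and then wiped.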
