32

How to secure string in Android Application ?

Options:

  1. ProGuard: It does not secure string? Does proguard work to obfuscate static string constants?

  2. Encrypt String: for Encryption I need to store encryption key (string) some where and again it's same issue, how to secure encryption key.

  3. Fetch string from web service: But this solution will not work for me, as app don't have internet requirement/access that's requirement/business decision.

  4. NDK: write c file which contain string and return using JNI but I found Hex-Ray decompile to decompile *.so file https://www.hex-rays.com/index.shtml

================================================

Function in C

jstring Java_com_abc_xyz_getString(JNIEnv* env, jobject javaThis) {
  return (*env)->NewStringUTF(env, "Hello String");
}

====================================

Please suggest a best option to secure string in Android SDK/NDK.

Community
  • 1
  • 1
Ketan Parmar
  • 2,820
  • 17
  • 27
  • 5
    The short story is that you can only make it difficult to get the string - you cannot make it impossible since any encryption scheme you use will have a key stored on the device. There are many discussions here on SO on how to obsfucate but it's true that obscurity is not security. You have to make it difficult enough to answer the question "is the effort worth the reward"? If you want something to be totally secure, then don't store it on a phone. – Simon May 28 '13 at 05:32
  • What kind of string? Passwords? For what purpose? The best solution for you will depend on what you plan to do with it. – Yoann Hercouet May 28 '13 at 05:44
  • @Simon : I agree on your point, I have tried NDK to make it hard but using hex-rays like decompiler any developer can decompile *.so file and fetch the data,so Any idea how I make it harder to decompile, – Ketan Parmar May 28 '13 at 05:59
  • @Yoann : I want to store many thing which include encryption key, password, etc... – Ketan Parmar May 28 '13 at 06:01
  • Using [dexguard](http://www.saikoa.com/dexguard) might help. See http://stackoverflow.com/questions/14570989/best-practice-for-storing-private-api-keys-in-android & http://stackoverflow.com/questions/11161024/obfuscating-resource-strings-that-may-give-away-too-much-information-about-progr – devnull May 28 '13 at 06:05
  • Please clarify: you want to write an open source application which would persist user's credentials ( not only of Android / Google accounts ) and retrieve it securely, but as long as its open source - disable access to the same data for other apps, including on rooted phones? :) – Zilvinas May 28 '13 at 13:51
  • What are you trying to secure against? Device being stolen? Other apps on the same device (which might be rooted)? – Seva Alekseyev Nov 17 '16 at 16:34

2 Answers2

7

Key protection and distribution is the big hole in cryptography. It has to be somewhere available at the time you need to decrypt the data.

So, if your string is entered by someone using the device, you could use the devices serial#/IMEI#/etc as the key. Somewhat secure, but not that difficult to reverse engineer. That would allow for the data to be decrypted locally without the user putting in a password, but would not allow the data to be distributed encrypted.

If you are trying to distribute encrypted data with the application, as you have discovered, the keys must be someone local to the device. Without a communications link to the outside world, the only choices are in the device or with the applications user.

Perhaps if you could give us the intended workflow, you could get more useful suggestions?

LarryN
  • 195
  • 8
1

For String encryption we have created an gradle plugin to hide your keys inside your Android app using the NDK and XOR operator. The goal is to obfuscate your keys to prevent reverse engineering of your app.

You can optionally provide a custom encoding/decoding algorithm to improve the security of your key.

Access to the plugin and all the details : https://github.com/klaxit/hidden-secrets-gradle-plugin

Ben-J
  • 839
  • 6
  • 21