3

I'm trying to find the best way to store private keys in an Android app. ProGuard is not enough, and DexGuard sounds nice but is a little bit expensive for me.

The most important thing in my case is hiding (or making it harder to see) some API access keys. After a few days of trial and error, I found that using C code looks useful.

My questions are...

・Do you think that using C/C++ is a good way to hide private keys?

・I'm using Android Studio. Maybe I can use the NDK (Native Development Kit). Do you think that the NDK is an easier way than others? (I've never used the NDK.)

Thanks,

FYI

How to avoid reverse engineering of an APK file?

Best Practice for storing private API keys in Android

zono

1 Answer

2

It is impossible to save a key safely in a client app. Java can be decompiled easily. ProGuard makes it harder. C++ seems much harder, but not impossible, to decompile. So you have to be aware that some hackers can find any key if you save it in a client app.

The easiest way: open your lib and try to search for your key as text. Most probably, you will see it somewhere in the binary file.

Adem
  • Thanks Adem. Yes, totally agree with you. But "much better" is OK in my case. – zono Dec 02 '14 at 07:30
  • Yes. It is not easy. I think it would be good to apply some filter on keys. Don't leave it in plain format in C++ code. – Adem Dec 02 '14 at 07:31
  • Opening the lib... Interesting. I never thought of it. – zono Dec 02 '14 at 07:32
  • If you write it in plain format, like std::string key("some key"); you will most probably see it in text format. – Adem Dec 02 '14 at 07:33
  • OK. I will write an encoded string with a key for decoding. – zono Dec 02 '14 at 07:36
  • I may have to consider that someone could call the C library's method. Some restrictions on calling are needed. – zono Dec 02 '14 at 07:41
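
The check the answer describes (open the built library and search for the key as text) can be scripted as a pre-release audit of your own build. This is an added example, not code from the original thread: the sample bytes and key are constructed, and the function names are hypothetical. A clean result only shows that the key is not stored as plain text, not that it cannot be recovered.

```python
import re

# Constructed sample: bytes standing in for a compiled native library
# (e.g. a .so produced by an NDK build). The key value is made up.
SAMPLE_KEY = "EXAMPLE-API-KEY-0000"
SAMPLE_LIB = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(8)
    + b"\x00Java_com_example_Native_getKey\x00"
    + SAMPLE_KEY.encode("ascii") + b"\x00"
    + bytes(range(1, 16))
)


def printable_strings(blob, min_len=4):
    """Return (offset, text) for runs of printable ASCII, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii"))
            for m in re.finditer(pattern, blob)]


def find_plaintext_secret(blob, secret):
    """Return (offset, encoding) for every unencoded copy of the secret."""
    hits = []
    for enc in ("ascii", "utf-16-le"):  # narrow and wide string literals
        needle = secret.encode(enc)
        pos = blob.find(needle)
        while pos != -1:
            hits.append((pos, enc))
            pos = blob.find(needle, pos + 1)
    return hits


def audit(blob, secrets):
    """Map each secret found in plain text to its hits; {} means none found."""
    report = {}
    for secret in secrets:
        hits = find_plaintext_secret(blob, secret)
        if hits:
            report[secret] = hits
    return report


if __name__ == "__main__":
    for offset, text in printable_strings(SAMPLE_LIB):
        print(f"{offset:#06x}  {text}")
    print(audit(SAMPLE_LIB, [SAMPLE_KEY]))
```

To audit a real build, read the library with `open(path, "rb").read()` and pass the bytes to `audit` together with the secrets that must not appear.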