-4

I am making an Android app where the user has the choice to contact me in case he needs support. The app itself contains a built-in contact form; when the user fills in his message, the app will then send me an email. To do so, I have created a Google account and instructed the app to log in to that account using "SMTP" and send the email to my personal mail. So the contact form in the app is like a mini email app which can only send to my personal email.

For that I had to add the Google acc email and password in a Java class file, so basically if a user decompiles the app and opens the Java class file, he will find:

    String username = "myemail@gmail.com";
    String password = "my password";

Now is there a way I can make that Java class hidden when the app is decompiled?

Please don't suggest changing the way a user can contact me, because when a user contacts me, the app sends sensitive data embedded in the email, so I can provide support to the user. So basically, trying to change this type of contact will either result in me having to show the user this sensitive data and ask him to send it with the email outside the app, or I will have to discard the data which is vital for the support. So the only way a user can contact is the one described above. Now how can I hide the Java class file from being seen by people who decompile the app?

Thanks in advance!

Phantômaxx

1 Answer

0

> Now is there a way I can make that Java class hidden when the app is decompiled?

No.

At best, using commercial tools like DexGuard, you can make it a bit more difficult for attackers to get the strings, but it is not that difficult for somebody to defeat those tools.

> because when a user contacts me, the app sends sensitive data embedded in the email

Do not send sensitive data via email. Send it to your Web service over an SSL connection, using certificate pinning to help block man-in-the-middle (MITM) attacks.

> will either result in me having to show the user this sensitive data

It is the user's data, so it is perfectly reasonable for the user to see that data. After all, it is the user's device, the user's battery, the user's bandwidth, and the user's time. Your app is only a small piece of the puzzle, at best.

> so the only way a user can contact, is the one described above

No, it is not.

> now how can I hide the Java class file from being seen by people who decompile the app?

You can't.

CommonsWare
  • Ok thanks! And for the part of showing the user his data, it is perfectly normal; however, when I ask him to send it, he may attempt to modify it and I will have no clue if he does, that's why. Anyway, thanks for your answer! – EpicDragon 68 Feb 18 '18 at 21:25
  • Then you need to make sure that the data being sent can't be tampered with without you knowing, for example via a checksum. Basic rule of client/server programming: you can never trust the data coming from the client. – SeverityOne Feb 18 '18 at 21:45
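
The approach recommended in the answer, sketched as an added example that is not code from any of the posts above: the app posts the support data to a web service over HTTPS with certificate pinning, so no mail account credentials ship in the APK. It assumes the OkHttp 4.x library; the host name, path and pin values are hypothetical placeholders.

```java
import java.io.IOException;
import okhttp3.CertificatePinner;
import okhttp3.MediaType;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.RequestBody;
import okhttp3.Response;

/** Sends a support request to the developer's own HTTPS endpoint; the APK holds no mail password. */
public final class SupportClient {
    // Assumption: hypothetical host and path of a web service you operate.
    private static final String HOST = "support.example.com";
    private static final String URL = "https://" + HOST + "/api/v1/tickets";

    // Placeholders, not real pins: replace each with "sha256/" + base64(SHA-256 of the
    // server key's SubjectPublicKeyInfo). The second pin is a backup key, so rotating
    // the server certificate does not lock out already-installed copies of the app.
    private static final String PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    private static final String BACKUP_PIN = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBA=";

    private static final MediaType JSON = MediaType.get("application/json; charset=utf-8");

    // The pinner makes the TLS handshake fail unless the server's chain contains a pinned
    // key, even when a certificate authority trusted by the device signed the chain.
    private final OkHttpClient client = new OkHttpClient.Builder()
            .certificatePinner(new CertificatePinner.Builder()
                    .add(HOST, PRIMARY_PIN, BACKUP_PIN)
                    .build())
            .build();

    /** Blocking call, so run it off the main thread. Throws on TLS, pin or HTTP failure. */
    public void send(String jsonBody) throws IOException {
        Request request = new Request.Builder()
                .url(URL)
                .post(RequestBody.create(jsonBody, JSON))
                .build();
        try (Response response = client.newCall(request).execute()) {
            if (!response.isSuccessful()) {
                throw new IOException("Support endpoint returned HTTP " + response.code());
            }
        }
    }
}
```

The server, not the app, then decides what to do with the ticket (store it, or relay it by email using credentials that never leave the server), and it should validate every field as untrusted client input.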