Protect string constant against reverse-engineering

Question

I have android application that has hard coded (static string constants) credentials (user/pass) for sending emails via SMTP.

The problem is that .dex file in .apk c

Answer 1

doing these would be useful:

1- you can encrypt them and obfuscate the encrypting algorithm. any encryption along with obfuscation (progaurd in Adnroid) is useful.

2- you better to hardcode your strings as byte array in your code. many reverse engineering applications can get a list of your hardcoded strings and guess what they are. but when they are in form of byte array they are not readable. but again Proguard is necessary. (it only hides from RAM string constant searching and they are still searchable from .class file)

3- using C++ code to host your constant is not a bad idea if you encrypt them before hardcoding and decrypt them using C++ code.

there is also a great article here :

https://rammic.github.io/2015/07/28/hiding-secrets-in-android-apps/