发表新帖
发表新帖

Protect string constant against reverse-engineering

前端 未结
关注
9 1769
借酒劲吻你
借酒劲吻你 2020-12-09 15:49

I have android application that has hard coded (static string constants) credentials (user/pass) for sending emails via SMTP.

The problem is that .dex file in .apk c

相关标签:
9条回答
  • 醉话见心
    2020-12-09 16:10

    doing these would be useful:

    1- you can encrypt them and obfuscate the encrypting algorithm. any encryption along with obfuscation (progaurd in Adnroid) is useful.

    2- you better to hardcode your strings as byte array in your code. many reverse engineering applications can get a list of your hardcoded strings and guess what they are. but when they are in form of byte array they are not readable. but again Proguard is necessary. (it only hides from RAM string constant searching and they are still searchable from .class file)

    3- using C++ code to host your constant is not a bad idea if you encrypt them before hardcoding and decrypt them using C++ code.

    there is also a great article here :

    https://rammic.github.io/2015/07/28/hiding-secrets-in-android-apps/

    0 讨论(0)
  • 野性不改
    2020-12-09 16:20

    One way you can 100% secure you hard-coded string. Firstly don't use pro-guard use allatori Link: http://www.allatori.com/

    And secondly don't take you hard coded string in any variable just use that string like this:

    if(var=="abc"){}

    "abc" is exampled hard coded string.

    Allatori fully obfuscate all string that are used in code like above.

    Hope it will help for you.

    0 讨论(0)
  • 故里飘歌
    2020-12-09 16:22

    Use some kind of trivial encryption or cipher that only you (and your code) understand. Reverse the string, store it as array of integers where you need to take the mod of 217 or something silly to find the real password.

    0 讨论(0)
  • 难免孤独
    2020-12-09 16:23

    You can save your string obfuscated by AES.

    In Licensing Verification Library you can find AESObfuscator. In LVL it is used to obfuscate cached license info that is read instead of asking Android Market to find out application is licensed or not. LVL can be downloaded as component of SDK.

    0 讨论(0)
  • -上瘾入骨i
    2020-12-09 16:24
    1. Hashing is not possible since it is not two way.
    2. Any encryption such as AES, DES, blowfish, etch is not a viable solution as you have to include the decryption part within your app and that can be decompiled with a combination of apktool, dex2jar and JD (java decompiler) which is a very powerful combo while decompiling any apk.
    3. Even code obfuscators don't do anything except make life a little more difficult for the decompiling guy, who'll eventually get it anyways.

    The only way which I think would work to an extent would be to host the credentials on a server which only your application can access via a web-service call through a separate authentication of some kind - similar to FB's hash key thing. If it works for them, it should work for us.

    0 讨论(0)
  • 梦谈多话
    2020-12-09 16:31

    I was looking into a similar problem and came across this useful thread: http://www.dreamincode.net/forums/topic/208159-protect-plain-string-from-decompilers/

    I'm not too familiar with Android development, but the same ideas should apply.

    0 讨论(0)
 看不清?
提交回复
热议问题