How to secure string in Android Application?

Question

How to secure string in Android Application ?

Options:

1. ProGuard: It does not secure string? Does proguard work to obfuscate stati

Answer 1

For String encryption we have created an gradle plugin to hide your keys inside your Android app using the NDK and XOR operator. The goal is to obfuscate your keys to prevent reverse engineering of your app.

You can optionally provide a custom encoding/decoding algorithm to improve the security of your key.

Access to the plugin and all the details : https://github.com/klaxit/hidden-secrets-gradle-plugin

Answer 2

Key protection and distribution is the big hole in cryptography. It has to be somewhere available at the time you need to decrypt the data.

So, if your string is entered by someone using the device, you could use the devices serial#/IMEI#/etc as the key. Somewhat secure, but not that difficult to reverse engineer. That would allow for the data to be decrypted locally without the user putting in a password, but would not allow the data to be distributed encrypted.

If you are trying to distribute encrypted data with the application, as you have discovered, the keys must be someone local to the device. Without a communications link to the outside world, the only choices are in the device or with the applications user.

Perhaps if you could give us the intended workflow, you could get more useful suggestions?