Hiding Secrets in Obfuscated Android Code
When obfuscating Android code with tools like ProGuard, it's common to discover that sensitive strings remain visible after decompilation. To address this concern, here are some strategies for concealing strings from prying eyes:
Encoding and Encryption
ProGuard does not provide mechanisms for hiding strings. Instead, consider implementing your own encoding or encryption methods. For basic obscurity, encoding using methods like Base64 can suffice. For more rigorous protection, encrypt the strings using symmetric ciphers like AES through classes like javax.crypto.Cipher.
Remember that encrypting strings requires storing the encryption key in the application, which can compromise security.
Example:
Before:
<code class="java">public class Foo { private String mySecret = "http://example.com"; }</code>
After:
<code class="java">public class Foo { private String encrypted = "<manually created encrypted string>"; private String key = "<key used for encryption>"; private String mySecret = MyDecryptUtil.decrypt(encrypted, key); }</code>
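As an added example, not code from the original answer, here is one way to write the MyDecryptUtil used in the "After" snippet with AES-GCM via javax.crypto.Cipher; the class name comes from the page, while the method bodies, the IV-prefixed Base64 layout and the randomly generated 128-bit demo key are assumptions. It uses java.util.Base64, so on Android it assumes API 26 or newer (android.util.Base64 on older releases).

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public final class MyDecryptUtil {
    private static final int IV_BYTES = 12;   // standard GCM nonce size
    private static final int TAG_BITS = 128;  // authentication tag length

    // Run once at build time (e.g. from a small tool or main()); paste the
    // returned string into the app as the "encrypted" literal.
    public static String encrypt(String plaintext, byte[] key) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);  // fresh nonce per string, never reused with the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];   // layout: IV || ciphertext || tag
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Called at runtime; the GCM tag check makes a tampered ciphertext fail
    // with AEADBadTagException instead of yielding garbage.
    public static String decrypt(String encoded, byte[] key) throws Exception {
        byte[] in = Base64.getDecoder().decode(encoded);
        if (in.length < IV_BYTES + TAG_BITS / 8) {
            throw new IllegalArgumentException("ciphertext too short");
        }
        GCMParameterSpec spec = new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), spec);
        byte[] pt = cipher.doFinal(in, IV_BYTES, in.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[16];                 // constructed demo key (AES-128)
        new SecureRandom().nextBytes(key);         // in a real app this key ships inside the APK
        String enc = encrypt("http://example.com", key);
        System.out.println("encrypted = " + enc);
        System.out.println("decrypted = " + decrypt(enc, key));
    }
}
```

The key still has to live in the APK, so this raises the effort needed to read the string but does not keep it from someone who decompiles the app and runs decrypt themselves.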
R Class Strings
The R class strings you mention (e.g., 2130903058) are references to resource IDs. They are not random numbers but rather point to resources such as layout files. During obfuscation, references to resources are replaced with these IDs to reduce code size.
When decompiling the code, the R class may not be present because its internal structure is mangled by obfuscators. However, the IDs still represent the original resource references.
Third-Party DRM
Consider using a dedicated Digital Rights Management (DRM) solution instead of implementing your own protection measures. Google provides a licensing service for Android that can be more secure than custom solutions.