How Can Sensitive Strings Be Hidden in Obfuscated Code?

Hiding Sensitive Strings in Obfuscated Code

Obfuscating code to protect proprietary information is a common practice, but discerning eyes can still uncover hidden strings. To effectively conceal sensitive data, consider the following techniques:

Encoding vs. Encryption

If the objective is to deter casual inspection, encoding can suffice. The android.util.Base64 class offers a convenient method. However, encoding provides negligible security.

For stronger protection against attackers, symmetric encryption with a cipher like AES is recommended. The javax.crypto.Cipher class provides an example of its usage.

Manual Encryption and Decryption

Implement encryption and decryption manually following these steps:

1. Encrypt the string with a known key.
2. Update the code to use the decrypted version of the string (e.g., use MyDecryptUtil.decrypt(encrypted, key) instead of mySecret = "http://example.com").

Third-Party DRM Solutions

Consider using third-party DRM solutions like Google's licensing server. They offer potential security benefits over self-rolled solutions, but still have limitations similar to manual encryption and decryption.

R Class Strings

The R class strings you mentioned in your code are references to resources. Obfuscators like ProGuard do not obfuscate the R class itself but rather the references to the resource IDs. They maintain the same number but change the mapping that points to the actual resource.

In this case, 2130903058 references a layout file. Without the decompiled R class, you cannot directly retrieve the resource it represents, but it is still an address to the binary data of the resource.

The above is the detailed content of How Can Sensitive Strings Be Hidden in Obfuscated Code?. For more information, please follow other related articles on the PHP Chinese website!