Home/ Questions/Q 8444095
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-10T09:19:00+00:00

I am confused by this bit of advice from http://developer.android.com/guide/google/play/billing/billing_integrate.html#billing-signatures To keep your public

  • 0

I am confused by this bit of advice from http://developer.android.com/guide/google/play/billing/billing_integrate.html#billing-signatures

To keep your public key safe from malicious users and hackers, do not
embed your public key as an entire literal string. Instead, construct
the string at runtime from pieces or use bit manipulation (for
example, XOR with some other string) to hide the actual key. The key
itself is not secret information, but you do not want to make it easy
for a hacker or malicious user to replace the public key with another
key.

Does this mean that

String one = "thisIs";
String two = "MyKey";
String base64EncodedPublicKey = one + two;
PublicKey key = Security.generatePublicKey(base64EncodedPublicKey);
verified = Security.verify(key, signedData, signature);

is safer than

String base64EncodedPublicKey = "thisIsMyKey";
PublicKey key = Security.generatePublicKey(base64EncodedPublicKey);
verified = Security.verify(key, signedData, signature);

? If not, could you please give me an example in code of how to do this?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Yes. Although in this case you’re just concatenating strings which is not much better. The reason for this is that somebody could easily disassemble your code and access your public key. If you have to reassemble the key, it makes it much more challenging to grab the key out of the disassembled code.

    • 0