Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I have an mcrypt encryption and decryption routine within one of my Android apps. This is essentially decrypting a string which is fetched via. remote call. Naturally the “secret key” is stored within the code, but anyone with apktool can obviously see the code and see my secret key.
Is there anyway to encrypt all the Java code so that even if de-compiled it would not be readable/understandable?
I’ve heard of ProGuard, but from reading about it, doesn’t seem sufficient for this purpose.
You should never put a secret key inside code. Compiled code can be easily reverse-engineered and anyone with a debugger can hook to the point where the actual key is created. Security always relies on the algorithm, it is assumed that the client code is public and a potential attacker has a copy.
Hiding literals in code just delays the attacker in the process of getting the key, but it doesn’t prevent it in any way.