I have a URL which returns a JSON string with my data. Now, I would like to keep this data secret, so only my Android application could display it.
My first idea was to encode the data with a private key (on the server side) and store the same private key in the application, so it can decode the message. However, an attacker (user) can decompile the .apk and obtain the private key.
- Do you have an idea how to secure it?
- Decompiling Java is simple. How about Android .apk? I heard that there is something called ProGuard – does Android use this by default and does it secure the code?
This generally cannot be done: if the user needs to see the data, they have to be able to decrypt it, etc. You can make it somewhat harder by not storing the data on disk, etc., but a determined user/attacker can dump memory, use a debugger, etc. to see the data. Think about what threats you are trying to protect from first, and then decide on a course of action.
If you want only your app to be able to download the data, you need to use some sort of authentication + SSL. If you hardcode a key or password in the app, it is fairly easy to extract it, so that doesn’t buy you much. If you make the user enter the password each time they use the app, they will get frustrated quickly and leave a bunch of 1-star ratings. A middle ground would be to use some sort of token-based authentication, such as OAuth (or ClientLogin, if you really have to, but it is being deprecated) and have the user authenticate with their existing account, so that they don’t have to register and remember yet another password. Most Android devices already have a Google Account set up, so you can use that, but this requires additional permissions and user consent (confirmation dialog).
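
The token-based approach described in the answer above, sketched from the server side as an added example (not code from the question or the answer). It assumes a simple HMAC-signed token standing in for an OAuth access token, served over SSL; `SERVER_KEY`, `REVOKED_USERS` and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: this key exists only on the server and is never shipped in the .apk.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 900        # seconds; a short lifetime limits the value of a token pulled off a device
REVOKED_USERS = set()  # hypothetical per-user revocation list

def _sign(payload_b64):
    return hmac.new(SERVER_KEY, payload_b64.encode(), hashlib.sha256).hexdigest()

def issue_token(user_id, now=None):
    """Call only after the user has authenticated (for example via an OAuth sign-in)."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "exp": int(now) + TOKEN_TTL}
    payload_b64 = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return payload_b64 + "." + _sign(payload_b64)

def verify_token(token, now=None):
    """Return the user id if the token is authentic, unexpired and not revoked, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(payload_b64)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload_b64))
        if claims["exp"] <= now or claims["sub"] in REVOKED_USERS:
            return None
        return claims["sub"]
    except (ValueError, KeyError, TypeError):
        return None

def handle_request(headers):
    """Serve the JSON only to a caller that presents a valid bearer token."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    user = verify_token(token) if scheme == "Bearer" else None
    if user is None:
        return 401, json.dumps({"error": "unauthorized"})
    return 200, json.dumps({"user": user, "data": "constructed sample payload"})
```

Unlike a key hardcoded in the app, a token extracted from one device identifies one user, expires on its own, and can be revoked without shipping a new .apk.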