Monday, May 27, 2013
Friday, March 1, 2013
When you're using an Android library project as the base code for multiple projects, it's handy to rely on resource overrides for configuration parameters. For example, each app can ship its own strings resource file that points to different URLs, API keys, and so on. While this is quite handy, you must also consider that resource files are trivial to extract with apktool (it decodes the binary resources.arsc and compiled XML straight back into readable res/ files), so if you are concerned about keeping any of this configuration data secret, you're going to have to take some extra precautions.
Our high level strategy will be the following:
- Encrypt our application license key (obtained via the Google Developer Console) using a hardcoded encryption key (think password).
- Base64 encode the encrypted 'cipher' text.
- Use this encrypted/base64 encoded value in our strings resource file in place of the plaintext.
- At runtime, decode and decrypt the value only at the point where it is actually needed, rather than keeping the plaintext around.
Since it's hard to get around hardcoding your secret key (the keyBytes in our sample code) using this strategy, it would be naive to assume this is 100% foolproof. A persistent individual could still decompile your app, discover the byte array you used for encryption, and then reverse the entire process: everything needed to recover the plaintext ships inside the APK, so this is obfuscation, not cryptographic protection. Your job is to make this as difficult as you can reasonably make it. You could store your key in multiple byte arrays and combine them only when needed, for instance. I won't go into specific methods here, but the point is to be creative. Using a code obfuscation tool such as ProGuard will help, or at the very least use non-obvious/misleading method names to perform these operations. Keep in mind that ProGuard renames classes, methods and fields but leaves string constants and byte-array initializers readable in the dex, so it raises the cost of finding the key rather than hiding it.
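As an added example (not the post's own sample code), the following Java class carries the strategy above end to end: a build-time seal() that encrypts a value with a hardcoded key, prefixes a random IV and Base64-encodes the result for strings.xml, and a runtime open() that reverses it. The key is assembled from two byte arrays XORed together, as suggested above, instead of being stored as one array. The key fragments and the license-key string are constructed placeholders; the class and method names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Seals a configuration value for a strings.xml resource and opens it again at runtime.
 * Resource value layout: Base64( IV || AES-128-CBC/PKCS5 ciphertext ).
 */
public final class ResourceSecret {

    // Hypothetical hardcoded key material (constructed for this example). The real
    // AES-128 key is never written down as one array: it is KEY_PART_A XOR KEY_PART_B,
    // recombined only when a value has to be sealed or opened.
    private static final byte[] KEY_PART_A = {
        (byte) 0x3a, (byte) 0x91, (byte) 0xc4, (byte) 0x07, (byte) 0x5e, (byte) 0xb2, (byte) 0x19, (byte) 0xf0,
        (byte) 0x66, (byte) 0x2d, (byte) 0x8b, (byte) 0xd3, (byte) 0x4f, (byte) 0x7c, (byte) 0xa8, (byte) 0x15 };
    private static final byte[] KEY_PART_B = {
        (byte) 0x9c, (byte) 0x42, (byte) 0x1f, (byte) 0xe6, (byte) 0x73, (byte) 0x08, (byte) 0xd5, (byte) 0x2b,
        (byte) 0xb1, (byte) 0x64, (byte) 0xfa, (byte) 0x0e, (byte) 0x97, (byte) 0xc3, (byte) 0x50, (byte) 0x8d };

    private static final int IV_LEN = 16;   // AES block size
    private static final String TRANSFORM = "AES/CBC/PKCS5Padding";

    /** Recombine the two fragments into the actual key bytes. */
    private static byte[] keyBytes() {
        byte[] k = new byte[KEY_PART_A.length];
        for (int i = 0; i < k.length; i++) {
            k[i] = (byte) (KEY_PART_A[i] ^ KEY_PART_B[i]);
        }
        return k;
    }

    /** Build-time step: encrypt, prefix the IV, Base64 the result for strings.xml. */
    public static String seal(String plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(keyBytes(), "AES"), new IvParameterSpec(iv));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[IV_LEN + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_LEN);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Runtime step: Base64-decode, split off the IV, decrypt the remainder. */
    public static String open(String encoded) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(encoded);
        // IV plus at least one full padded block; anything shorter is not a sealed value.
        if (in.length < IV_LEN + 16) {
            throw new GeneralSecurityException("resource value too short to be a sealed secret");
        }
        IvParameterSpec iv = new IvParameterSpec(in, 0, IV_LEN);
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(keyBytes(), "AES"), iv);
        byte[] pt = cipher.doFinal(in, IV_LEN, in.length - IV_LEN);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed placeholder standing in for the Developer Console license key.
        String licenseKey = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...placeholder";
        String sealed = seal(licenseKey);
        // Paste this line into the overriding project's res/values/strings.xml.
        System.out.println("<string name=\"license_key\">" + sealed + "</string>");
        // In the app: ResourceSecret.open(getString(R.string.license_key)) at the point of use.
        if (!open(sealed).equals(licenseKey)) {
            throw new AssertionError("round trip failed");
        }
    }
}
```

Run main() once on the build machine to produce the resource value; the app only ever calls open(). On Android, java.util.Base64 needs API 26, so older targets should substitute android.util.Base64 with the same layout. A fresh IV per seal() means re-sealing the same value gives a different resource string each time, which keeps two apps built from the same library from carrying an identical, easily-correlated blob.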